Curious what recommendations anyone has.

I have an existing ASP.NET Web Forms application that uses Forms Authentication and has identity impersonate turned on.

The application has a link to a questionnaire that I would like to develop separately in an ASP.NET MVC application, but I don't want the users to click on the link and be prompted for a username and password; I would like them to be able to seamlessly start filling out the questionnaire.

Is there a way to somehow transfer authentication from one .net app to another? I would like to be able to pass stuff like UserRole.

What's the best way to do this?

+1  A: 

Using Windows Identity Foundation (WIF) you can achieve Single Sign-On.

In WIF, a service called a Security Token Service (STS) issues a token with claims, which can be anything you want to declare about the authenticated user, for instance his roles. In your apps you can use the Page.User, Controller.Page or Thread.Current.Principal properties to check the User claims (though if you'll only be using role claims you can use the IsInRole method for simplicity).

You can easily create an STS using the tools for VS included in WIF's SDK. The Forms authentication will be done in the STS instead of in the Web Forms site, and both sites should have a trust relationship with the STS.

Anero
Thanks Anero, I'll check into STS.
Mark Kadlec
+1  A: 

If you use the same MachineKey in both applications and the MVC application is on the same server, I think that it will reuse the auth cookie and simply consider them logged in. See this MSDN article on configuring the MachineKey, especially the section on sharing authentication tickets across applications. Note this assumes that both applications are on the same server. If they are on different servers then you'll need to investigate some other mechanisms -- say generating a single-use ticket for the URL that can be used by the remote system via a web call back to the originating server who the user is. It might not need to be a full-up implementation of a central authentication system, but along those lines. Just be sure that you're using SSL to encrypt the relevant bits to help avoid man-in-the-middle attacks.

tvanfosson
Thanks tvanfosson, knowing this I can easily push for the MVC app to be on the same server, that should not be a problem. I read the article you suggested, should work fine. A little bit of work, but should do the job once I generate the two keys.
Mark Kadlec
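
The shared-ticket setup from tvanfosson's answer, sketched as a configuration fragment. This is an added example, not taken from the answer or the MSDN article it mentions; the cookie name, login URL and key values are placeholders chosen for illustration.

```xml
<!-- Added example: place the SAME fragment in the web.config of both the
     Web Forms application and the MVC application. -->
<configuration>
  <system.web>
    <!-- Explicit keys replace the default "AutoGenerate,IsolateApps", which
         gives every application its own key and so makes one application's
         ticket unreadable to the other. Generate both values with a
         cryptographic random generator and keep them out of source control. -->
    <machineKey
        validationKey="PLACEHOLDER_HEX_VALIDATION_KEY"
        decryptionKey="PLACEHOLDER_HEX_DECRYPTION_KEY"
        validation="HMACSHA256"
        decryption="AES" />
    <!-- validation="HMACSHA256" needs .NET 4.0 or later; earlier runtimes
         only offer SHA1 for the ticket MAC. -->

    <authentication mode="Forms">
      <!-- name, path and protection must match in both applications:
           name       - both must look for the same cookie
           path="/"   - cookie is sent to both virtual directories on the host
           protection - "All" means the ticket is encrypted and MAC-validated
           requireSSL - the cookie is only sent over HTTPS
           loginUrl   - assumed path of the existing Web Forms login page, so
                        the MVC application redirects there rather than
                        prompting on its own -->
      <forms name=".SHAREDAUTH"
             loginUrl="/MainApp/Login.aspx"
             path="/"
             protection="All"
             requireSSL="true"
             timeout="30" />
    </authentication>
  </system.web>
</configuration>
```

The ticket identifies the user; roles reach the MVC application only if the login code writes them into the ticket's UserData or both applications are configured with the same role provider.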