I want to create a web application with a login form and authenticate with Active Directory account. Our users sometimes use a device that users cannot log in, so we don’t want to use Windows Authentication.
How it’s set up right now is:
[HttpPost] [AllowAnonymous] [ValidateAntiForgeryToken] public ActionResult Login(LoginViewModel vm) { // Removed some details for readability if(principalContext.ValidateCredentials(vm.username, vm.password)) { userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.SamAccountName, vm.username); } if(userPrinciipal != null) { TempData["username"] = userPrincipal.LogonName; return RedirectToAction("PageForValidatedUser"); } } public ActionResult PageForValidatedUser() { if (TempData["username"] == null) { return RedirectToAction("Login"); } string username = TempData["username"].ToString(); ValidatedUser vu = GetUserInfoByUsername(username); ViewModel vm = SetupViewModel(vu); return View(vm); } } And in web.config and in IIS, I set it to Anonymous Authentication.
<authentication mode="None" ></authentication> The authentication itself is “working fine” with this method, but I’m wondering if it would be a lot more secure if I go with Form Authentication (like this, or this) using the following features:
FormsAuthentication.SetAuthCookiefor loginFormAuthentication.SignOutfor logoutloginUrland[Authorize]