
I want to create a web application with a login form and authenticate with an Active Directory account. Our users sometimes use a device on which they cannot log in, so we don't want to use Windows Authentication.

How it's set up right now is:

 using System.DirectoryServices.AccountManagement;
 using System.Web.Mvc;

 [HttpPost]
 [AllowAnonymous]
 [ValidateAntiForgeryToken]
 public ActionResult Login(LoginViewModel vm)
 {
     // Removed some details for readability
     UserPrincipal userPrincipal = null;

     if (principalContext.ValidateCredentials(vm.username, vm.password))
     {
         userPrincipal = UserPrincipal.FindByIdentity(principalContext, IdentityType.SamAccountName, vm.username);
     }

     if (userPrincipal != null)
     {
         // UserPrincipal exposes SamAccountName (there is no LogonName property)
         TempData["username"] = userPrincipal.SamAccountName;
         return RedirectToAction("PageForValidatedUser");
     }

     // Credentials rejected: show the login form again
     return View(vm);
 }

 public ActionResult PageForValidatedUser()
 {
     if (TempData["username"] == null)
     {
         return RedirectToAction("Login");
     }

     string username = TempData["username"].ToString();
     ValidatedUser vu = GetUserInfoByUsername(username);
     ViewModel vm = SetupViewModel(vu);
     return View(vm);
 }

And in web.config and in IIS, I set it to Anonymous Authentication.

<authentication mode="None" />

The authentication itself is "working fine" with this method, but I'm wondering if it would be a lot more secure if I go with Forms Authentication (like this, or this) using the following features:

  • FormsAuthentication.SetAuthCookie for login
  • FormsAuthentication.SignOut for logout
  • loginUrl and [Authorize]
kuma
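The forms-authentication variant of the flow the question describes, written as an added example (not code from the original post or from an answer): the AD bind stays the same, but the result is carried in a signed forms ticket instead of TempData, and [Authorize] enforces it. It assumes the question's LoginViewModel, ValidatedUser, GetUserInfoByUsername and SetupViewModel names, and uses "CORP" as a placeholder domain.

```csharp
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel vm)
    {
        if (!ModelState.IsValid) return View(vm);

        // "CORP" is a placeholder domain name, not one from the original post.
        using (var ctx = new PrincipalContext(ContextType.Domain, "CORP"))
        {
            // The bind against AD happens here; the password is never stored.
            if (ctx.ValidateCredentials(vm.username, vm.password, ContextOptions.Negotiate))
            {
                var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, vm.username);
                if (user != null && user.Enabled == true)
                {
                    // Issues the signed and encrypted forms ticket as a session-only cookie.
                    FormsAuthentication.SetAuthCookie(user.SamAccountName, false);
                    return RedirectToAction("PageForValidatedUser");
                }
            }
        }

        // One message for unknown user and wrong password, so accounts cannot be enumerated.
        ModelState.AddModelError("", "Invalid username or password.");
        return View(vm);
    }

    // [Authorize] replaces the TempData check: unauthenticated requests are redirected to loginUrl.
    [Authorize]
    public ActionResult PageForValidatedUser()
    {
        ValidatedUser vu = GetUserInfoByUsername(User.Identity.Name);
        return View(SetupViewModel(vu));
    }

    [HttpPost, Authorize, ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}
```

This pairs with a web.config entry such as `<authentication mode="Forms"><forms loginUrl="~/Account/Login" requireSSL="true" timeout="30" slidingExpiration="true" /></authentication>` in place of `mode="None"`, so the ticket cookie is only sent over HTTPS and expires on its own.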
