How do I re-authenticate a user in an ASP.NET MVC 3 Intranet application?
The application is already using Windows integrated security, not Forms. What I am trying to accomplish is a so-called "step-up" authentication, or "force re-authentication", for the following scenario:

  1. the user is browsing the site doing common, trivial stuff
  2. suddenly, the user has to do a sensitive action such as authorizing a resource allocation or confirming a car loan or something similar
  3. the user is prompted for the credential before (s)he's redirected to the sensitive page, in a manner similar to SharePoint's "Sign In as a Different User"
  4. if, and only if, the credentials entered are the same as for the currently logged-in user the application proceeds to the sensitive area.

This would prevent the following two issues:

  1. The user goes for a meeting or a coffee and forgets to lock the workstation and a colleague uses the session to access the sensitive area
  2. The user enters the credentials of his or her boss (because, let's say he peeked over the boss' shoulder) to access the sensitive area.

I know, some would look at this as "being paranoid", but some would also say it's common sense and should be built into a framework somewhere (jQuery or .NET).

Stomachic answered 28/9, 2011 at 15:22 Comment(2)
For the record, I don't think there is such a thing as "being paranoid" when dealing with sensitive information. Have you tried configuring a virtual directory for your site? - Godmother
This is one reason that I almost never use integrated authentication - it delegates the security to the workstation security, over which I have no control. - Frondescence

Have the form send the credentials along with the request to perform the action, i.e., some actions require that you provide username/password. Use the PrincipalContext ValidateCredentials method to ensure that the proper credentials have been entered and check that the username supplied matches the current username in the User.Identity object.

using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;

[HttpPost]
public ActionResult SensitiveAction(SensitiveModel model, string username, string password)
{
    // Under Windows authentication User.Identity.Name is "DOMAIN\user", so the
    // form must post the account name in that same form for the comparison to match.
    using (var context = new PrincipalContext(ContextType.Domain))
    {
        // Accept only the credentials of the account that is already signed in,
        // and only if the domain confirms the password.
        if (!string.Equals(this.User.Identity.Name, username, StringComparison.OrdinalIgnoreCase)
            || !context.ValidateCredentials(username, password))
        {
            return View("PermissionDenied");
        }
    }

    // ... perform the sensitive action
    return View(model);
}
Frondescence answered 28/9, 2011 at 15:34 Comment(1)
thank you for your prompt response! but this will mean creating a new view to manually get the credentials over https. Is there a way to use the built-in credential prompt just as SharePoint does it? I guess it does it by trying to access a protected file, _layouts/AccessDenied.aspx. - Stomachic
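The following is an added example, not code from the answer above, showing one way to turn that check into a reusable step-up gate for an MVC 3 Windows-authenticated site. The attribute name RequireStepUpAttribute, the StepUpController, the session key, the "/StepUp/Verify" route and the 5-minute window are all assumptions made for this example. It differs from the answer's snippet in two practitioner-relevant ways: it validates the password against the account Windows authentication already established (so there is no typed username to mismatch against the "DOMAIN\user" form of User.Identity.Name, and no way to supply a different account), and it records a short-lived verification time in server-side session so the user is not prompted on every sensitive request.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter: an action marked [RequireStepUp] is only reached if the
// current Windows user re-entered their own password within StepUpWindow.
// Otherwise the request is redirected to the re-authentication form.
public sealed class RequireStepUpAttribute : AuthorizeAttribute
{
    public static readonly TimeSpan StepUpWindow = TimeSpan.FromMinutes(5); // assumed window
    internal const string SessionKey = "StepUpVerifiedAt";                   // assumed key

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;
        if (httpContext.Session == null) return false;   // requires session state enabled
        var verifiedAt = httpContext.Session[SessionKey] as DateTime?;
        return verifiedAt.HasValue && DateTime.UtcNow - verifiedAt.Value < StepUpWindow;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not recently re-verified: send to the step-up page,
        // carrying the original URL so the user lands back on the sensitive action.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            var returnUrl = filterContext.HttpContext.Request.RawUrl;
            filterContext.Result = new RedirectResult(
                "/StepUp/Verify?returnUrl=" + HttpUtility.UrlEncode(returnUrl));
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);   // plain 401 for anonymous callers
    }
}

public class StepUpController : Controller
{
    [HttpGet]
    public ActionResult Verify(string returnUrl)
    {
        return View(model: returnUrl);   // view shows a password field only; no username field
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Verify(string password, string returnUrl)
    {
        // Never accept a password over plain HTTP.
        if (!Request.IsSecureConnection)
            return new HttpStatusCodeResult(403);

        // Windows auth already tells us who is signed in ("DOMAIN\sam"); validate
        // exactly that account instead of trusting a username typed by the user.
        var winIdentity = User.Identity as WindowsIdentity;
        if (winIdentity == null || !winIdentity.IsAuthenticated)
            return new HttpStatusCodeResult(401);

        string domain, sam;
        SplitAccountName(winIdentity.Name, out domain, out sam);

        bool ok;
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            ok = ctx.ValidateCredentials(sam, password, ContextOptions.Negotiate);
        }

        if (!ok)
        {
            // Log the failure against winIdentity.Name; never log the password.
            ModelState.AddModelError("", "Password did not match the signed-in account.");
            return View(model: returnUrl);
        }

        Session[RequireStepUpAttribute.SessionKey] = DateTime.UtcNow;
        // Guard against open redirects: only return to a URL on this site.
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }

    private static void SplitAccountName(string name, out string domain, out string sam)
    {
        var slash = name.IndexOf('\\');
        if (slash < 0) { domain = null; sam = name; return; }
        domain = name.Substring(0, slash);
        sam = name.Substring(slash + 1);
    }
}
```

Mark each sensitive action with [RequireStepUp] and keep it an HTTP POST with an anti-forgery token, so the window only helps a colleague at an unlocked workstation if they act within the few minutes after the legitimate user verified; shorten StepUpWindow to zero if that residual exposure is unacceptable. Failed verifications should be logged and counted, since this form is a password oracle for the signed-in account and a domain lockout policy will apply to repeated wrong guesses.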

The user goes for a meeting or a coffee and forgets to lock the workstation and a colleague uses the session to access the sensitive area

That works only the first time, but now the boss enters a sensitive area, re-enters her credentials, then goes for coffee. Are you going to prompt for every sensitive request? Users won't put up with that.

The user enters the credentials of his or her boss (because, let's say he peeked over the boss' shoulder) to access the sensitive area.

If someone knows and enters the credentials of their boss, there is nothing you can do to detect that.

Bond answered 29/9, 2011 at 17:1 Comment(1)
This is more so commentary on the question than it is an answer. Answers should be reserved for posts that offer a solution to OP's question or problem statement. - Biff