Question

For a given application I have a .aspx login form backed by a C# code behind file.
In the code behind I am using the following "home grown" method:

using System;
using System.DirectoryServices.AccountManagement;
using System.Web.SessionState;

private bool AuthenticateUser(String username, String password)
{
    bool validated = false;
    try
    {
        // PrincipalContext is IDisposable; dispose it when the check is done
        using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "domnet.domad.com", "dc=domnet,dc=domad,dc=com"))
        {
            IdentityType ADElement;
            UserPrincipal up;

            //Try first with no @DOM.COM - this should work for SamAccountName values:
            username = username.ToUpper().Replace("@DOM.COM", "");
            ADElement = IdentityType.SamAccountName;
            up = UserPrincipal.FindByIdentity(pc, ADElement, username);
            validated = pc.ValidateCredentials(username, password, ContextOptions.Negotiate);

            //If SamAccountName fails try UserPrincipalName with @DOM.COM
            if (!validated)
            {
                username = username + "@DOM.COM";
                ADElement = IdentityType.UserPrincipalName;
                up = UserPrincipal.FindByIdentity(pc, ADElement, username);
                validated = pc.ValidateCredentials(username, password, ContextOptions.Negotiate);
            }

            //Put username into session
            if (validated)
            {
                Session["Username"] = username.Replace("@DOM.COM", "");
            }
        }
    }
    catch (Exception) //login failure...
    {
        validated = false;
    }

    return validated;
}

This works fine for the application but I have other applications that need authentication too.
I really don't want to copy / paste the login files into every application.

So my most basic question is what are my options to centralize the authentication code between applications?

In the future I will also be looking to:
Verify not only username/password but also AD group membership.
Once the user is authenticated, no more login screens between apps (SSO).

It seems to me I am not the first person to run into this problem.
I would prefer to use an out of the box solution vs. developing my own if possible.


Solution

You could:

OTHER TIPS

One approach would be to create a Core project (.dll/library) that contains the common parts that you wish to share between your applications, and then to reference that project in your applications.

I.e., say that you have 2 applications, A and B: you would create three projects A, B and Core. In projects A and B simply add a project reference to the Core library. Now you can access any method in Core from both A and B.

This approach works well with SVN and similar version control systems and you will find it is a very flexible way of working. The hard part is to identify what is really common code and to make it as general as possible.

@Baxter Not sure if my answer comes a bit late as this question was posted a few days ago, but am looking into the same problem of implementing centralized session and authentication management in my MVC 3 application, and I believe the following link would be of great interest to you: http://www.codeproject.com/Articles/246631/ASP-NET-MVC3-Form-Authentication

The author of the article corresponding to the link above factors out the authentication functionality into a separate DLL and uses dependency injection to use application context to utilize the external 'security' DLL. I am planning to use this approach to centralize the security mechanism and reuse it in 3 different MVC 3 web applications, so it is still research in progress, and I will update this answer accordingly with what I find :)

You can refactor this method out into a separate project (meaning a different dll) and reference that project from any web application where you want to use this code.

An alternative if you are using Windows Authentication is to grab their SID, query AD for a piece of information that is shared between AD and the application's user table (we use the email address) and check to see if the user table has an entry with that email address.

This way, by logging onto their workstation, they are essentially pre-logged into any application using this authentication method. You just have to make sure that when you create a new user account (at the application level) you capture the info that you want to check for authentication (this is why we use the email address - everyone knows their company email).

This works really well with the Core library method suggested by Avada Kedavra. This method also allows you to have each application maintain its own user base (although it will also work well with a central user database).
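As an added illustration of the Core-library answer and the SID answer together (example code written here, not from the question or any answer): one shared class that performs the question's SamAccountName/UserPrincipalName check, the AD group check the question wants next, and the SID-to-email lookup used with Windows Authentication. The class name, method names and the domain/container/suffix values passed to the constructor are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example, not code from the question or answers: one shared "Core" library class.
public sealed class DirectoryAuthenticator : IDisposable
{
    private readonly PrincipalContext _context;
    private readonly string _upnSuffix;
    // Assumed placeholder values, e.g. ("domnet.domad.com", "dc=domnet,dc=domad,dc=com", "@DOM.COM").
    public DirectoryAuthenticator(string domain, string container, string upnSuffix)
    {
        _context = new PrincipalContext(ContextType.Domain, domain, container);
        _upnSuffix = upnSuffix;
    }

    // The question's check, refactored: try SamAccountName, then UserPrincipalName. Returns the
    // canonical SamAccountName on success, null otherwise. Blank input is rejected before any bind.
    public string ValidateCredentials(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return null;
        string sam = username.EndsWith(_upnSuffix, StringComparison.OrdinalIgnoreCase)
            ? username.Substring(0, username.Length - _upnSuffix.Length) : username;
        if (_context.ValidateCredentials(sam, password, ContextOptions.Negotiate)) return sam;
        if (_context.ValidateCredentials(sam + _upnSuffix, password, ContextOptions.Negotiate)) return sam;
        return null;
    }

    // AD group membership, the check the question plans to add next.
    public bool IsMemberOf(string samAccountName, string groupName)
    {
        using (UserPrincipal user = UserPrincipal.FindByIdentity(_context, IdentityType.SamAccountName, samAccountName))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(_context, IdentityType.Name, groupName))
        {
            return user != null && group != null && user.IsMemberOf(group);
        }
    }

    // Windows Authentication path from the SID answer: resolve the caller's SID to the AD e-mail
    // address, which the application then matches against its own user table.
    public string EmailForSid(SecurityIdentifier sid)
    {
        using (UserPrincipal user = UserPrincipal.FindByIdentity(_context, IdentityType.Sid, sid.Value))
        {
            return user == null ? null : user.EmailAddress;
        }
    }
    public void Dispose() { _context.Dispose(); }
}
```

Under Windows Authentication the SID to pass to EmailForSid comes from `((WindowsIdentity)User.Identity).User`; each web application references this one library project instead of carrying its own copy of the login code.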

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow