MVC 5, OWIN and Active Directory Authentication

Update: I’ve replaced the Task.Run calls with Task.FromResult to improve performance.

I’ve seen several questions on Stack Overflow asking how to do “forms authentication” using the new MVC OWIN stack. This is actually really easy, and requires only a small amount of customization of the starter template you get when you make a New Project using Individual Accounts. Keep in mind there will be a bit of work required if you want to get around some of the other components of the default project if you don’t want to require users sign up for a new account with a fake password. That is a project for another time.

First things first, this solution uses System.DirectoryServices.AccountManagement, so you will need to add that to your project.

Since we will need a PrincipalContext for the all of this, we can use a request-wide singleton produced by the pipeline for us by editing App_Start\Startup.Auth.cs.

using System.DirectoryServices.AccountManagement;
public void ConfigureAuth(IAppBuilder app) {
// This is the important part, this is how you will configure the PrincipalContext used throughout your app
app.CreatePerOwinContext(() => new PrincipalContext(ContextType.Domain));
// Configure the db context, user manager and signin manager to use a single instance per request

That was easy, right? Next we need to tackle App_Start\IdentityConfig.cs, since that contains the ApplicationUserManager with a lot of methods you can override (thanks abstract!). Seriously, if you ever get a chance, check out the source or MSDN docs for it.

The key function we want to play with is CheckPasswordAsync. We will also need to modify the constructor so we have access to our PrincipalContext. Also, there is the “Create” method we need to tweak to accept our new constructor.

 public class ApplicationUserManager : UserManager<ApplicationUser>
    private readonly PrincipalContext _context ;
    public ApplicationUserManager(IUserStore<ApplicationUser> store, PrincipalContext context)
      : base(store)
        _context = context;

    public override async Task<bool> CheckPasswordAsync(ApplicationUser user, string password)
        return await Task.FromResult(_context.ValidateCredentials(user.UserName, password, ContextOptions.Negotiate));

    public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context) 
        var manager = new ApplicationUserManager(new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()), context.Get<PrincipalContext>());

That’s it! We simply override the password checking algorithm and checkthe password against AD. The reason for using ContextOptions.Negotiate is because it is required to get IIS Express to work correctly.

If you wanted to get extra fancy, you could add a property to the ApplicationUser to say whether or not that user should authenticate against AD. Then you could have a password checking method that falls back to the built-in authentication method, or even just fall back if AD authentication fails.

public override async Task<bool> CheckPasswordAsync(ApplicationUser user, string password)
    if (user.IsADUser)
        return await Task.FromResult(_context.ValidateCredentials(user.UserName, password, ContextOptions.Negotiate));
    return await base.CheckPasswordAsync(user, password);

Happy Coding!


Recently I had to build some XML files for importing into a Desire2Learn instance. They were nice enough to provide an XSD and a little bit of sample XML, but I didn’t want to actually build another console application to generate an XML file. I wanted to just export data straight from my SQL server. Enter FOR XML. There is a lot of documentation available for this feature, but a lot of it assumed that your column names matched very well with the shape of the XML you wanted to make. Thankfully FOR XML is actually quite powerful in letting you designate what shape your XML looks like.

For example, an XML file for importing might look like this:

 <group recstatus="2">
     <typevalue level="4">Course Template</typevalue>
     <long>Basic Math</long>
   <relationship relation="1">
     <label>A parent of MATH_101 is the Math Department</label>

You might have the data in your SQL database that could be queried simply like this:

SELECT Template, CourseDescription, Department
FROM Courses

To get from the “Normal” SQL to the XML output, you use FOR XML, and aliasing that looks like XPATH notation. Prefixing the last token in the alias turns that value into an attribute of the previously named tag.

SELECT '2' AS '@recstatus',
Template AS 'sourcedid/id',
'4' AS 'grouptype/typevalue/@level',
'Course Template' AS 'grouptype/typevalue',
Template AS 'description/short',
CourseDescription AS 'description/long',
1 AS 'relationship/@relation',
Department AS 'relationship/sourcedid/id',
'A parent of ' + Template + ' is the ' + Department + ' Department' AS 'relationship/label',
Department + '/templates/' + Template + '/' AS 'extension/path'
FROM Courses
FOR XML PATH('group'), ROOT('enterprise')


jQuery 2.0 and NuGet

Recently jQuery 2.0 was released to the world. Yay! It has many breaking changes. Boo! But they are going to keep the 1.x branch updated for the foreseeable future. Yay! NuGet however, does not currently have UI to selectively update only using the 1.x branch of jQuery. Boo!

Enter NuGet version contraints. Simply open up your packages.config, and find the following line:

<package id="jQuery" version="1.9.1" targetFramework="net45" />

Your targetFramework attribute may be different, but that doesn’t matter. What you need to do is edit that line to add the allowedVersions parameter:

<package id="jQuery" version="1.9.1" targetFramework="net45" allowedVersions="[1,2)" />

This tells NuGet that you want to constrain the jQuery package to versions 1 <= x < 2. In fact, if you use Update-Package, you will get a friendly line in the package manager console that reads:

Applying constraint 'jQuery (≥ 1.0 && < 2.0)' defined in packages.config.

Yay! Hopefully the UI for NuGet is updated soon to better support parallel release branches.

Steam and OpenID and MVC

Steam actually offers some options to people who want to build applications and services using their data. One of these options is that they offer Steam as an OpenID provider. MVC 4 actually makes this very easy to consume. I only had to add the following to my AuthConfig.cs to enable it:

using DotNetOpenAuth.AspNet.Clients;
// ... SNIP ....
public static void RegisterAuth() {
        new OpenIdClient("Steam", ""),
        "Steam", null
// ... SNIP ...