
I have a .NET Web API with a bunch of endpoints/methods that an Angular app calls. I now want to implement the login system against our Active Directory, and am wondering what my options are.

Back in the day, it was simple: Windows or forms authentication, and then just some simple configuration in the web.config, and maybe a custom provider. But now it seems like there are a lot more options with OWIN, OAuth, token-based authentication, etc.

Where do I start? I have a form with username, password, and a login button on the Angular app, and I have Active Directory in the backend. What should happen after the user hits the login button? Any direction would help.

Thanks.

    
Where do users come from? Is it intranet? – voroninp Dec 19 '14 at 21:30
    
Yes, it's intranet for now – Prabhu Dec 19 '14 at 23:15
    
If it is intranet only, nothing stops you from using Windows authentication as is. You don't even need an authentication form. But as I mentioned in my answer, it depends on your further plans. – voroninp Dec 19 '14 at 23:33
    
How can I do Windows authentication with Angular as my front end? I'll still need an Angular view with the username/password fields and a submit button, right? – Prabhu Dec 20 '14 at 16:31
    
See this article for a fuller walkthrough of using AngularJS/ASP.NET/AD. Note that this is only viable in a situation where the NT logged-in user will always be correct; forget this if users share workstations/logins/etc. – Eric Kramer Oct 9 '15 at 12:47
up vote 1 down vote accepted

Well, it depends on what you actually need.

If you want to authenticate only AD users, then you can try to authenticate against AD on their behalf and, in case of success, return either a token or an authentication cookie.

But I don't think it is a good idea to make users use their domain password unless you have two-factor authentication.

It's better to extend the AD schema with additional data for authentication through your service, or even to have a standalone auth server with associated domain user info. Look at how it is done in SQL Server (but in the reverse direction): you need to define an internal user corresponding to a domain login. This approach allows you to have users that do not belong to AD; sometimes this can be important for outsourcing some tasks.

Look at IdentityServer

