1
votes

I am trying to create an ASP.NET MVC 4 application that is going to be used by both external and internal users, and I am not sure which is the best way to proceed.

I have created my own authorization logic, but this only handles external users, and I am unsure how to add and validate internal users in a secure way. The current code looks like this:

using System.Web;
using System.Web.Mvc;

// Custom authorization filter (class name assumed; only the overrides were posted).
// Idnt is the application's own external-login helper.
public class ExternalAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Authorized only when an external login session has been established.
        return Idnt.IsInitialized();
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Anyone without an external session is sent to the external login flow.
        filterContext.Result = new RedirectResult("Login/RedirectToExternalLogin");
    }
}

The above works fine for external users. However, my problem is that we also have some internal users. The internal users that need access to the application are defined by an AD group (so only some internal users are allowed to access the application). In order to check whether the user is in the AD group I am using the following code:

// Requires a reference to System.DirectoryServices.AccountManagement
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "MyDomain", "Username", "Password");

The problem is that I am not able to access the domain controller without the user's AD username and password, so an internal user would need to enter these in order for me to check whether the user is in the group allowed to access the application.

I have thought about creating an AdminController and checking whether the user is accessing the application via xyz.com/Admin or xyz.com (and blocking all access to /Admin from external networks in the firewall), but to make matters worse the application is also accessed from an old legacy system using query strings, e.g.

xyz.com/?VALUE1=1234&VALUE2=5678

Not being a hacker or a security specialist, and with my googling having come up empty, I have these questions to make sure I don't introduce a security risk:

1: The easiest solution would be to create a dummy AD account that could query the AD and find out whether the currently logged-on Windows user is a member of the group allowed to access the application. The flow would basically be:

  • A user accesses the application. Check whether the user is an internal user and a member of the group; if not, go to external validation. Since the AD domain controller is on the same domain as the application server, would this be a secure, albeit not very elegant, solution?

2: Block all access to /Admin and all requests containing query strings (if that is even possible, or would that interfere with the internal workings of ASP.NET MVC?) from external sources, and then redirect the (thus verified) internal user to an input page and use those credentials to query the AD domain controller and validate the user. However, this also needs to store some kind of session variable in a secure way so the user does not get prompted all the time, and in the end I would need to verify this variable or send the user to the external login page, and I don't know how easy it is to forge something like that?

3: Is there an easy, obvious solution that I am missing that would help me achieve the above? E.g. would it be OK to check IP addresses like so: ASP.Net check if user is internal or external, or is that too easy to spoof?

1
Unlike forum sites, we don't use "Thanks", or "Any help appreciated", or signatures on Stack Overflow. See "Should 'Hi', 'thanks,' taglines, and salutations be removed from posts?". - John Saunders

Check, I will turn down my politeness in the future :) - andreasnauta

It's polite in conversation, but this is a Q&A, not a conversation. I recommend that you read the link I included in the comment. - John Saunders

1 Answer

0
votes

In the end I went with option 2. It seems like the best solution, as a hard-coded account is not desirable.
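As an added example (not code from the question or the answer), here is one way to combine both user populations in a single authorization filter without embedding a service-account password: external users are admitted through the question's own Idnt.IsInitialized() check, and internal users are admitted only when IIS has already authenticated them with Windows Authentication (Kerberos/NTLM) and their AD group membership is confirmed through a PrincipalContext that runs under the application pool identity. The domain name "MyDomain" and the group name "AppUsers" are placeholders, Idnt is assumed to be the question's helper class, and the app pool identity is assumed to be a domain account allowed to read group membership.

```csharp
// Added example, not part of the original question or answer.
// Assumptions: "MyDomain" / "AppUsers" are placeholders, Idnt is the
// question's own external-login helper, and the IIS app pool runs as a
// domain account that may read group membership (no stored password).
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public class InternalOrExternalAuthorizeAttribute : AuthorizeAttribute
{
    private const string DomainName = "MyDomain";      // placeholder
    private const string RequiredAdGroup = "AppUsers"; // placeholder

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Case 1: external user with an established external login session.
        if (Idnt.IsInitialized())
        {
            return true;
        }

        // Case 2: internal user. Trust only an identity that IIS itself
        // established via Windows Authentication; a client IP address or a
        // request header is not proof of being internal.
        WindowsIdentity windowsIdentity = null;
        if (httpContext.User != null)
        {
            windowsIdentity = httpContext.User.Identity as WindowsIdentity;
        }
        if (windowsIdentity == null || !windowsIdentity.IsAuthenticated || windowsIdentity.IsAnonymous)
        {
            return false;
        }

        // Look the user up by SID rather than by display name: the SID is what
        // the Windows token actually carries and cannot be typed in by a user.
        return IsMemberOfRequiredGroup(windowsIdentity.User.Value);
    }

    // Queries AD with the process (app pool) identity, so no service-account
    // credentials live in the application. Fails closed on any lookup problem.
    private static bool IsMemberOfRequiredGroup(string userSid)
    {
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
            using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, RequiredAdGroup))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, userSid))
            {
                if (group == null || user == null)
                {
                    return false;
                }
                return user.IsMemberOf(group);
            }
        }
        catch (PrincipalServerDownException)
        {
            // Domain controller unreachable: deny rather than guess.
            return false;
        }
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // A Windows-authenticated user who is simply not in the group gets 403;
        // everyone else is sent to the external login flow, as in the question.
        IIdentity identity = null;
        if (filterContext.HttpContext.User != null)
        {
            identity = filterContext.HttpContext.User.Identity;
        }
        if (identity is WindowsIdentity && identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }
        filterContext.Result = new RedirectResult("~/Login/RedirectToExternalLogin");
    }
}
```

Two points worth keeping in mind when wiring this in: Windows Authentication has to be enabled on the IIS site (or on the internal entry point) for httpContext.User.Identity to be a WindowsIdentity at all, and if the group check only needs the groups already present in the user's logon token, httpContext.User.IsInRole(@"MyDomain\AppUsers") on the WindowsPrincipal gives the same answer without a round trip to the domain controller.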