I have converted an MVC + AngularJS application to use NancyFx + AngularJS (as I wasn't really using any MVC stuff). I am using VS2013 and it runs under IIS (and IIS Express in my dev environment).

I can obtain the current logged in user by examining the server.User component of the OwinEnvironment. I am currently using Microsoft.Owin.Host.SystemWeb as per most of the demos. When I add a RequiresAuthentication to a Get request in my module, I get a pop-up in IE to enter credentials even though I'm logged in. Even when I enter the credentials, I just keep getting pop-ups and it never reaches the site.

I have a couple of questions:

1) If using Windows Authentication and RequiresAuthentication, do I still need authentication mode="Windows" in the web.config?

2) Is it possible to use IIS without Microsoft.Owin.Host.SystemWeb in order to avoid the ASP.NET pipeline? I came across articles about Project Helios and Microsoft.Owin.Host.IIS (Nuget) but this hasn't been worked on for a while and is only an Alpha - what's happening with this?

3) What is the de facto way of using IIS, NancyFX and Windows Authentication with RequiresAuthentication and Roles?

I've looked at many articles and Stack Overflow questions but have yet to find a definitive answer.

1 Answer

1) Yes, you have to tell the IIS module to use Windows Authentication.

2) I do not believe so, although you can do Windows auth using OWIN self-hosting if you really don't like IIS.

Even if you have IIS set to Windows auth, Nancy does not recognize this out of the box. You can authenticate the current request using the Pipelines.BeforeRequest in the bootstrapper by overriding RequestStartup() and setting the current user's username. The following assumes .NET 4.5.

Of course you may want to do standard null checking and what not.

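using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using Nancy;
using Nancy.Bootstrapper;
using Nancy.Security;
using Nancy.TinyIoc;

// Adapts the principal authenticated by the host to Nancy's IUserIdentity.
public class User : IUserIdentity
{
    private readonly ClaimsPrincipal claimsPrincipal;

    public User(ClaimsPrincipal claimsPrincipal)
    {
        this.claimsPrincipal = claimsPrincipal;
    }

    public string UserName { get { return claimsPrincipal.Identity.Name; } }
    public IEnumerable<string> Claims { get { return claimsPrincipal.Claims.Select(c => c.ToString()); } }
}

public class Bootstrapper : DefaultNancyBootstrapper
{
    protected override void RequestStartup(TinyIoCContainer container, IPipelines pipelines, NancyContext context)
    {
        base.RequestStartup(container, pipelines, context);

        pipelines.BeforeRequest += ctx =>
        {
            // Principal of the current request thread, if it is claims-based.
            var principal = Thread.CurrentPrincipal as ClaimsPrincipal;

            // Null check: leave CurrentUser unset for a missing or anonymous
            // principal so that RequiresAuthentication() rejects the request.
            if (principal != null && principal.Identity != null && principal.Identity.IsAuthenticated)
            {
                ctx.CurrentUser = new User(principal);
            }

            return null; // null lets the request continue down the pipeline
        };
    }
}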

4 Comments

This looks like it would only work if ASP.NET impersonation is enabled -- you're getting the security principal of the currently executing thread, which is normally the Windows account under which the IIS worker thread is running.
I take that back - it looks like Thread.CurrentPrincipal is overwritten during the request lifecycle with the authenticated user. But for me, it's an anonymous user (I'm hosting from IIS express), even though windows authentication is enabled in web.config... argh!
Turn off anonymous auth
Thanks, fixed in solution properties.
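
The two settings this thread converges on, Windows authentication on and anonymous authentication off, written as a web.config fragment. This is an added example, not configuration from any of the posts above; it assumes the host allows these sections to be overridden per site, and where they are locked at server level the same two switches are set in the server or project settings instead.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- ASP.NET pipeline: take the identity from the Windows token supplied by IIS. -->
    <authentication mode="Windows" />
  </system.web>

  <system.webServer>
    <security>
      <authentication>
        <!--
          Weak setting: anonymousAuthentication enabled="true".
          With anonymous access left on, the request can be served without
          a Windows identity, so the application sees an anonymous principal
          even though Windows authentication is also enabled.
        -->
        <anonymousAuthentication enabled="false" />

        <!-- Have IIS negotiate Windows credentials for every request. -->
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```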
