Wednesday 15 September 2010

C# - Better approach for SSO to cater for Windows integrated auth as well as users not on the domain


This may be a duplicate (not sure), but since I am unable to quench my thirst for the right answer, here it goes:

I have to provide single sign-on for my ASP.NET web application, where:

Case 1. User login is allowed if the user is already on the domain (logged in to a Windows domain).

Case 2. User login but does not allow if the user is not on the domain / validating user login credentials from Active Directory.

Question 1a. Comments on the steps I have followed and should follow are needed. How can I improve it? That is, is this the right way to provide the expected functionality above?

Question 1b. In addition, I currently have hard-coded roles in my database; I am planning to move them into Active Directory user roles; I could then use the IsInRole method. What do you think about it?

Right now, I have implemented it in the following way:

For Case 1, the application uses Windows authentication, basically like the following:

  return (WindowsIdentity)HttpContext.Current.User.Identity;

If this is an authenticated user, the application proceeds.

For Case 2, the application asks the user to provide the user ID and password, and checks that the user is present in Active Directory. The following is a snippet:

  // entry is a DirectoryEntry; its construction is not shown in the post
  DirectorySearcher search = new DirectorySearcher(entry);
  search.Filter = "(SAMAccountName=" + username + ")";
  search.PropertiesToLoad.Add("cn");
  SearchResult result = search.FindOne();

If it finds a record for the user, then the application proceeds.

Please note that the recommended changes are included in the web.config file, such as the following:

  <authentication mode="Forms">
    <forms loginUrl="~/UI/page/login.aspx" defaultUrl="Default.aspx" name="adAuthCookie" timeout="60" path="/" />
  </authentication>
  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>
  <identity impersonate="true" />

Adding roles (admin, supervisor, guest) to Active Directory roles is very good, but then when I deploy my application, how would I go about adding those hard-coded roles to Active Directory? Well... just thinking out loud.

I had to research this a few months back: how to add Forms and Windows security to ASP.NET. There is an excellent article on it. I never got a chance to apply it, so I am unsure of the actual results. If you use any of this, please let me know how it works for you.

