Click here to Skip to main content
13,191,331 members (77,223 online)
Click here to Skip to main content
Add your own
alternative version


45 bookmarked
Posted 3 Jun 2013

ASP.NET MVC 4 Forms Authentication Customized

, 4 Jun 2013
Rate this:
Please Sign up or sign in to vote.
Customizing form based authentication in MVC 4 for your requirement.


I am doing a POC in ASP.Net MVC 4 project in which i had to customize User Authentication requirement so that it can validate an active directory user which should also exist in my project database. I have googled a lot and looked into many articles but have not found any straight forward solution. So thought to take it up and share with you all.

Initially i thought i will go with Windows Authentication and in Application_AuthenticateRequest event of global.asax I will write my custom code to validate the user in my project database. But the main issue is, if the user validation is failed in the database it is difficult (I didn't find a way) to reset the authentication cookie to mark the user as unauthenticated user. In simple words the user is always authenticated with Windows Authentication. You can see Request.IsAuthenticated flag is always TRUE.

So I decided to go with Forms Authentication in which I will bypass the login page and will read the windows logged in user from Request.ServerVariables["LOGON_USER"] and will validate the user in database.


This article is helpful for those who is looking for single signon in MVC 4 application as well as they want the user should also be verified in users table in your project database. Please note that this article will be based on MVC 4 and i am using VS2010 SP1 to create sample code.

Understanding Forms Authentication in MVC

You can find tons of article on Forms Authentication. So i am not going to write the repeated boring stuff but will demystify the abstraction you see in your project when you select "Internet Application" template while creating your MVC project. Lets get into step by step.

  1. File -> New -> Project -> ASP.NET MVC 4 Application Click on "OK" button
  2. Project Template -> Internet Application
  3. View Engine -> Razor, now click on "OK" button to create the project

Now the project is created. If you look at the web.config file you can find the following Authentication tag which claims that the project will use "Forms" authentication.

<authentication mode="Forms" /><forms loginUrl="~/Account/Login" timeout="2880" /></authentication>

Now if you try to compile the project, you will be able to compile it and you shall be able to run the project successfully. The first issue comes when you click on "Login" button. You can see the following error in the "InitialiseSimpleMembershipAttribute.cs" file.

Login page error

The above error occures because the code is not able to initialise/create membership table in the SQL express. you can find the following connectionstring in the web.config file.

<add name="DefaultConnection" connectionstring="Data Source=.\SQLEXPRESS;
Initial Catalog=aspnet-MvcApplication1-20130603132719;Integrated Security=SSPI"

 providername="System.Data.SqlClient" />

I suggest you to change default connection string to point to your SQL server project database as as shown below:

<add name="DefaultConnection" 

  connectionString=quot;server=SQl Server machine name Integrated Security=false; 

  User ID=sa; Password=password; database= your project database; 

  providerName="System.Data.SqlClient" /&gt;</p>

Now you again run the application and click on the "Login" button, you will be able to see the Login Page as follows:

Well, now if you examine the database you will be able to see 5 new tables have been created automatically by the membership provider. Those are as follows:

  1. dbo.UserProfile (this table contains the users name when you try to register a user from application)
  2. dbo.webpages_ Membership (this table maintains the password of users created during registering a user from application)
  3. dbo.webpages_OAuthMembership (this table contains user id if you using OAuth. Out of scope for this article)
  4. dbo.webpages_Roles (You can create the roles in this table which can be used in [Authorize] attribute during authorization in the application)
  5. dbo.webpages_UsersInRoles ( this table contains the user and their role relationship)

Now let's talk about what happens when you click on the "Log in" button. First. Here is the code written in Account Controller which gets fire when you click on "Log in" button.

public ActionResult Login(LoginModel model, string returnUrl)
if (ModelState.IsValid && WebSecurity.Login(model.UserName, 
          model.Password, persistCookie: model.RememberMe))
return RedirectToLocal(returnUrl);

// If we got this far, something failed, redisplay form
ModelState.AddModelError("", "The user name or password provided is incorrect.");
return View(model);

The fairly simple code. Magic happens with WebSecurity.Login() method. this method first checks if supplied user exists in dbo.userprofile table. If exists, then this method checks if supplied password matches in the dbo.webpages_ Membership table. If password also matches then this method reads the roles associated with this user and set in the request context and returns true to indicate successful login. It internally also sets the Request.IsAuthenticated flag to true. That's all about forms authentication side in MVC 4 project.

Resolution of authentication customization problem

Now since you understand the logic behind forms authentication lets talk about resolution of single sign on problem with forms authentication in which user will also be validated in project database.

Step -1

Change the <Forms> tag in Web.Confile file with following tag. 

<forms loginUrl="errors/InvalidUser" timeout="2880" /> 

Step -2

Add errors Controller with following Action methods. 

public class ErrorsController : Controller
    // GET: /Errors/

    public ActionResult InvalidUser()
        return PartialView("_InvalidUser");
    public ActionResult UnAuthorizedUser()
        return PartialView("_UNAuthorizedUser");


Step -3

Add a shared view "_InvalidUser.cshtml" with following Razor. 

    ViewBag.Title = "Invalid User";

<hgroup class="title">
    <h1 class="error">Invalid User.</h1>
    <h2 class="error">Please contact your Administrator.</h2>

Add another shared view "_UNAuthorizedUser.cshtml" with following Razor.

    ViewBag.Title = "Invalid User";
    Layout = "~/Views/Shared/_Layout.cshtml";
<hgroup class="title">
    <h1 class="error">You are not authorized to view this page.</h1>
    <h2 class="error">Please contact your Administrator.</h2>

Step -4

change the existing _LoginPartial.cshtml partial view with following Razor. 

@if (Request.IsAuthenticated)
        Hello, @User.Identity.Name 

Step -5
Lets create our own User table in the Application Database.

CREATE TABLE [dbo].[AppUser](  [USerID] [int] IDENTITY(1,1) NOT NULL,

[LoginName1] [nvarchar]
 (50) NULL, )

Step -6

Create user data in user table manually.

Insert Into dbo.AppUser values(1,'<your windows user name>');

Step 7

Create data in Membership table.

insert into dbo.webpages_Membership(UserId,PasswordFailuresSinceLastSuccess,Password)

 Please note : the Encrypted value shown in the above query for password is "1", since WebSecurity.Login can not receive a blank password so I am hard-coding this password with "1" and I am planning to create every user with the same encrypted password. Since we are going with single signon password doesn't make much sense here.

Step -8

Create role as per your need in role table.

Step -9

Go to the InitializeSimpleMembershipAttribute.cs file and change the following code  in which "User" is newly created table.

   "User", "UserId", "UserName", autoCreateTables: true); 

Step 10

Add the following Attribute to the Home Controller.


Step -11

Change the Index Action of Home Controller with following code. 

public ActionResult Index()
    string username;
    var logonUser = Request.ServerVariables["LOGON_USER"];
    username = logonUser.Split('\\')[1].ToString();
    if (!Request.IsAuthenticated)
        username = "sanjiv";
        if (WebSecurity.Login(username, "2", persistCookie: false))
            return RedirectToAction("Index", "Home");
            return RedirectToAction("InvalidUser", "Errors");
    ViewBag.Message = "Modify this template to jump-start your ASP.NET MVC application.";
    return View();

 Step - 12

Remove account controller (AccountController.cs) completely from the project.

Step -13

Now you run the application and you will be able to see the following screen with logged in user information. 


I will recap the activities performed in this article.

  1. We had removed the Account Controller completely from the project and managed the authentication from "Index" action of "Home" controller. That's the reason we had to provide [AllowAnonymous] attribute to "Index" action. In this authentication process we are reading the logged in user name from Server variables and not providing the user to input username hence it behaves like single sing on application.
  2. Secondly we have changed the "InitializedSimpleMembership" provider to connect to our Local DB. We also managed the user data in our own AppUSer table in project database.
  3. Third and importantly we had changed the _LoginPartial partial view and also created our own error view to display "Invalid user ." error message.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

United States United States
No Biography provided

You may also be interested in...

Comments and Discussions

GeneralMy vote of 5 Pin
KalpataruSahoo4-Jan-16 22:33
memberKalpataruSahoo4-Jan-16 22:33 
QuestionMy Vote of 5 Pin
Member 100913985-Feb-15 23:18
memberMember 100913985-Feb-15 23:18 
GeneralMy vote of 3 Pin
vinodh kumar Narayanasetti12-Oct-14 23:30
membervinodh kumar Narayanasetti12-Oct-14 23:30 
QuestionNot working Pin
Mayur Dhavle20-Feb-14 1:37
memberMayur Dhavle20-Feb-14 1:37 
GeneralMy vote of 4 Pin
GregoryW23-Sep-13 4:13
memberGregoryW23-Sep-13 4:13 
Questionsample project Pin
sujono0512-Sep-13 16:43
membersujono0512-Sep-13 16:43 
GeneralMy vote of 1 Pin
Sergio Sabas1-Sep-13 12:15
memberSergio Sabas1-Sep-13 12:15 
I'm sorry, but the code you posted does not work...Request server variables returns NULL all the time and also, before the call to WebSecurity.Login, you are hard coding your user name. I assume that you did that because you also got a NULL value returned from Request Server variables.

Try using WindowsIdentity.GetCurrent().Name; instead.
QuestionRequest.ServerVariables["LOGON_USER"] returning blank entry in Home controller Pin
Member 278563225-Aug-13 23:33
memberMember 278563225-Aug-13 23:33 
GeneralMy vote of 5 Pin
Gun Gun Febrianza4-Jun-13 8:52
member Gun Gun Febrianza4-Jun-13 8:52 
GeneralMy vote of 5 Pin
iambics3-Jun-13 12:34
memberiambics3-Jun-13 12:34 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web04 | 2.8.171017.1 | Last Updated 4 Jun 2013
Article Copyright 2013 by sanjivksingh
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid