Setting up authentication

Once you integrate Kentico membership into your MVC project, you can implement actions that allow visitors to sign in and out of the website with Kentico user accounts.

Kentico user-related features

The following settings in Kentico affect authentication on MVC sites:

  • Only user accounts that are Enabled in Kentico can be used for authentication. Accounts that have the enabled flag disabled (either manually or due to an account lock) cannot sign in. You can manage the enabled status of users in the Users application within the Kentico administration interface.

  • Settings -> Security & Membership:

    • Share user accounts on all sites – if enabled, users from any site in the system can be used for authentication on MVC sites. Otherwise, users must be assigned to the corresponding MVC site (in the Users application).
    • Use site prefixes for user names – must be disabled. Site prefixes for user names are not compatible with authentication on MVC sites.

All other user-related settings and features are NOT supported for authentication on MVC sites. For example, successful authentication does not update the Last sign-in date in Kentico and failed authentication attempts are not tracked (e.g. for the purposes of account locking).

Use the following approach to develop sign-in actions:

Tip: To view the full code of a functional example, you can inspect and download the LearningKit project on GitHub. You can also run the LearningKit website by connecting the project to a Kentico database.

  1. Create a new controller class in your MVC project or edit an existing one.

  2. Prepare a property that gets an instance of the Kentico.Membership.SignInManager class for the current request – call HttpContext.GetOwinContext().Get<SignInManager>().

  3. Implement two sign-in actions – one basic GET action to display the sign-in form and a second POST action to handle the authentication when the form is submitted.

  4. Call the PasswordSignInAsync method of the SignInManager instance to authenticate users against the Kentico database (within the code of the POST action).

    
    
    
     using System;
     using System.Web;
     using System.Web.Mvc;
     using System.Threading.Tasks;
    
     using Microsoft.AspNet.Identity;
     using Microsoft.AspNet.Identity.Owin;
     using Microsoft.Owin.Security;
    
     using Kentico.Membership;
    
     using CMS.EventLog;
     using CMS.SiteProvider;
    
    
    
     
    Sign-in actions example
    
    
    
             /// <summary>
             /// Provides access to the Kentico.Membership.SignInManager instance.
             /// </summary>
             public SignInManager SignInManager
             {
                 get
                 {
                     return HttpContext.GetOwinContext().Get<SignInManager>();
                 }
             }
    
             /// <summary>
             /// Basic action that displays the sign-in form.
             /// </summary>
             public ActionResult SignIn()
             {
                 return View();
             }        
    
             /// <summary>
             /// Handles authentication when the sign-in form is submitted. Accepts parameters posted from the sign-in form via the SignInViewModel.
             /// </summary>
             [HttpPost]
             [ValidateAntiForgeryToken]
             [ValidateInput(false)]
             public async Task<ActionResult> SignIn(SignInViewModel model, string returnUrl)
             {
                 // Validates the received user credentials based on the view model
                 if (!ModelState.IsValid)
                 {
                     // Displays the sign-in form if the user credentials are invalid
                     return View();
                 }
    
                 // Attempts to authenticate the user against the Kentico database
                 SignInStatus signInResult = SignInStatus.Failure;
                 try
                 {
                     signInResult = await SignInManager.PasswordSignInAsync(model.UserName, model.Password, model.SignInIsPersistent, false);
                 }
                 catch (Exception ex)
                 {
                     // Logs an error into the Kentico event log if the authentication fails
                     EventLogProvider.LogException("MvcApplication", "SignIn", ex);
                 }
    
                 // If the authentication was not successful, displays the sign-in form with an "Authentication failed" message 
                 if (signInResult != SignInStatus.Success)
                 {
                     ModelState.AddModelError(String.Empty, "Authentication failed");
                     return View();
                 }
    
                 // If the authentication was successful, redirects to the return URL when possible or to a different default action
                 string decodedReturnUrl = Server.UrlDecode(returnUrl);
                 if (!string.IsNullOrEmpty(decodedReturnUrl) && Url.IsLocalUrl(decodedReturnUrl))
                 {
                     return Redirect(decodedReturnUrl);
                 }
                 return RedirectToAction("Index", "Home");
             }
    
    
    
     
  5. We recommend creating a view model for your sign-in action (SignInViewModel in the example above). The view model allows you to:

    • Pass parameters from the sign-in form (username, password, and sign-in persistence status).
    • Use data annotations to define validation and formatting rules for the sign-in parameters. See System.ComponentModel.DataAnnotations for more information about the available data annotation attributes.

To allow users to sign out on your website, extend your sign-in controller class:

  1. Prepare a property that provides access to the authentication middleware functionality (Microsoft.Owin.Security.IAuthenticationManager instance) – use the HttpContext.GetOwinContext().Authentication property.

  2. Add another action to handle sign-out requests.

  3. Call the SignOut(DefaultAuthenticationTypes.ApplicationCookie) method of the authentication manager to sign out the current user.

    Sign-out action example
    
    
    
             /// <summary>
             /// Provides access to the Microsoft.Owin.Security.IAuthenticationManager instance.
             /// </summary>
             public IAuthenticationManager AuthenticationManager
             {
                 get
                 {
                     return HttpContext.GetOwinContext().Authentication;
                 }
             }
    
             /// <summary>
             /// Action for signing out users. The Authorize attribute allows the action only for users who are already signed in.
             /// </summary>
             [Authorize]
             [HttpPost]
             [ValidateAntiForgeryToken]
             public ActionResult SignOut()
             {
                 // Signs out the current user
                 AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    
                 // Redirects to a different action after the sign-out
                 return RedirectToAction("Index", "Home");
             }
    
    
    
     

Finally, you need to design a user interface for the authentication logic:

  • Create a view for the SignIn action and display an appropriate sign-in form for your website. We recommend using a strongly typed view based on your sign-in view model.
  • Add a sign in button or link that targets the SignIn action (for example within your site’s main layout page).
  • Add a sign out button or link that targets the SignOut action.

Visitors can now sign in to your site with Kentico user accounts from the connected database. If you wish to allow users to register new accounts, see Enabling user registration.

Tip: When writing additional code or views for your website, you can access information about the currently authenticated user via the standard User.Identity object. For example, User.Identity.Name returns the username of the currently signed in user.

Ensuring the correct password format

If your Kentico application uses custom salt values when generating password hashes, you also need to set the same values for the MVC application. Authentication will always fail if the password hashes are not identical for both applications.

Check the appSettings section of your Kentico application’s web.config for the following keys:

  • CMSPasswordSalt
  • CMSUserSaltColumn (obsolete key used only for backward compatibility)

If either of the keys is present, copy them to the web.config of your MVC project.

See also: Setting the user password format