I've been developing an Angular app with .NET Core backend (services). The task is to enable an integrated authentication, i.e. make it work with the local user seamlessly, so I login to my (connected to a local AD) machine once and the web application lets me in without the necessity to login a second time. We've been working with Identity Server 4 and intended to implement this scenario using it.

There is a little documentation on the official website concerning the Windows Authentication (e.g. against Active directory): but it doesn't explain much. As per my info, to make this scenario work the browser utilizes either Kerberos or NTLM. Neither of them is mentioned in the IS4 docs. I'm lacking the understanding of how the local credentials are getting picked up and how IS4 'knows' the user belongs to AD? How I can make sure only the users from a specific domain have access to my app?

I found some working stuff here but questions remain the same. Even though I was able to get to the app with my local account I don't understand the flow.

I expect the user utilizing the app in the local network to log-in to the app without entering the login/password (once he's already logged in to the Windows). Is this something achievable?


Identity Server is intended to serve as an Identity Provider, if you need to talk with your AD you should see the Federation Gateway architecture they propose using the IAuthenticationSchemeProvider. Where Identity Server acts as an endpoint and talks with your AD.

This is the link:

You have the control to programmatically reach your AD and pass the correct credentials to get the authentication. That step should be done in your Identity Server. After you get authenticated you should get redirected to your application again. About your last question, the answer is yes, if you have your website hosted on an intranet and you have the access to your AD, you don't need to capture your credentials as user input, you can programmatically reach the AD as I said.

Bellow is the code I use to connect with my active directory

On the ExternalController class, you get when you use IdentityServer, you have this:(I don't remember at the top of my head how much I changed from the original code, but you should get the idea)

    /// <summary>
    /// initiate roundtrip to external authentication provider
    /// </summary>
    public async Task<IActionResult> Challenge(string provider, string returnUrl)
        if (string.IsNullOrEmpty(returnUrl)) returnUrl = "~/";

        // validate returnUrl - either it is a valid OIDC URL or back to a local page
        if (Url.IsLocalUrl(returnUrl) == false && _interaction.IsValidReturnUrl(returnUrl) == false)
            // user might have clicked on a malicious link - should be logged
            throw new Exception("invalid return URL");

        if (AccountOptions.WindowsAuthenticationSchemeName == provider)
            // windows authentication needs special handling
            return await ProcessWindowsLoginAsync(returnUrl);
            // start challenge and roundtrip the return URL and scheme 
            var props = new AuthenticationProperties
                RedirectUri = Url.Action(nameof(Callback)),
                Items =
                    { "returnUrl", returnUrl },
                    { "scheme", provider },

            return Challenge(props, provider);

private async Task<IActionResult> ProcessWindowsLoginAsync(string returnUrl)
            // see if windows auth has already been requested and succeeded
            var result = await HttpContext.AuthenticateAsync(AccountOptions.WindowsAuthenticationSchemeName);
            if (result?.Principal is WindowsPrincipal wp)
                // we will issue the external cookie and then redirect the
                // user back to the external callback, in essence, testing windows
                // auth the same as any other external authentication mechanism
                var props = new AuthenticationProperties()
                    RedirectUri = Url.Action("Callback"),
                    Items =
                        { "returnUrl", returnUrl },
                        { "scheme", AccountOptions.WindowsAuthenticationSchemeName },

                var id = new ClaimsIdentity(AccountOptions.WindowsAuthenticationSchemeName);
                id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.Identity.Name));
                id.AddClaim(new Claim(JwtClaimTypes.Name, wp.Identity.Name));

                // add the groups as claims -- be careful if the number of groups is too large
                if (AccountOptions.IncludeWindowsGroups)
                    var wi = wp.Identity as WindowsIdentity;
                    var groups = wi.Groups.Translate(typeof(NTAccount));
                    var roles = groups.Select(x => new Claim(JwtClaimTypes.Role, x.Value));

                await HttpContext.SignInAsync(
                    new ClaimsPrincipal(id),
                return Redirect(props.RedirectUri);
                // trigger windows auth
                // since windows auth don't support the redirect uri,
                // this URL is re-triggered when we call challenge
                return Challenge(AccountOptions.WindowsAuthenticationSchemeName);

If you want to use Azure AD, I would recommend you to read this article:


Not sure if it's what you want, but I would use the Active Directory Federation Services to configure an OAuth2 endpoint and obtain the user token in the .Net Core Web App.

Isn't NTLM authentication support limited on non Microsoft browsers?

OAuth2 have the advantage of using only standard technologies.


One way to do it is to have 2 instances of the app deployed. The first one is configured to use Windows Authentication and the other one uses IS4.


Your local DNS should redirect traffic internally from to will be the one configured to use AD authentication. You should have a flag in your appsettings.json to indicate if this instance is a AD auth or IS4 auth.

The downside of this solution is that you have to deploy 2 instances

