Mixing windows & forms authentication

I came across a situation today where I needed to mix two different authentication types on ASP.net MVC 4 application. The reason for this being that the client requirements, that although they use Active Directory they did not want to manage roles and responisbilities in an application through Active Directory. They still wanted the ability for administrators defined in an application to manage roles and access.

I experimented a little on how to achieve this, and the following is a solution I came up with.

I created an ASP.net MVC 4 application and enabled it with Windows Authentication. I then created a class within the application to inherit from the WindowsPrincipal.

I also created a Principal Serializable model class, which we will use to serialise the data to JavaScript

I created an interface for a basic security serviceĀ  that will be used to get the role data from the database.

The concrete implementation of the class, is a really simple class that just gets some values from the database. I used the repository pattern for this.

We’ll be using Unity as IOC container, so just some simple Set up ocde to set up our dependencies i.e. Security Service and Repositories, so we’ll just wire up unity


In the Global asax I implemented the code within the WindowsAuthentication_OnAutenticate method

I also implemented a Security Attribute

This code is not entirely production ready at this point, and I still need to put it through some more tests.

Gary Woodfine

Freelance Full Stack Developer at threenine.co.uk
Helps businesses by improving their technical proficiencies and eliminating waste from the software development pipelines.

A unique background as business owner, marketing, software development and business development ensures that he can offer the optimum business consultancy services across a wide spectrum of business challenges.

Latest posts by Gary Woodfine (see all)

  • Charlie Christiansen

    Hi Gary

    I kinda need to do this also, got any further with it?

    • Hi Charlie,

      The solution I defined there worked for me.
      I think the only I omitted from the article was how I set up my IOC container with my implementation of the ISecurityService