For context: I am working with a .NET Framework 4.6.1 ASP.NET app deployed in IIS. Inside the app we had implemented SSO authentication with Kerberos (the flow with HTTP 401 and a `WWW-Authenticate: Negotiate` header in the response, which is intercepted by someone in between the app server and the browser; however, I do not understand who this interceptor is, and cannot debug it).
The issue is that right after I reset the session, I see in the logs that during processing of the first following request, the value of `HttpContext.Current.User.Identity.Name` already exists (and it is the wrong value, representing the Active Directory or Windows username, not the username we are using inside the application). I can't see any data looking like this username in the request in the browser's Network tab.
I tried to perform a session reset on the client side (clearing the cookie in the browser) and on the server side by calling an API that executes:

```csharp
FormsAuthentication.SignOut();
httpContext.Session.Clear();
httpContext.Session.Abandon();
Roles.DeleteCookie();
```
I also see a configuration item in `web.config` that I do not understand: `defaultProxy`.
So, where does the value of `Identity.Name` come from? How can I make ASP.NET finally forget it? How can this value be matched with the request even before I get any session cookie?
P.S. In my local environment, without that Kerberos thing, I am not facing this issue: the `HttpContext.Current.User.Identity.Name` value stays empty until authentication is completed.
UPD: I managed to find out the origin of this value. It comes from Windows authentication (NTLM), which is enabled in this funny app, and Kerberos sits on top of it. Now I am looking for a way to override the Identity value after Kerberos authentication. Is it possible?