Redirecting specific user accounts to a login page when using windows authentication in MVC3 application

I am working on an application using .Net MVC3. I have it all working OK using Windows开发者_如何转开发 authentication and Active Directory for the logins. It's an intranet based application.

The problem is we have a login which is used by multiple people in one department.

I would like to be able to have that account redirected to a login page so that I can prompt for a different username and password but can't seem to find a way to make that happen with Windows authentication. If there is I just can't see where in MVC to make that take place.

I've tried using Forms authentication with AD instead but we don't want everyone to have to login, just that one account. It's a business decision that I don't see changing unfortunately!

Using authorize attributes on the controllers isn't suitable in this case either as all the controllers can be accessed by any user or group.

The suggestions I've seen seem to revolve around mixing Windows and Forms authentication for internal and external accounts but all our accounts are in AD in this case.

Is there any way to pull this off?

Mark

That sounds tough, cos if all users and groups can access all areas, then the people could just use an individual URL, so you'd have to cover any URL being entered.

Can you add another group for that specific user?

And when you want to redirect them to another login page, do you mean a page into which they are going to enter more AD credentials?

And do you meant hat multiple people in one department are logged in to multiple machines using one AD account between them? Cos that sounds very bad!

I would recommend having a class where you get the user's name who is logged in using Windows Authentication like so:

WindowsIdentity identity = HttpContext.Current.Request.LogonUserIdentity;

You can then use this to check if it's the master user everyone is using. If so, log that user out. On log out, redirect the user to a login page where they have to use their new login. You could even send a status message with it.

Now you can either modify the Authorize Attribute class OR just write your own custom one and call it on every page that requires login (which is not ideal).