Merge pull request #927 from umbraco/temp-U4-7307

U4-7307 Windows Authentication prompts for Windows login after Umbrac…

src/Umbraco.Web/Security/Identity/AppBuilderExtensions.cs

@@ -171,9 +171,11 @@ namespace Umbraco.Web.Security.Identity
             app.Use(typeof(CookieAuthenticationMiddleware), app, options);
             app.UseStageMarker(PipelineStage.Authenticate);
             
-            //Then our custom middleware
+            //Then our custom middlewares
             app.Use(typeof(ForceRenewalCookieAuthenticationMiddleware), app, options);
             app.UseStageMarker(PipelineStage.Authenticate);
+            app.Use(typeof(FixWindowsAuthMiddlware));
+            app.UseStageMarker(PipelineStage.Authenticate);
 
             return app;
         }

src/Umbraco.Web/Security/Identity/FixWindowsAuthMiddlware.cs

@@ -0,0 +1,51 @@
+using System.Linq;
+using System.Security.Claims;
+using System.Security.Principal;
+using System.Threading.Tasks;
+using Microsoft.Owin;
+using Umbraco.Core;
+using Umbraco.Core.Security;
+
+namespace Umbraco.Web.Security.Identity
+{
+    /// <summary>
+    /// This is used to inspect the request to see if 2 x identities are assigned: A windows one and a back office one.
+    /// When this is the case, it means that auth has executed for Windows & auth has executed for our back office cookie
+    /// handler and now two identities have been assigned. Unfortunately, at some stage in the pipeline - I'm pretty sure
+    /// it's the Role Provider Module - it again changes the user's Principal to a RolePrincipal and discards the second
+    /// Identity which is the Back office identity thus preventing a user from accessing the back office... it's very annoying.
+    /// 
+    /// To fix this, we re-set the user Principal to only have a single identity: the back office one, since we know this is
+    /// for a back office request.
+    /// </summary>
+    internal class FixWindowsAuthMiddlware : OwinMiddleware
+    {
+        public FixWindowsAuthMiddlware(OwinMiddleware next) : base(next)
+        {
+        }
+
+        public override async Task Invoke(IOwinContext context)
+        {
+            if (context.Request.Uri.IsClientSideRequest() == false)
+            {
+                var claimsPrincipal = context.Request.User as ClaimsPrincipal;
+                if (claimsPrincipal != null
+                    && claimsPrincipal.Identities.Count() > 1
+                    && claimsPrincipal.Identities.Any(x => x is WindowsIdentity)
+                    && claimsPrincipal.Identities.Any(x => x is UmbracoBackOfficeIdentity))
+                {
+                    var backOfficeIdentity = claimsPrincipal.Identities.First(x => x is UmbracoBackOfficeIdentity);
+                    if (backOfficeIdentity.IsAuthenticated)
+                    {
+                        context.Request.User = new ClaimsPrincipal(backOfficeIdentity);
+                    }
+                }
+            }
+
+            if (Next != null)
+            {
+                await Next.Invoke(context);
+            }
+        }
+    }
+}

src/Umbraco.Web/Umbraco.Web.csproj

@@ -310,6 +310,7 @@
     <Compile Include="RequestLifespanMessagesFactory.cs" />
     <Compile Include="Scheduling\LatchedBackgroundTaskBase.cs" />
     <Compile Include="Security\Identity\ExternalSignInAutoLinkOptions.cs" />
+    <Compile Include="Security\Identity\FixWindowsAuthMiddlware.cs" />
     <Compile Include="Security\Identity\ForceRenewalCookieAuthenticationHandler.cs" />
     <Compile Include="Security\Identity\ForceRenewalCookieAuthenticationMiddleware.cs" />
     <Compile Include="Security\Identity\GetUserSecondsMiddleWare.cs" />