I'm interested in porting my .NET MVC app to .NET Core MVC and using Kestrel as my web server.
I know that Kestrel itself doesn't support Windows Authentication; can anyone suggest ideas on using IIS as an intermediary for WA?
For example, a user hits a page on the IIS server to check credentials -> the page sends an AES-encrypted key with specific user/domain info to my Kestrel server page to verify identity. Maybe fetching this information through an AJAX call would work too.
Does this example seem reasonable from a performance/security point of view?
I decided to go ahead and build this by:
1) Building a .NET Core app on IIS with Windows Authentication enabled,
2) Passing an AES-encrypted string with the user information + other information via URL to my Kestrel server Core apps,
3) The Core apps decrypt the key and check that it is still valid and that the user info is valid,
4) Passing the encrypted string to a TempData cookie and reloading the URL without the string so the user does not see any of the URL garbage.
This seems to work well, and the user doesn't see any indication via URL of any kind of authentication string, so I am now able to use any number of Kestrel servers independent of IIS, only using IIS for the Windows Authentication where needed.
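
The hand-off in steps 2 and 3, as an added example that is not the poster's code: the token is sealed with AES-256-GCM (a mode chosen here, since the post only says "AES") so that the Kestrel side rejects a modified or expired string instead of decrypting it into something else. `HandoffToken`, `Issue`, `Validate`, the token layout and the sample account name are hypothetical, and the code assumes .NET 8 or later and a 32-byte key shared between the IIS app and the Kestrel apps.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Text;

// Constructed demo values; in practice the 32-byte key is shared out of band.
byte[] key = RandomNumberGenerator.GetBytes(32);
var now = DateTimeOffset.UtcNow;
string token = HandoffToken.Issue(key, @"CONTOSO\alice", now.AddSeconds(30));
Console.WriteLine(HandoffToken.Validate(key, token, now) ?? "rejected");
Console.WriteLine(HandoffToken.Validate(key, token, now.AddMinutes(5)) ?? "rejected");
string forged = (token[0] == '0' ? "1" : "0") + token[1..];
Console.WriteLine(HandoffToken.Validate(key, forged, now) ?? "rejected");

// Hypothetical helper for illustration, not an ASP.NET Core API.
public static class HandoffToken
{
    const int NonceLen = 12, TagLen = 16;
    // IIS side: seal "expiry (8 bytes) || user name" under AES-256-GCM.
    public static string Issue(byte[] key, string user, DateTimeOffset expires)
    {
        byte[] name = Encoding.UTF8.GetBytes(user);
        byte[] plain = new byte[8 + name.Length];
        BinaryPrimitives.WriteInt64BigEndian(plain, expires.ToUnixTimeSeconds());
        name.CopyTo(plain, 8);
        byte[] raw = new byte[NonceLen + plain.Length + TagLen];
        RandomNumberGenerator.Fill(raw.AsSpan(0, NonceLen)); // fresh nonce per token
        using var gcm = new AesGcm(key, TagLen);
        gcm.Encrypt(raw.AsSpan(0, NonceLen), plain,
                    raw.AsSpan(NonceLen, plain.Length), raw.AsSpan(NonceLen + plain.Length));
        return Convert.ToHexString(raw); // hex is URL-safe without further escaping
    }
    // Kestrel side: user name, or null if malformed, tampered with or expired.
    public static string? Validate(byte[] key, string token, DateTimeOffset now)
    {
        try
        {
            byte[] raw = Convert.FromHexString(token);
            if (raw.Length < NonceLen + 8 + TagLen) return null;
            byte[] plain = new byte[raw.Length - NonceLen - TagLen];
            using var gcm = new AesGcm(key, TagLen);
            gcm.Decrypt(raw.AsSpan(0, NonceLen), raw.AsSpan(NonceLen, plain.Length),
                        raw.AsSpan(NonceLen + plain.Length), plain);
            if (now.ToUnixTimeSeconds() >= BinaryPrimitives.ReadInt64BigEndian(plain)) return null;
            return Encoding.UTF8.GetString(plain, 8, plain.Length - 8);
        }
        catch (Exception e) when (e is FormatException or CryptographicException) { return null; }
    }
}
```

Keeping the expiry short limits how long a token copied from a URL or an access log stays usable, since nothing in this sketch prevents a still-valid token from being presented twice.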