Skip to main content
A newer version of this page is available. .


  • 3 minutes to read

This topic describes authentication approaches you can use with the Security System.

Active Directory Authentication

To add security support, start the Application Designer and drop the SecurityStrategyComplex component from the Visual Studio Toolbox to the designer’s Security pane.


In this topic, we will start by using the Active Directory authentication. By default, the Security System automatically creates an administrative user for your current Windows account when this authentication type is in use. An XAF application does not store passwords and identity checks are performed by Windows. User names are obtained via the WindowsIdentity object, and look like COMPUTERNAME\UserName or DOMAINNAME\UserName. To enable Active Directory authentication, drop the AuthenticationActiveDirectory component to the designer near the SecurityStrategyComplex.

If you use Entity Framework, add built-in security entities to your DbContext (a reference to the DevExpress.ExpressApp.Security.v18.2.dll assembly is required), and set the SecurityStrategy.UserType and SecurityStrategyComplex.RoleType properties to PermissionPolicyUser and PermissionPolicyRole, respectively. This step is not required for XPO.

using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy;
// ...
public DbSet<PermissionPolicyRole> Roles { get; set; }
public DbSet<PermissionPolicyUser> Users { get; set; }
public DbSet<PermissionPolicyTypePermissionObject> TypePermissionObjects { get; set; }


Run the application to see that User and Role items are now added to the navigation, a user is created for your current Windows account and an Administrator role is associated with it. By default, an account is added automatically for each new user who runs the application (this behavior is convenient while debugging). In a production environment, you can disable auto-creation by setting the AuthenticationActiveDirectory.CreateUserAutomatically option to false.



For deeper customization, you can handle the AuthenticationActiveDirectory.CustomCreateUser event. For instance, you can automatically create restricted accounts associated with a certain default role.

Standard Authentication

Another out-of-the box authentication type is AuthenticationStandard. It assumes that an internal XAF authentication is used, and user credentials are kept in the application’s database. To apply this authentication type, drag the corresponding item from the toolbox.


With Standard Authentication, the logon process is interactive and users are asked to provide credentials at startup. You will be required to create predefined roles and users manually in this instance.


You can also implement a custom authentication process. Refer to the How to: Use Custom Logon Parameters and Authentication to see an example.

In Mobile applications, specify an existing user with administrative permissions in the SetLogonParametersForUIBuilder method in the MobileApplication.cs (MobileApplication.vb) file.

protected override void SetLogonParametersForUIBuilder(object logonParameters) {
    ((AuthenticationStandardLogonParameters)logonParameters).UserName = "Sam";
    ((AuthenticationStandardLogonParameters)logonParameters).Password = "";

Custom Authentication

The following examples demonstrate the custom authentication implementations.