
This topic describes authentication approaches you can use with the Security System.

Active Directory Authentication

To add security support, start the Application Designer and drop the SecurityStrategyComplex component from the Visual Studio Toolbox to the designer’s Security pane.


This topic starts with Active Directory authentication. By default, the Security System automatically creates an administrative user for your current Windows account when this authentication type is in use. An XAF application does not store passwords, and identity checks are performed by Windows. User names are obtained via the WindowsIdentity object and look like COMPUTERNAME\UserName or DOMAINNAME\UserName. To enable Active Directory authentication, drop the AuthenticationActiveDirectory component onto the designer near the SecurityStrategyComplex.

If you use Entity Framework, add built-in security entities to your DbContext (a reference to the DevExpress.ExpressApp.Security.v22.1.dll assembly is required), and set the SecurityStrategy.UserType and SecurityStrategyComplex.RoleType properties to PermissionPolicyUser and PermissionPolicyRole, respectively. This step is not required for XPO.

using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy;
// ...
// Built-in security entities, declared as properties of your DbContext class:
public DbSet<PermissionPolicyRole> Roles { get; set; }
public DbSet<PermissionPolicyUser> Users { get; set; }
public DbSet<PermissionPolicyTypePermissionObject> TypePermissionObjects { get; set; }


Run the application to see that User and Role items are now added to the navigation, a user is created for your current Windows account and an Administrator role is associated with it. By default, an account is added automatically for each new user who runs the application (this behavior is convenient while debugging). In a production environment, you can disable autocreation by setting the AuthenticationActiveDirectory.CreateUserAutomatically option to false.



For deeper customization, you can handle the AuthenticationActiveDirectory.CustomCreateUser event. For instance, you can automatically create restricted accounts associated with a certain default role.
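
One way to implement the restricted-account idea above, as an added example that is not DevExpress's own code. The helper class name, the role name "Default", and the assumption that this non-administrative role was created in advance are hypothetical; the handler refuses to provision a user when the role is missing or administrative.

```csharp
using System;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp.Security;
using DevExpress.Persistent.BaseImpl.EF.PermissionPolicy;

// Hypothetical helper (not part of XAF): provisions auto-created
// Active Directory users with a restricted role instead of the default behavior.
public static class RestrictedUserProvisioning {
    // Assumption: a role with this name already exists in the application
    // database and carries only the permissions a new user should have.
    public const string DefaultRoleName = "Default";

    // Call once, for example from the application constructor after
    // InitializeComponent(), passing the AuthenticationActiveDirectory component.
    public static void Attach(AuthenticationActiveDirectory authentication) {
        if (authentication == null) throw new ArgumentNullException(nameof(authentication));
        authentication.CustomCreateUser += OnCustomCreateUser;
    }

    private static void OnCustomCreateUser(object sender, CustomCreateUserEventArgs e) {
        PermissionPolicyRole role = e.ObjectSpace.FindObject<PermissionPolicyRole>(
            new BinaryOperator("Name", DefaultRoleName));

        // Fail closed: never fall back to creating an unrestricted account
        // when the expected role is absent or has been made administrative.
        if (role == null || role.IsAdministrative) {
            throw new InvalidOperationException(
                "Cannot provision '" + e.UserName + "': role '" + DefaultRoleName +
                "' is missing or administrative.");
        }

        PermissionPolicyUser user = e.ObjectSpace.CreateObject<PermissionPolicyUser>();
        user.UserName = e.UserName;   // COMPUTERNAME\UserName or DOMAINNAME\UserName
        user.Roles.Add(role);

        e.User = user;      // hand the new user back to the Security System
        e.Handled = true;   // skip the built-in user creation logic
    }
}
```

For XPO, the same handler applies with the XPO versions of PermissionPolicyUser and PermissionPolicyRole.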

Active Directory and OAuth2 Authentication

You can extend your ASP.NET Core Blazor application with external authentication methods such as Windows Authentication and OAuth providers (Google, Azure, and GitHub). For more information, refer to the following help topic: How to: Use Active Directory and OAuth2 Authentication Providers in ASP.NET Core Blazor Applications.

Standard Authentication

Another out-of-the-box authentication type is AuthenticationStandard. It assumes that an internal XAF authentication is used, and user credentials are kept in the application’s database. To apply this authentication type, drag the corresponding item from the toolbox.


With Standard Authentication, the logon process is interactive and users are asked to provide credentials at startup. You will be required to create predefined roles and users manually in this instance.


You can also implement a custom authentication process. Refer to the How to: Use Custom Logon Parameters and Authentication topic to see an example.

Custom Authentication

The following examples demonstrate custom authentication implementations.