I'm currently developing an MVC3 web application that needs to require extranet users to log in and be authenticated using Forms Authentication. Intranet users should be logged in automatically using Windows authentication.
I've found this article,
http://aspalliance.com/553_Mixed_Mode_Authentication.all
but it's dated Nov 2004 and I'd like to find something written more recently than 7 years ago.
My plan is to have two applications in IIS, with virtual directories pointing at the same physical directory, but one will allow Anonymous Access and the other will not.
When a user is authenticated on the Windows/Intranet side of things, I hope to simply simulate the user logging in via forms authentication. Are there any pitfalls to this approach? Any better ideas?
EDIT: 7/22/2011
I'm using IIS7 which won't allow me to do many of the things suggested in the older articles. Due to authentication being integrated a bit tighter between IIS7 and the ASP.NET web sites, certain things aren't allowed. For example, I can't set Windows Auth on a single file while the rest of the application is using Forms Auth.
Wondering if the best approach here wouldn't be to have two applications where the first application uses Windows authentication and consists solely of a hook to the PostAuthenticate event in the HTTP pipeline. If the user is authenticated, you give them a forms ticket and redirect to the target app, App2, which uses forms authentication. You have to be careful that the cookies are not path specific and also that the two apps reside on the same server (or that the encryption keys are synchronized in web.config). If the user is not authenticated, you simply redirect them without an auth ticket and they log in when they arrive at App2.
App1: www.myUrl.com\MyApp
This is the "public" url for the app and detects network users by hooking into the PostAuthenticate event (see Professional ASP.NET 2.0 Security, Membership, and Role Management):
    // Hook PostAuthenticateRequest inside of global.asax
    void Application_PostAuthenticateRequest(Object sender, EventArgs e)
    {
        // By this point IIS/Windows authentication has already populated the request principal
        IPrincipal p = HttpContext.Current.User;
        if (p.Identity.IsAuthenticated)
        {
            // to do: give them a non-path specific ticket and redirect to App2
        }
    }
App2: www.myUrl.com\MyApp2
This is the actual application. When network users arrive from App1, they'll already have a forms ticket. When non-network users arrive, they'll be redirected to login.aspx.
Notes: One downside of this would be if network users bookmark App2. I'm not quite sure how I would get around this. If they have a non-expiring cookie, it wouldn't matter too much. One option would be to put a link on the login page that says something like "I'm already a network user - log me in automatically", which would link back to App1, where they would get logged in?
I have some code to assist with issuing a forms ticket. I'll update the answer as I have time.
Note that you're going to have to do some fancy role-management footwork in App2 to handle the disparate role providers. That Amazon reference above is old, but I find myself constantly referencing it when I run into these kinds of custom Authentication and Authorization problems.
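The two-application hand-off described in this answer, written out as an added example (this is not the answerer's code, and the answer's own ticket-issuing code was never posted). It assumes App2 lives at `/MyApp2/` on the same host, that both web.config files share the same `machineKey` and the same forms cookie name (the default `.ASPXAUTH`), and that a `UserData` marker of `"windows"` is what App2 uses to tell network users from forms-login users; all of those names are assumptions, not taken from the answer.

```csharp
// Added example: App1 (Windows-authenticated) issues a forms ticket that App2 can read.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class App1Global : HttpApplication
{
    // Assumed location of the forms-authenticated application on the same host.
    private const string App2Url = "/MyApp2/";

    // Assumed marker stored in the ticket so App2 knows the user came in via Windows auth.
    private const string WindowsOrigin = "windows";

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal p = Context.User;
        if (p == null || !p.Identity.IsAuthenticated)
        {
            // Not a network user: send them on with no ticket; App2 will show login.aspx.
            RedirectWithoutAbort(App2Url);
            return;
        }

        // Ticket is issued in the Windows identity's name (e.g. DOMAIN\jdoe).
        // The last argument is the cookie path: "/" so the cookie is not path specific
        // and the browser will present it to App2 as well as App1.
        var ticket = new FormsAuthenticationTicket(
            1,                              // version
            p.Identity.Name,                // user name
            DateTime.Now,                   // issued
            DateTime.Now.AddMinutes(30),    // expires (not persistent: bookmarkers re-enter via App1)
            false,                          // isPersistent
            WindowsOrigin,                  // userData: origin marker for App2's role lookup
            "/");                           // cookiePath

        // Encrypt/sign with the machineKey; App2 can only decrypt this if its
        // web.config carries the same validationKey/decryptionKey.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            Path = "/",                           // shared across both virtual directories
            HttpOnly = true,                      // keep the ticket out of reach of page script
            Secure = Request.IsSecureConnection   // only send over TLS when the hand-off used TLS
        };
        Response.Cookies.Add(cookie);

        RedirectWithoutAbort(App2Url);
    }

    // Redirect without the ThreadAbortException that Response.Redirect(url, true) raises
    // inside pipeline events; CompleteRequest skips the remaining pipeline stages instead.
    private void RedirectWithoutAbort(string url)
    {
        Response.Redirect(url, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// Added example: App2 side, reading the origin marker back out of the forms ticket so the
// "fancy role-management footwork" can pick the Windows role source for network users.
public static class App2TicketOrigin
{
    private const string WindowsOrigin = "windows"; // must match the value App1 writes

    // Returns true when the current forms identity was minted by App1 from a Windows logon.
    public static bool CameFromWindowsAuth(IPrincipal user)
    {
        var formsIdentity = user?.Identity as FormsIdentity;
        if (formsIdentity == null || !formsIdentity.IsAuthenticated)
        {
            return false;
        }
        return string.Equals(formsIdentity.Ticket.UserData, WindowsOrigin, StringComparison.Ordinal);
    }
}
```

Two things to check when wiring this up: the `<forms name="...">` attribute and the `<machineKey>` element must be identical in both web.config files, or App2 will silently treat the cookie as invalid and bounce the user to login.aspx; and because App1 trusts whatever Windows identity IIS hands it, App1 is the place where anonymous access must stay disabled, otherwise the `IsAuthenticated` check never sees a Windows principal.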