ASP.NET Mixed Forms/Windows Authentication

Question

I'm currently developing a MVC3 web application that needs to require extranet users to log in and be authenticated using Forms Authentication. Intranet users should be logged in automatically using Windows authentication.
I've found this article, http://aspalliance.com/553_Mixed_Mode_Authentication.all but it's dated Nov 2004 and like to find something written more recently than 7 years ago.

My plan is to have two applications in IIS, with virtual directories pointing at the same physical directory, but one will allow Anonymous Access and the other will not.

When a user is authenticated on the Windows/Intranet side of things, I hope to simply simulate the user logging in via forms authentication. Are there any pitfalls to this approach? Any better ideas?

EDIT: 7/22/2011

I'm using IIS7 which won't allow me to do many of the things suggested in the older articles. Due to authentication being integrated a bit tighter between IIS7 and the ASP.NET web sites, certain things aren't allowed. For example, I can't set Windows Auth on a single file while the rest of the application is using Forms Auth.

Answer 1

Wondering if the best approach here wouldn't be to have two applications where the first application uses windows authentication and consist solely of a hook to the PostAuthenticate event in the HTTP pipeline. If the user is authenticated, you give them a forms ticket and redirect to the target app, App2, which uses forms authentication. You have to be careful that the cookies are not path specific and also that the two apps reside on the same server (or that the encryption keys are synchronized in web.config). If the user is not authenticated, you simply redirect them without a an auth ticket and they login when the arrive at App2.

App1: www.myUrl.com\MyApp

This is the "public" url for the app and detects network users by hooking into the PostAuthenticate event (see Professional ASP.NET 2.0 Security, Membership, and Role Management):

//Hook PostAuthenticateRequest inside of global.asax
void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
    IPrincipal p = HttpContext.Current.User;

    if (p.Identity.IsAuthenticated)
    {
      // to do: give them a non-path specific ticket and redirect to App2
    }
}

App2: www.myUrl.com\MyApp2

This is the actual application. When network users arrive from App1, they'll already have a forms ticket. When non-network users arrive, they'll be redirected to login.aspx.

Notes: One downside of this would be if network users bookmark App2. I'm not quite sure how I would get around this. If they have a non-expiring cookie, it wouldn't matter too much. One option would be to put a link on the login page that says something like "I'm already a network user - log me in automatically", which would link back to App1, where they would get logged in?

I have some code to assist with issuing a forms ticket. I'll update the answer as I have time.

Note that you're going to have to do some fancy role-management footwork in App2 to handle the disparate role providers. That Amazon reference above is old, but I find myself constantly referencing it when I run into these kinds of custom Authentication and Authorization problems.