
How to add authentication to ASP.NET hosted ICS iCalendar for Outlook

I have an ASP.NET application which dynamically creates an ICS calendar (using the DDay.iCal library) which I can subscribe to from within Outlook. All is working fine, but I need to be able to secure the calendar so that only authenticated users can access it, i.e. when you add the URL to the calendar in Outlook, it needs to ask for a username and password.

Remember The Milk seem to have implemented what I need, but I cannot seem to find any information on how to achieve this myself.

David Masters asked Jul 17 '13 09:07


1 Answer

The article Chris provided as a comment was the solution.

What's required is to bypass Forms Authentication for certain requests and use Basic HTTP Authentication instead. This is then supported by Outlook (and potentially other agents, like web browsers).

This is achieved by using the MADAM HTTP module.

Steps:

1> Read the article to gain a basic understanding.

2> Install the MADAM NuGet package: PM> Install-Package madam

3> Implement your own IUserSecurityAuthority:

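e.g.

using System.Collections; // non-generic IDictionary
using Madam;              // namespace used by the type names in the web.config below

public class MadamUserSecurityAuthority : IUserSecurityAuthority
{
    public MadamUserSecurityAuthority()
    {

    }

    //This constructor is required
    public MadamUserSecurityAuthority(IDictionary options)
    {

    }

    public object Authenticate(string userName, object password, PasswordFormat format, IDictionary options, string authenticationType)
    {
        //_yourAuthenticationService is a placeholder for your own credential check.
        //A missing password is treated as a failed authentication.
        if (password != null && _yourAuthenticationService.isValid(userName, password.ToString()))
            return true;

        //Returning null means the authentication failed
        return null;
    }

    //Must match the realm attribute of <userSecurityAuthority> in the web.config
    public string RealmName
    {
        get { return "MADAM"; }
    }
}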

4> Add the following to your web config:

e.g.:

<sectionGroup name="madam">
    <section name="userSecurityAuthority" type="System.Configuration.SingleTagSectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    <section name="formsAuthenticationDisposition" type="Madam.FormsAuthenticationDispositionSectionHandler, Madam"/>
</sectionGroup>  

<madam>
    <formsAuthenticationDisposition>
        <discriminators all="true">
            <discriminator inputExpression="Request.Url" pattern="Calendar\.aspx" type="Madam.RegexDiscriminator"/>
        </discriminators>
    </formsAuthenticationDisposition>
    <userSecurityAuthority realm="MADAM" provider="YourAppAssembly.MadamUserSecurityAuthority, YourAppAssembly"/>
</madam>

<httpModules>
  <add name="FormsAuthenticationDisposition" type="Madam.FormsAuthenticationDispositionModule, Madam"/>
  <add name="AuthenticationModule" type="Madam.BasicAuthenticationModule, Madam"/>      
</httpModules>

Note 1:

<discriminator inputExpression="Request.Url" pattern="Calendar\.aspx" type="Madam.RegexDiscriminator"/>

...is used to identify which requests should bypass forms authentication and use basic HTTP authentication. This is done with Regex, and you can add multiple discriminators.

Note 2:

<userSecurityAuthority realm="MADAM" provider="YourAppAssembly.MadamUserSecurityAuthority, YourAppAssembly"/> 

...is where you configure your custom authentication provider (i.e. where you check credentials against your DB).

David Masters answered Oct 17 '22 06:10
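
The discriminator pattern in Note 1 has no anchors, so it can select more URLs than the calendar page itself. The following is an added example, not code from the answer or from MADAM; it assumes the discriminator does an unanchored regex match against the string form of Request.Url, and `DiscriminatorAudit`, `AnchoredPattern` and the example.test URLs are hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not MADAM code. Assumption: the discriminator applies its
// pattern to the string form of Request.Url as an unanchored regex match.
public static class DiscriminatorAudit
{
    // Pattern taken from the web.config in the answer above.
    public const string PagePattern = @"Calendar\.aspx";

    // Hypothetical tighter pattern: Calendar.aspx must be the final path
    // segment, followed only by an optional query string.
    public const string AnchoredPattern =
        @"^https?://[^/?#]+/(?:[^?#]*/)?Calendar\.aspx(?:\?[^#]*)?$";

    // True when a request for this URL would be switched from forms
    // authentication to Basic authentication under the given pattern.
    public static bool SwitchesToBasic(string pattern, string url)
    {
        return Regex.IsMatch(url, pattern, RegexOptions.CultureInvariant);
    }

    public static void Main()
    {
        // Constructed sample URLs; example.test is a placeholder host.
        string[] urls =
        {
            "https://example.test/Calendar.aspx",
            "https://example.test/feeds/Calendar.aspx?user=42",
            "https://example.test/Account.aspx?returnUrl=/Calendar.aspx",
            "https://example.test/MyCalendar.aspx",
            "https://example.test/Calendar.aspx.bak",
        };

        Console.WriteLine("{0,-8} {1,-8} {2}", "page", "anchored", "url");
        foreach (string url in urls)
        {
            Console.WriteLine("{0,-8} {1,-8} {2}",
                SwitchesToBasic(PagePattern, url),
                SwitchesToBasic(AnchoredPattern, url),
                url);
        }
    }
}
```

Rows where the two columns differ are requests that the original pattern moves to Basic authentication although they are not the calendar feed.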