IIS Windows Authentication before Anonymous

I have a website that I would like to allow both Forms and Windows Auth for. My problem is that it seems that when you set up IIS to allow both anonymous (required for forms auth) and Windows auth, the browser won't send the user's network credentials.

It just uses the anonymous login. Is there any way, either in IE8 or IIS, to have it try Windows Auth first and then fall back to Anonymous?

Thanks for any help.

Phill asked Jan 15 '10 00:01


1 Answer

You can't ask for HTTP authentication (whether that's Basic Authentication or Integrated Windows Authentication) without causing the authentication dialogue box to pop in the case where there are no credentials yet.

So in general for hybrid HTTP-auth+cookie-auth approaches you enable both anonymous and authenticated access for the bulk of the site, but allow only authenticated access to one particular script.

When the user accesses a page without either kind of auth, you spit out a page with a login form for the cookie-based auth, and also a link to the one URL that allows only authenticated access. The user can fill out the form for cookies & forms auth, or hit the link to log in with HTTP auth instead.

If the user follows that link, they will be given a 401 response and must provide HTTP authentication, either through the auth dialog, or potentially automatically using integrated Windows authentication. Once this has happened once, the browser will start submitting the same credentials to every future page, so IIS will decode the credentials to give you the expected REMOTE_USER when your main site scripts are run.

Browsers will only submit the credentials to pages in the same directory as the 401 script, or subdirectories of this. For this reason it is best to put the HTTP-auth-required script in the root, for example as /login.aspx.

However, there are a few browsers that won't automatically submit credentials for further pages, and require every HTTP request to respond 401 first, before sending the request again with credentials. This makes optional-auth and hybrid-auth schemes impossible (as well as making browsing of protected sites much slower!). The only modern browser that does this is Safari. You may not care, as Safari's support for Integrated Windows Authentication has traditionally been shaky anyway, and it can still use the forms+cookies auth type.

bobince answered Nov 02 '22 16:11
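As an added example (not code from the question or the answer), this is what the split the answer describes looks like in an IIS 7+ `web.config`: anonymous and Windows authentication both on for the site, anonymous switched off only for `/login.aspx` at the root so the browser reuses the credentials for every path beneath it. The `appcmd unlock` step is an assumption about the default server-level section lock; the path name is the one given in the answer.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  By default applicationHost.config locks the authentication sections, so a
  site-level web.config cannot override them until an administrator runs
  (assumed defaults; adjust if your server has already unlocked them):
    %windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/authentication/anonymousAuthentication
    %windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/authentication/windowsAuthentication
-->
<configuration>
  <!-- Site-wide: anonymous stays on so the forms login page can be served to
       users with no credentials; Windows auth stays on so a browser that has
       already authenticated once keeps sending its credentials on later requests,
       and IIS populates REMOTE_USER for those requests. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>

  <!-- The single URL that forces the 401 challenge: anonymous off, Windows auth on.
       It sits at the site root because browsers only reuse the credentials for the
       challenging script's directory and its subdirectories. Keep this the only
       path with anonymous disabled; widening it reintroduces the dialog for every
       user who has no domain credentials. -->
  <location path="login.aspx">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

After a successful hit on `/login.aspx`, the page can read the authenticated identity (for example `Request.ServerVariables["LOGON_USER"]`) and redirect back to the originally requested URL; a request arriving there with an empty `LOGON_USER` is the signal to render the forms login page instead.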