IIS7 and Authentication problems

Question

i've got a stock standard ASP.NET web site, deployed to our development machine (internal machine in our server room).

Now, this dev site can be accessed by both INTERNAL and EXTERNAL users. Now, in IIS6 we used to have it so that Anonymous Authentication was turned off and something else was turned on .. giving the users a popup model box for username and password. I think they had to type some username or password that was defined in a web.config file? (not their website account username/password)/

Now, with IIS7, when i turn Anon Auth off, and turn on Basic or Windows Auth, i get access to the site BUT it's trying to log me in with those credentials .. and not the account the user signed up with (using some stock standard asp.net webform page).

So ... is it possible to 'lock' the entire site and get the testers to get general access to the site .. which is different to their website username and password. Those usernames and passwords are for use in the site instead.

does that make sense?

cheers!

---

<authentication mode="Forms">
    <forms loginUrl="~/Pages/Login.aspx" protection="Validation" timeout="1000000000" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx">
    </forms>
</authentication>

there is no authorization section.

also, when i add 'Digest Auth' to iis7 and enable that (and disable everythign else), i get the pop up window (kewl!) but i'm not sure what credentials i need to pass in. Where can i define those credentials manually (so they are seperate from the website's users) ??

Answer 1

IIS7 integrated mode does not support the two phase authentication that IIS6 does. Basically, IIS6 would perform its authentication (windows), followed by asp.net performing its authentication (forms). But with IIS7, everything is equal in integrated mode, so you can only have one or the other authentication methods.

You can either convert the app pool to use classic mode or follow this workaround to get it working with Integrated mode.