Urgent - need help with logging anonymous and Active Dir users without login form

pv
Hi everyone,

I need help with the following scenario, please:

Users are accessing the same web server from the intranet (users previously
authenticated in Active Directory) and from the extranet (common public users). If
the user is from the intranet, the web server should recognize it and the application should
create additional options in controls according to the groups the user belongs to.
If the user is from the extranet they should be logged in as anonymous and a link to
the login page should be created. The goal is to have the login page only when the user
requests it.

I have tried to achieve this by using both windows and forms authentication
but I still did not find the way to avoid IIS login form.

Thanks in advance.

PV

P.S. I already posted this to microsoft.public.dotnet.framework.security but
no answers so far
Nov 19 '05 #1
I'll lay out what we did to resolve a nearly identical situation...the only
difference being we're a government agency with several other agencies'
networks behind the same firewall. Users on our agency network are
automatically logged in to our intranet. Users from the other agencies
access our intranet as anonymous...or they can optionally set up a portal
account on our intranet and log in using that (we can then use that account
to assign additional intranet access for them). To accomplish this we use
forms authentication for everything. We determine if a user is in our
domain and if they are we use that information to automatically create the
forms authentication ticket. If the user is not in our domain they can
still access our intranet as anonymous and have the option to log in (using a
web page or web user control) which will then fill in the forms
authentication ticket.

Here are the steps to accomplish this:
***************
Disclaimer: Examples are not the exact code from our system: in our system
it's all classed out and compartmentalized...so I've typed in code which
should approximate what we do...enough so to give you the concepts. I guess
I could probably write an article on the concept with the exact
code....maybe someday.
***************

(1) Use Forms Authentication for everything.
If you want this authentication to apply to all web apps on your intranet
(single sign-on) you should set the forms authentication and machine key
once in a root web.config file and then leave them out of all web.configs for
apps under the intranet.

    <machineKey validationKey="AutoGenerate"
                decryptionKey="AutoGenerate" validation="3DES"/>
    <authentication mode="Forms">
        <forms name=".ASPXAUTH" loginUrl="/login.aspx" protection="All"
               timeout="60" slidingExpiration="true" />
    </authentication>

Note: the /login.aspx in the forms element above is the login page
used by the users outside your domain.

(2) Create a sub folder on the web which will use NT authentication.
In IIS turn off anonymous access to this folder.

(3) In this subfolder create an ASP.NET page (if you have a root web project
this page can be part of the root web project...otherwise you will need to
create a new web project in this subfolder).
This ASP.NET page (let's call it NTLogin.aspx) will have no HTML content,
just code-behind. In the Page_Load event you will get the Windows account
information and write it into the forms authentication ticket, then redirect
the user back to the page whose access initiated the login request.

example:

    Imports System.Security.Principal
    Imports System.Web.Security

    Private Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.Load
        ' Windows account of the caller (anonymous access is off for this folder)
        Dim userName As String = WindowsIdentity.GetCurrent().Name
        ' strip the DOMAIN\ prefix, keep only the account name
        userName = userName.Substring(userName.IndexOf("\") + 1)
        ' Dim accountSystem As New DataAccess.Users   ' our own data-access class; not used below
        ' issue the forms authentication ticket for this Windows user
        FormsAuthentication.SetAuthCookie(userName, False)

        ' send the user back to the page that triggered the login
        Dim url As String
        If (Request.Params("ReturnURL") Is Nothing) = False Then
            url = Request.Params("ReturnURL")
        Else
            url = Request.Url.AbsoluteUri
        End If
        Response.Redirect(url)
    End Sub

(4) For the above NTLogin.aspx page set the web.config to use impersonation
and allow all users.
example:

    <location path="/NTSecurity/NTLogon.aspx">
        <system.web>
            <identity impersonate="true" />
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>

(5) In the global.asax code of your app, we're going to add code to
a) Check if the client is authenticated. If not, then continue on with
the steps below.
b) Do a DNS lookup on the client computer accessing the app and see
if that DNS name is in our domain,
i.e. if the client computer is named Accounting1 and your domain is
Acme100
the computer's DNS name is going to be Accounting1.Acme100.
We'll look to see if Acme100 is part of the computer's DNS name.
c) If the client is in our domain we redirect them to the above
NTLogin.aspx page,
passing the current requested URL so we can return to it.
This is using what we did in steps 2 - 4.
d) If the client is not authenticated let them through; they will be
anonymous.

Example of code to do all of this (in global.asax, in the AuthenticateRequest event):

    Imports System.Net

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' (a) already authenticated: nothing to do
        If Request.IsAuthenticated Then Return

        Dim isDomainUser As Boolean = False
        ' (b) check if the client computer is coming from our network
        Try
            Dim clientIPAddress As IPAddress = IPAddress.Parse(Request.UserHostAddress)
            Dim dnsName As String = Dns.GetHostByAddress(clientIPAddress).HostName
            ' list of domains a user could come from;
            ' if the network has only one domain just do the IndexOf without a For Each
            Dim dnsMask As String() = {"mydomain1", "mydomain2"}
            For Each mask As String In dnsMask
                If dnsName.IndexOf(mask) >= 0 Then
                    isDomainUser = True
                End If
            Next
        Catch ex As Exception
            ' reverse lookup failed: treat the client as outside our domain
        End Try

        ' (c) client is coming from our network, redirect them to the
        ' autologin page (unless this request already is the autologin page)
        If isDomainUser Then
            Dim url As String = "/NTSecurity/NTLogon.aspx"
            If Request.Url.ToString().IndexOf(url) < 0 Then
                If Not IsNothing(Request.Params("ReturnURL")) Then
                    url &= "?ReturnURL=" & Request.Params("ReturnURL")
                End If
                Response.Redirect(url)
            End If
        ' (d) If you **always** want to force anonymous users to a login
        ' page add an Else statement with code to direct them to the login page.
        End If
    End Sub
Hope this helps some. I'm sure it's not the only solution but it has worked
well for us for several years now.
Nov 19 '05 #2
pv
Hi Brad,

Thanks for the tip!

I have tried your solution and I could not make it work. But combining my old
solution and yours actually worked. My solution is based on Windows
authentication with an anonymous user. The only thing I missed was how to be sure
that the user is coming from the intranet or from the extranet. So, the part of your
code regarding DNS was the missing link ;-)

If you (or anyone else) are interested in the complete solution I can post it
here or send it to you by email. Here is only a brief description.

Best regards,

PV

Solution in brief; not completed, optimized or commented yet.

----------------------------------------------

IIS settings:

Anonymous access: turned ON
Account used for anonymous access: DOMAIN\iisauth (new domain account
whose only purpose is anonymous access)
Password: of course the password of the 'iisauth' user
Allow IIS to control password: turned OFF
Integrated Windows authentication: ON

Web.config:

    <configuration>
        <appSettings>
            <add key="DOMAIN_NAME" value="DOMAIN" />
            <add key="ANONYMOUS_IISAuth" value="iisauth"/>
        </appSettings>
        ...
        <system.web>
            ...
            <identity impersonate="true" />
            <authentication mode="Windows"/>
            <authorization>
                <deny users="?" />
                <allow users="*" />
            </authorization>
            ...
        </system.web>
    </configuration>

Global.asax.cs:

    using System;
    using System.Configuration;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Security;

    public class Global : HttpApplication
    {
        private string DOMAIN_NAME =
            ConfigurationSettings.AppSettings["DOMAIN_NAME"];

        private string ANONYMOUS_IISSpirelloAuth =
            ConfigurationSettings.AppSettings["ANONYMOUS_IISAuth"];

        private FormsAuthenticationTicket _authTicket;

        // ...

        protected void Application_AuthenticateRequest(Object sender, EventArgs e)
        {
            SetCurrentAuthUser();
        }

        // ...

        private void SetCurrentAuthUser() // set user from cookie
        {
            if (!User.Identity.IsAuthenticated)
            {
                string cookieName = FormsAuthentication.FormsCookieName;
                HttpCookie authCookie = Context.Request.Cookies[cookieName];

                if (authCookie != null)
                {
                    FormsAuthenticationTicket authTicket = null;
                    try
                    {
                        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
                    }
                    catch (Exception)
                    {
                        return;   // cookie cannot be decrypted: leave the request unauthenticated
                    }

                    if (authTicket == null)
                    {
                        return;
                    }

                    SetContextUser(authTicket);
                }
                else
                {
                    // no ticket yet: is this request running as the IIS anonymous account?
                    if (WindowsIdentity.GetCurrent().Name ==
                        DOMAIN_NAME + "\\" + ANONYMOUS_IISSpirelloAuth)
                    {
                        SetAuthCookie(DOMAIN_NAME + "\\" + ANONYMOUS_IISSpirelloAuth);

                        bool isDomainUser = false;
                        // Check if client computer is coming from our network
                        try
                        {
                            System.Net.IPAddress clientIPAddress =
                                System.Net.IPAddress.Parse(Request.UserHostAddress);
                            string dnsName =
                                System.Net.Dns.GetHostByAddress(clientIPAddress).HostName;

                            // create a list of domains the user could come from.
                            // if the network has only one domain then just do the IndexOf without a foreach
                            string[] mask = new string[] {"localhost", "DOMAIN", "domain"};
                            foreach (string dnsMask in mask)
                            {
                                if (dnsName.IndexOf(dnsMask) >= 0)
                                    isDomainUser = true;
                            }
                        }
                        catch (Exception)
                        {
                            // reverse lookup failed: treat the client as outside our domain
                        }

                        if (!isDomainUser)
                            SetContextUser(_authTicket);
                    }
                }
            }
        }

        private void SetContextUser(FormsAuthenticationTicket authTicket)
        {
            GenericIdentity id = new GenericIdentity(authTicket.Name, "LdapAuthentication");
            string[] groups = new String[] {"everyone"};
            GenericPrincipal principal = new GenericPrincipal(id, groups);
            Context.User = principal;
        }

        private void SetAuthCookie(string userName) // bind auth cookie
        {
            FormsAuthenticationTicket authTicket =
                new FormsAuthenticationTicket
                (
                    1,                              // version
                    userName,
                    DateTime.Now,
                    DateTime.Now.AddMinutes(60),
                    false,
                    userName                        // group actually
                );
            _authTicket = authTicket;

            string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
            HttpCookie authCookie =
                new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
            Response.Cookies.Add(authCookie);
        }
    }
Nov 19 '05 #3
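Both Brad's step (5b) and the same loop in pv's SetCurrentAuthUser decide "intranet or not" by asking whether a domain token appears anywhere in the client's reverse-DNS name (IndexOf >= 0). The script below is an added example, not code from either post and not ASP.NET: it runs that classification offline in Python, places the thread's substring test next to a suffix test that only accepts names under the domain, and adds a check that the source address actually lies in an internal range, so a reverse name alone cannot promote a request to intranet status. The address ranges, the acme100.local suffix and the sample hostnames are constructed placeholders, not values from the thread.

```python
import ipaddress
import socket

# Constructed placeholders (assumptions, not values from the thread): the address
# ranges that count as "our network" and the AD DNS suffix intranet hosts resolve into.
INTRANET_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
DOMAIN_SUFFIXES = ["acme100.local"]


def substring_match(hostname, masks):
    """The thread's test: dnsName.IndexOf(mask) >= 0 for any mask.

    Any name that merely contains the token matches, wherever the token sits.
    """
    name = hostname.lower()
    return any(mask.lower() in name for mask in masks)


def suffix_match(hostname, suffixes):
    """Stricter test: the reverse name must equal a suffix or end in '.' + suffix.

    A trailing dot (returned by some resolvers) is ignored.
    """
    name = hostname.lower().rstrip(".")
    for suffix in suffixes:
        s = suffix.lower().rstrip(".")
        if name == s or name.endswith("." + s):
            return True
    return False


def classify_client(client_ip, reverse_name,
                    networks=INTRANET_NETWORKS, suffixes=DOMAIN_SUFFIXES):
    """Return 'intranet' or 'anonymous' for one request.

    'intranet' needs both conditions: the source address is inside an internal
    range AND the reverse-DNS name lies under a domain suffix. A bad address or
    a missing name falls back to 'anonymous', like the thread's empty catch block.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "anonymous"
    if not any(ip in net for net in networks):
        return "anonymous"
    if not reverse_name or not suffix_match(reverse_name, suffixes):
        return "anonymous"
    return "intranet"


def lookup_reverse_name(client_ip):
    """Live reverse lookup, the counterpart of Dns.GetHostByAddress(...).HostName.

    Returns None instead of raising so the result can be passed straight into
    classify_client(); this is the only function here that touches the network.
    """
    try:
        return socket.gethostbyaddr(client_ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    # Constructed sample requests: (client address, reverse name as a resolver would return it)
    samples = [
        ("10.1.2.3", "Accounting1.Acme100.local."),   # genuine intranet host
        ("203.0.113.5", "acme100.example.net"),       # external address, token merely embedded
        ("10.1.2.4", "notacme100.local"),             # internal range, different domain
        ("10.1.2.5", None),                           # internal range, no PTR record
    ]
    for ip, name in samples:
        loose = substring_match(name, ["acme100"]) if name else False
        print(f"{ip:12} {str(name):28} substring={loose!s:5} -> {classify_client(ip, name)}")
```

The second sample is the case the substring test gets wrong: the token "acme100" is present, so IndexOf reports a domain user, while the suffix test and the range check both reject it. Keeping lookup_reverse_name() separate from classify_client() means the decision logic can be exercised without DNS at all; the PTR record for an external address is published by whoever owns that reverse zone, which is why the address-range check runs before the name is consulted.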
