473,581 Members | 2,491 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Authentication: multiple auth types for one site

I'm looking for feedback on an authentication solution we are
considering for an ASP.NET 2.0 project.

The site will be accessed by both internal users who are logged into
the Windows domain, and external (business partner) users via the
internet.

The internal users are required to be authenticated via WIA, and
external users will be authenticated using a custom solution based on a
signed ticket that will be included as a query parameter in the URL.

We are considering implementing this as follows:

1. In IIS, enable anonymous authentication for all resources in the
site except a page called LogonInternal.a spx, which will be protected
by WIA.
2. On session start, perform the following checks:
a) check if a signed ticket is present in the request. If there is
not, then assume the session is for an internal user, and redirect to
LogonInternal.a spx. The OnLoad handler for this page gets the current
user id via WIA and uses this to complete session initialisation
activities (fetching authorisation information, etc from a database).
LogonInternal.a spx then redirects back to the original URL. (If the
request originated from outside the Windows domain it will be rejected
by WIA.)
b) If a signed ticket IS present in the request, then verify the
signature on the ticket, get the username out of the ticket and
complete session initialisation activities as above. Redirect back to
the current request URL, but with the ticket removed from the query
parameters.
If any of the above checks fail, the current session is invalidated and
an error is returned in the response.

I have prototyped the above and it appears to work fine, but some
concern has been expressed about enabling anonymous authentication
throughout the site (except for LogonInternal.a spx).

Can anyone recommend any alternatives that don't require the use of
anonymous authentication? Perhaps using Forms authentication? (If
forms authentication is used as an alternative to anonymous
authentication, it would still have to let internal users be
authenticated via WIA and external users via the ticket mechanism.)

Thanks in advance ...

Steve

Jan 22 '07 #1
2 1771
you have a couple options. you could supply your login handler, or just
use forms authenication.

in the forms login page, if the query string is there, login the user
(set creditials cookie). if not external check user in WIA, if anonymous
return a 401 to force a login.

-- bruce (sqlwork)

Steve wrote:
I'm looking for feedback on an authentication solution we are
considering for an ASP.NET 2.0 project.

The site will be accessed by both internal users who are logged into
the Windows domain, and external (business partner) users via the
internet.

The internal users are required to be authenticated via WIA, and
external users will be authenticated using a custom solution based on a
signed ticket that will be included as a query parameter in the URL.

We are considering implementing this as follows:

1. In IIS, enable anonymous authentication for all resources in the
site except a page called LogonInternal.a spx, which will be protected
by WIA.
2. On session start, perform the following checks:
a) check if a signed ticket is present in the request. If there is
not, then assume the session is for an internal user, and redirect to
LogonInternal.a spx. The OnLoad handler for this page gets the current
user id via WIA and uses this to complete session initialisation
activities (fetching authorisation information, etc from a database).
LogonInternal.a spx then redirects back to the original URL. (If the
request originated from outside the Windows domain it will be rejected
by WIA.)
b) If a signed ticket IS present in the request, then verify the
signature on the ticket, get the username out of the ticket and
complete session initialisation activities as above. Redirect back to
the current request URL, but with the ticket removed from the query
parameters.
If any of the above checks fail, the current session is invalidated and
an error is returned in the response.

I have prototyped the above and it appears to work fine, but some
concern has been expressed about enabling anonymous authentication
throughout the site (except for LogonInternal.a spx).

Can anyone recommend any alternatives that don't require the use of
anonymous authentication? Perhaps using Forms authentication? (If
forms authentication is used as an alternative to anonymous
authentication, it would still have to let internal users be
authenticated via WIA and external users via the ticket mechanism.)

Thanks in advance ...

Steve
Jan 22 '07 #2
Bruce,

If I use forms authentication as you've described, do you mean that WIA
should be enabled for the forms login page in IIS? Wouldn't that
result in external users being prompted for windows logon credentials
when they get redirected to the login page?

Note: from the tests I've done, it seems that if both anonymous access
and WIA are enabled for a page in IIS, the anonymous access setting
takes precedence. Checking
Thread.CurrentP rincipal.Identi ty.IsAuthentica ted returns false, even
for internal users who are already logged into the Windows domain.
Only if the anonymous access checkbox for the page in IIS is cleared,
does WIA seem to work. This implies that for a forms authentication
login page to use WIA, anonymous access would need to be disabled for
that page.

Any comments?

Thanks
Steve
bruce barker wrote:
you have a couple options. you could supply your login handler, or just
use forms authenication.

in the forms login page, if the query string is there, login the user
(set creditials cookie). if not external check user in WIA, if anonymous
return a 401 to force a login.

-- bruce (sqlwork)
Jan 22 '07 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

7
9273
by: Michael Foord | last post by:
#!/usr/bin/python -u # 15-09-04 # v1.0.0 # auth_example.py # A simple script manually demonstrating basic authentication. # Copyright Michael Foord # Free to use, modify and relicense. # No warranty express or implied for the accuracy, fitness to purpose
4
2057
by: Barry | last post by:
The MS fix for IE broke how users access our site (if they patch their browsers), so I need a solution to get users logged onto our site transparently. Basically we used to log on to the site by: http://username:pwd@www.mysite.com/main/ which uses basic auth, but now that doesn't work. I would like to find a way where I can still use basic...
2
1675
by: Buddy Ackerman | last post by:
If my web site is setup for NTLM authentication and the user is using IE the context.user.identity.name property is the domain user that is currently logged into the local client workstation. Wehen the user is using FireFox the user is presented with a login dialog box and that login info is validated against the web servers local user name...
5
1661
by: Samba | last post by:
Hi, I've a web application and I'm using Forms authentication. My app contains some pages that can be viewed by everyone and it doesn't require any authentication or authoization and these pages mostly come at the start of the application. After a couple of such 'general' pages, the login screen comes. How do tackle this situation? Advance...
7
1735
by: mircu | last post by:
Hi, I noticed weird behaviour with the site that is using forms authentication. I am logged to the site from the same machine from two browsers (opened separately, not ctrl-N) as different users so two sessions are created. Then from the one window I logoff but I'm automatically logouted also from the other browser window. Why? It is...
2
2489
by: code | last post by:
Hi, I have stumbled across an interesting problem regarding forms authentication over multiple sub domains. The topic has been covered in various forms online but never really gets a definitive answer as to why it happens. I have two separate web apps sat on different sub domains of the same company realm. eg:
5
2191
by: Buddy Ackerman | last post by:
My app is a .NET forms app that runs in the taskbar and periodically polls a web service. I have a client that wants the app to integrate with their Active Directory. They do not want the user to have to provide the username and password to login to the application/web service. I need to be able to send the users authenticated security token...
1
3451
by: Arnaud Martel | last post by:
Hi, I am developping a custom Webdav server in C#. The IIS configuration is just an application Website with all verbs redirected to aspnet_isapi.dll and the server works as a httpModule. This server access a virtual filesystem actually located in a database. The whole thing works fine with a classic windows authentication with the...
0
1245
by: stevecnz | last post by:
I'm looking for feedback on an authentication solution we are considering for an ASP.NET 2.0 project. The site will be accessed by both internal users who are logged into the Windows domain, and external (business partner) users via the internet. The internal users are required to be authenticated via Windows Integrated Authentication...
4
3590
by: =?Utf-8?B?RmFyaWJh?= | last post by:
It know that we can use the following method http://msdn2.microsoft.com/en-us/library/eb0zx8fc.aspx to form authenticate across multiple applications. I have created an asp.net application that supports form authentication. My application is going to be called by another legacy application (HTML) which does the initial...
0
7857
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
0
7788
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language...
0
8137
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. ...
0
8299
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that...
1
7890
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For...
0
8163
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
0
6545
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
1
2297
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
0
1127
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.