I'll layout what we did to resolve nearly identical situation...the only
difference being we're a government agency with several other agencies
networks behind the same firewall. Users on our agency network are
automatically logged in to our intranet in. Users from the other agencies
access our intranet as anonymous...or they can opptionally set up a portal
account on our intranet and log in using that (we can then use that account
to assign additional intranet access for them). To accomplish this we use
forms authentication for everything. We determine if a user is in our
domain and if they are we use that information to automatically create the
forms authenticaitonticket. If the user is not on in our domain they can
still access our intranet as anonymous and have the option to login (using a
web page or web user control) which will then fill in the forms
authentication ticket.
Here are the steps to accomplish this:
***************
Disclaimer: Examples are not the exact code from our system: in our system
it's all classed out and compartmentlized...so I've typed in code which
should aproximate what we do...enough so to give you the concepts. I guess
I could probably write an article on the concept with the exact
code....maybe someday.
***************
(1) Use Forms Authentication for everything.
If you want this authenticaiton to apply to all web apps on your intranet
(single sign-on) you should set the forms authenticaiton and machine key
once in a root web.config file and the leave them out of all web.configs for
apps under the intranet.
<machineKey validationKey="AutoGenerate"
decryptionKey="AutoGenerate" validation="3DES"/>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="/login.aspx" protection="All"
timeout="60" slidingExpiration="true" />
</authentication>
Note: the /login.aspx in the forms element above is the login page
used by the users outside your domain.
(2) Create a sub folder on the web which will use NT authentication.
In IIS turn off anonymous access to this folder.
(3) In this subfolder create a asp.net page (if you have a root web project
this page can be part of the root web project...otherwise you will need to
create a new web project in this subfolder)
This asp.net page (lets call it NTLogin.aspx) will have no html content,
just code behind. In the page_load event you will get the windows account
information and write it into the forms authentication ticket, then redirect
the user back to the page the access which initiated the login request.
example:
Private Sub Page_Load(......)
Dim userName As String = WindowsIdentity.GetCurrent.Name
userName = userName.Substring(userName.IndexOf("\") + 1)
Dim accountSystem As New DataAccess.Users
FormsAuthentication.SetAuthCookie(userName, False)
Dim url As String
If (Request.Params("ReturnURL") Is Nothing) = False Then
url = Request.Params("ReturnURL")
Else
url = Request.Url.AbsoluteUri
End If
Response.Redirect(url)
End Sub
(4) For the above NTLogin.aspx page set the web config to use impersonation
and allow all users
example:
<location path="/NTSecurity/NTLogon.aspx">
<system.web>
<identity impersonate="true" />
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
(5) In the global.asax code of your app, were going to add code to
a) Check if client is authenticated. If not then contin ue on with
the steps below.
b) Do a dns lookup on the client computer accessing the app and see
if that dns is in our domain
i.e. if client computer is named Accounting1 and your domain is
Acme100
the computers dns is going to be Accounting1.Acme100.
We'll look to see if Acme100 is part of the computer's dns name.
c) If client is in our domain we redirect them to the above
NTLogin.aspx page
passing the current requested url so we can return to it.
This is using what we did in steps 2 - 4
d) If client is not authenticated let then through, they will be
anonymous
Example of code to do all of this.
Dim isDomainUser as boolean = false
' Check if client computer is on coming from our network
Try
Dim clientIPAddress As System.Net.IPAddress =
System.Net.IPAddress.Parse(request.UserHostAddress )
Dim dnsName As String =
System.Net.Dns.GetHostByAddress(clientIPAddress).H ostName
' create a list of domain user could come from.
' if network has only one domain then just do the IndexOf
without a For/Each
Dim mask as String() = {"mydomain1","mydomain2"....}
For Each mask As String In dnsMask
If dnsName.IndexOf(mask) >= 0 Then
isDomainUser = True
End If
Next
Catch ex As Exception
End Try
' Client is coming from our network, redirect them to the
autologin page
If isDomainUser then
Dim url As String = "/NTSecurity/NTLogon.aspx"
If Request.Url.ToString.IndexOf(url) < 0 Then
If Not(IsNothing(Request.Params("ReturnURL"))
Then
url &= "?ReturnURL=" &
Request.Params("ReturnURL")
End If
End If
Response.Redirect(url)
' If you **always** want to force anonymous users to a login
page add an Else statement
' with code to direct them to the login page.
End If
Hope this helps some. I'm sure it's not the only solution but it has worked
well for us for several years now.
"pv" <pv@discussions.microsoft.com> wrote in message
news:u4****************@TK2MSFTNGP10.phx.gbl...
Hi everyone,
I need help with following scenario, please:
Users are accessing same web server from intranet (users previously
authenticated in Active Dir) and from extranet (common public users). If
user is from intranet, web server should recognize it and application
should
create additional options in controls regarding groups the user belongs
to.
If user is from extranet it should be logged in as anonymous and a link to
login page should be created. The goal is to have login page only when
user
request it.
I have tried to achieve this by using both windows and forms
authentication
but I still did not find the way to avoid IIS login form.
Thanks in advance.
PV
P.S. I already posted this to microsoft.public.dotnet.framework.security
but no answers so far