By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
449,001 Members | 1,487 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 449,001 IT Pros & Developers. It's quick & easy.

Authentication: multiple auth types for one site

P: n/a
I'm looking for feedback on an authentication solution we are
considering for an ASP.NET 2.0 project.

The site will be accessed by both internal users who are logged into
the Windows domain, and external (business partner) users via the
internet.

The internal users are required to be authenticated via WIA, and
external users will be authenticated using a custom solution based on a
signed ticket that will be included as a query parameter in the URL.

We are considering implementing this as follows:

1. In IIS, enable anonymous authentication for all resources in the
site except a page called LogonInternal.aspx, which will be protected
by WIA.
2. On session start, perform the following checks:
a) check if a signed ticket is present in the request. If there is
not, then assume the session is for an internal user, and redirect to
LogonInternal.aspx. The OnLoad handler for this page gets the current
user id via WIA and uses this to complete session initialisation
activities (fetching authorisation information, etc from a database).
LogonInternal.aspx then redirects back to the original URL. (If the
request originated from outside the Windows domain it will be rejected
by WIA.)
b) If a signed ticket IS present in the request, then verify the
signature on the ticket, get the username out of the ticket and
complete session initialisation activities as above. Redirect back to
the current request URL, but with the ticket removed from the query
parameters.
If any of the above checks fail, the current session is invalidated and
an error is returned in the response.

I have prototyped the above and it appears to work fine, but some
concern has been expressed about enabling anonymous authentication
throughout the site (except for LogonInternal.aspx).

Can anyone recommend any alternatives that don't require the use of
anonymous authentication? Perhaps using Forms authentication? (If
forms authentication is used as an alternative to anonymous
authentication, it would still have to let internal users be
authenticated via WIA and external users via the ticket mechanism.)

Thanks in advance ...

Steve

Jan 22 '07 #1
Share this Question
Share on Google+
2 Replies


P: n/a
you have a couple options. you could supply your login handler, or just
use forms authenication.

in the forms login page, if the query string is there, login the user
(set creditials cookie). if not external check user in WIA, if anonymous
return a 401 to force a login.

-- bruce (sqlwork)

Steve wrote:
I'm looking for feedback on an authentication solution we are
considering for an ASP.NET 2.0 project.

The site will be accessed by both internal users who are logged into
the Windows domain, and external (business partner) users via the
internet.

The internal users are required to be authenticated via WIA, and
external users will be authenticated using a custom solution based on a
signed ticket that will be included as a query parameter in the URL.

We are considering implementing this as follows:

1. In IIS, enable anonymous authentication for all resources in the
site except a page called LogonInternal.aspx, which will be protected
by WIA.
2. On session start, perform the following checks:
a) check if a signed ticket is present in the request. If there is
not, then assume the session is for an internal user, and redirect to
LogonInternal.aspx. The OnLoad handler for this page gets the current
user id via WIA and uses this to complete session initialisation
activities (fetching authorisation information, etc from a database).
LogonInternal.aspx then redirects back to the original URL. (If the
request originated from outside the Windows domain it will be rejected
by WIA.)
b) If a signed ticket IS present in the request, then verify the
signature on the ticket, get the username out of the ticket and
complete session initialisation activities as above. Redirect back to
the current request URL, but with the ticket removed from the query
parameters.
If any of the above checks fail, the current session is invalidated and
an error is returned in the response.

I have prototyped the above and it appears to work fine, but some
concern has been expressed about enabling anonymous authentication
throughout the site (except for LogonInternal.aspx).

Can anyone recommend any alternatives that don't require the use of
anonymous authentication? Perhaps using Forms authentication? (If
forms authentication is used as an alternative to anonymous
authentication, it would still have to let internal users be
authenticated via WIA and external users via the ticket mechanism.)

Thanks in advance ...

Steve
Jan 22 '07 #2

P: n/a
Bruce,

If I use forms authentication as you've described, do you mean that WIA
should be enabled for the forms login page in IIS? Wouldn't that
result in external users being prompted for windows logon credentials
when they get redirected to the login page?

Note: from the tests I've done, it seems that if both anonymous access
and WIA are enabled for a page in IIS, the anonymous access setting
takes precedence. Checking
Thread.CurrentPrincipal.Identity.IsAuthenticated returns false, even
for internal users who are already logged into the Windows domain.
Only if the anonymous access checkbox for the page in IIS is cleared,
does WIA seem to work. This implies that for a forms authentication
login page to use WIA, anonymous access would need to be disabled for
that page.

Any comments?

Thanks
Steve
bruce barker wrote:
you have a couple options. you could supply your login handler, or just
use forms authenication.

in the forms login page, if the query string is there, login the user
(set creditials cookie). if not external check user in WIA, if anonymous
return a 401 to force a login.

-- bruce (sqlwork)
Jan 22 '07 #3

This discussion thread is closed

Replies have been disabled for this discussion.