Anonymous login and Windows Authentication

Darren Oakey

G'day -
I'm going insane trying to solve this problem, and would desperately love
some assistance:

My problem:
I am making a web site usable by both internal users and the general public.
Internal users are on a domain, but not necessarily under any known IP
structure. Throughout the web site I want extra buttons/menus enabled if
and only if the user is internal. I want the authentication of internal
users to be done with windows authentication - no logins anywhere...

So, basically, I want Windows Authentication working with the "allow
anonymous users" ticked ON - ie - is there any way of forcing IIS to do a
challenge response and then drop back to anonymous if the windows
authentication fails - at the moment it seems to just default to anonymous,
regardless of whether a user is in the domain?
 
Lyndon Hills

I am currently playing around with this (albeit for Mac users on an
intranet). My thinking:

The web site is anonymous access.
There is a base page class inherited by every page. This checks for
the existence of a session variable.

If it isn't set then it looks for the operating system (in your case
maybe you can use IP addy to identify external users, I don't see how
your users cannot be under some sort of address scheme, the LAN
wouldn't work. Either you have private address ranges, which external
users can't have, or you have internet-routable IPs, in which case
it's your net block, and external users can't have these.).

If the OS is Windows it redirects a page to a Windows authentication
only page. The Windows user is authenticated against the domain, the
session variable set, and then they are directed back to where they
came from.

If they are a Mac user they are redirected to a page (same web site
but NOT inheriting base class). This page accepts a user/password that
I validate against our domain. If correct set the session variable and
redirect back to start.

I know I'm relying on cookies for the session id, browser
type/operating system can be spoofed etc etc, but this is on a
corporate network, so anyone messing around like that is going to get
an email to their manager if caught!

Obviously some holes in an internet situation and not quite your case
but it might inspire you.

PS Have realised a logic flaw - your LAN uses internet-routable IP
blocks, that you don't own. Shoot your admins!
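
The flow described in the reply above, written out for ASP.NET as an added example (not code from either poster): an anonymous base page sends likely-internal clients once to a page that only allows Windows authentication, which sets the session variable and redirects back. The page name `WinAuth.aspx`, the session keys, the `returnUrl` parameter and the RFC 1918 ranges are assumptions made for the illustration.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.UI;

// Inherited by every anonymous page of the site (names here are hypothetical).
public class BasePage : Page
{
    // Assumed internal ranges: the RFC 1918 private blocks. Substitute your own net block.
    static bool IsInternalAddress(string host)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(host, out ip)) return false;
        byte[] b = ip.GetAddressBytes();
        if (b.Length != 4) return false;                  // IPv4 only here
        return b[0] == 10
            || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
            || (b[0] == 192 && b[1] == 168);
    }

    // Pages use this to decide whether to show the extra buttons/menus.
    protected bool IsInternalUser
    {
        get { return Session["InternalUser"] != null; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Probe once per session, and only for clients that could be on the
        // domain, so external visitors are never sent to the challenge page.
        if (Session["AuthProbed"] == null && IsInternalAddress(Request.UserHostAddress))
        {
            Session["AuthProbed"] = true;
            Response.Redirect("~/WinAuth.aspx?returnUrl=" + HttpUtility.UrlEncode(Request.RawUrl));
        }
    }
}

// Code-behind of WinAuth.aspx. In IIS this one page has anonymous access
// switched off and Integrated Windows authentication switched on.
public class WinAuth : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (User.Identity.IsAuthenticated)
            Session["InternalUser"] = User.Identity.Name;  // DOMAIN\user
        string target = Request.QueryString["returnUrl"];
        // Accept only a site-relative path; anything else would make this page an open redirect.
        if (string.IsNullOrEmpty(target) || !target.StartsWith("/") || target.StartsWith("//") || target.StartsWith("/\\"))
            target = "~/";
        Response.Redirect(target);
    }
}
```

A client that cannot complete the challenge gets IIS's 401 response instead of reaching `WinAuth`, and behind a reverse proxy `Request.UserHostAddress` is the proxy's address, so the range check has to be made against an address the site can trust.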
 
