Complicated Fallback ASP.NET Security

Shawn Wheatley

I have been working on an ASP.NET app at work for quite some time now.
We've been using Windows authentication up until now, but I've come
across a problem. Ideally, users on our local intranet would be
authenticated via Windows authentication. Users outside of our
intranet would still authenticate, but via a separate AD/AM instance
(to keep from adding non-intranet users to our main AD server).

Is something like this possible? Every article I've read relating to
AD used in an ASP.NET app involves using Forms authentication. I
would prefer that intranet users not have to login once again to this
app after logging into their workstations.

Thanks for any help,
Shawn Wheatley
 
Joe Kaplan (MVP - ADSI)

I'm pretty sure you would need to authenticate the ADAM users via LDAP and
some kind of Forms authentication as they aren't Windows users and can't be
authenticated via the normal SSPI stuff. You could also authenticate your
Windows users against ADAM using its proxy authentication stuff, but then
you won't have WindowsPrincipals for your web users.

From there you could get clever and do something like calling LogonUser for
the Windows users to build a real Windows logon token if you needed that,
but there isn't any way to get a token for the ADAM users, so it might be
best to treat them uniformly.

Hopefully that gave you some good ideas and didn't confuse you. I haven't
played with ADAM much yet, so this is all based on my current understanding
and reading a lot of newsgroup posts about it. But I am pretty sure this
info is accurate.

Joe K.
 
Shawn Wheatley

Thanks for the response. I'm trying to stay away from Forms
Authentication if possible. With the release of Mozilla 1.6, even
those clients not on Windows can use NTLM authentication, so I would
prefer to do that if possible. The question remains how to implement
an AD structure such that all application users outside the local
intranet would also be able to authenticate via AD or AD/AM.

I began reading through "Authentication in ASP.NET: .NET Security
Guidance" from the MS website:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp

They briefly discuss Custom Authentication, which seems like it would
be the way to go, but they don't go much into detail on how it works.
My ideal custom authentication would:

1) Use NTLM to authenticate the user
2) If the user cannot be authenticated, the system would then prompt
them for username and password, just like any other NTLM-authenticated
site
3) (The tricky bit) Check against local AD (maybe they're on a dial-up
connection, but have a local account); if not, check against AD/AM or
any other credential store.

I fear this is impossible though, as there don't seem to be any hooks
into Windows authentication.

Right now, I'm using a "WindowsAuthentication_OnAuthenticate" method,
which I found on Bill Hickman's weblog:

http://weblogs.asp.net/bhickman/archive/2003/02/07.aspx

This helped me because I never had the AD groups listed in the roles
array of my HttpContext.User object. I use this method to get roles
from a SQL Server database instead. Ideally, these roles would come
from and be managed in Active Directory instead. Unfortunately, I
haven't found a similar method to the one above which lets me at the
credentials *before or during* authentication occurs. I think this
would allow the scenario I described above.

Shawn
 
Joe Kaplan (MVP - ADSI)

I think the main problem is that you really can't do Windows authentication
against ADAM for ADAM users. You can't create a Windows login token for an
ADAM user. Thus ADAM users can't have a WindowsPrincipal object.

Thus you need a way to ask for credentials.

Now, you could try to do something fancy such as passing back a
WWW-Authenticate header in the response with Basic realm="xxx" in it. That
would cause the browser to throw up the Basic authentication dialog. Then
you would need to crack open the received httpauthorization header to
extract out the username and password and try doing a bind to ADAM with those
credentials. From there you could build out an IPrincipal object. You
could probably build all that with an HttpModule so that your main code
wouldn't need to see it.

The thing is, you will still have two different kinds of IPrincipal objects.
WindowsPrincipal for Windows users and FormPrincipal (or your own custom
type) for ADAM users. They could probably be used interchangeably in your
code, but I don't really know.

I also don't know if tricking out the headers like that will cause IIS to do
weird things as it gets first crack at them.

Once again, I hope this is helpful and isn't causing more additional
confusion.

Joe K.
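The Basic-challenge HttpModule Joe sketches above, as an added example (not code from either poster): it assumes IIS has already authenticated intranet users with Integrated Windows authentication before ASP.NET runs, that the ADAM instance accepts LDAP over SSL at the placeholder AdamPath, and that the name typed into the Basic dialog is a DN or UPN the ADAM instance can simple-bind with.

```csharp
using System;
using System.Text;
using System.Web;
using System.Security.Principal;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example: Basic-auth fallback to ADAM for users who are not Windows users.
// AdamPath and Realm are placeholders; the user name must be a DN or UPN that the
// ADAM instance accepts for a simple bind.
public class BasicAdamAuthModule : IHttpModule
{
    const string AdamPath = "LDAP://adam.example.internal:636/OU=WebUsers,O=App";
    const string Realm = "App";
    public void Init(HttpApplication app) { app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest); }
    public void Dispose() { }

    void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // IIS integrated auth already produced a WindowsPrincipal: leave it alone.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated) return;
        string header = ctx.Request.Headers["Authorization"];
        if (header != null && header.Length > 6 && header.Substring(0, 6).ToUpper() == "BASIC ")
        {
            // Basic carries base64("user:password"); the first colon splits the two.
            string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
            int colon = decoded.IndexOf(':');
            if (colon > 0 && BindToAdam(decoded.Substring(0, colon), decoded.Substring(colon + 1)))
            {
                // Roles could be loaded from ADAM group membership; left empty here.
                ctx.User = new GenericPrincipal(new GenericIdentity(decoded.Substring(0, colon), "Basic"), new string[0]);
                return;
            }
        }
        // Basic sends the password in the clear, so challenge only over HTTPS.
        ctx.Response.StatusCode = ctx.Request.IsSecureConnection ? 401 : 403;
        if (ctx.Request.IsSecureConnection)
            ctx.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        ((HttpApplication)sender).CompleteRequest();
    }

    // A simple bind that succeeds proves the credentials. An empty password binds
    // anonymously and would look like success, so it is rejected up front.
    static bool BindToAdam(string user, string pass)
    {
        if (user.Length == 0 || pass.Length == 0) return false;
        try { using (DirectoryEntry entry = new DirectoryEntry(AdamPath, user, pass,
                      AuthenticationTypes.None | AuthenticationTypes.SecureSocketsLayer))
                  return entry.NativeObject != null; } // touching NativeObject forces the bind
        catch (COMException) { return false; }
    }
}
```

Register the module in web.config under httpModules; Windows users never reach the bind because they already carry a WindowsPrincipal when AuthenticateRequest fires.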
 
Shawn Wheatley

Ok, here's my latest update:

I found the following posting,
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&selm=Rnw8J81PCHA.1712@cpmsftngxa07

which loosely explains how to do a joint NTLM/Passport authenticated
site, with a database for roles. I have been able to modify this
slightly to work for my own form authentication (actually using
<authentication="None"> though). Basically I have to manage a cookie
or session object that lets the system know the user is logged in.

I'm trying to follow the example in 5A of that posting. It has an
NTLM authenticated page which errors out to a form for logging in if
the user can't authenticate. Thus, the entire site has no .NET
managed authentication, and all but this one NTLM authenticated page
are anonymous.

Example:
ntlm.aspx - NTLM authenticated, if not, redirect to
forms.aspx
forms.aspx - form, anonymous access
Page3.aspx - once authenticated go here
anyotherpage.aspx - redirect to ntlm.aspx if not authenticated.

The problem is that whenever the ntlm.aspx fails authenticating, it
can't successfully redirect to the forms.aspx as the IIS properties
specify.

Any ideas?

Shawn
 
Joe Kaplan (MVP - ADSI)

That looks like a pretty interesting approach that you might be able to
apply. Unfortunately, I'm not sure where to tell you to begin looking as to
why the custom error redirect isn't working as I've never used them.
Hopefully someone else will know, but you might start a new thread on that
specific problem.

Good luck,

Joe K.
