Mixed Mode (Forms & Windows) Authentication

Discussion in 'ASP .Net Security' started by crpietschmann, Sep 5, 2006.

  1. I have an ASP.NET application that is used remotely (over the internet) by
    our clients that uses Forms authentication and the usernames/passwords are
    stored in the database. I need to integrate Windows authentication with the
    existing Forms authentication so that our employees (on the intranet) can use
    the same application with requiring username/password.

    I've seen a suggestion of having two separate copies of the app hosted, one
    accessed locally with Windows authentication and the other remotely with
    Forms authentication. But, I would rather have one server/site do both.

    There must be a way to do this, and I don't know why this support wasn't
    built into ASP.NET 2.0 out of the box. Does anyone have any
    suggestions/examples of doing Mixed Mode Authentication in ASP.NET 2.0??
     
    crpietschmann, Sep 5, 2006
    #1

  2. There are basically two models -

    #1 One is to have a separate "start page" for Windows users - this page will
    convert the Windows credentials (and groups) to a FormsAuth ticket and redirect
    to your main app. All security will be forms based then.

    #2 A second approach involves injecting code into the pipeline (and reordering
    some of the modules) to enable this scenario.

    For existing applications #1 is often easier.

    I describe both approaches here [0]. #2 is too much code and plumbing to
    post here.

    If #1 is feasible for you I can walk you through the steps.


    [0] http://www.microsoft.com/mspress/books/9989.asp

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier, Sep 5, 2006
    #2

  3. Since your book isn't out yet, could you send me some code or point me to an
    article on this?

    Thanks!
     
    crpietschmann, Sep 5, 2006
    #3
  4. how about this?

    http://www.google.com/search?hl=en&...mixed mode authentication asp.net&btnG=Search

    ;)

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier, Sep 5, 2006
    #4
  5. Thanks for Dominick's good suggestion.

    Hello Crpietschmann,

    For your scenario, the difficulty here is that Windows authentication uses
    a completely different authentication mechanism from Forms authentication.
    Forms authentication is purely done through a clear username/password that
    the user puts in a form, and then our application validates the credential
    against our custom database. Windows authentication normally relies on the
    underlying authentication mechanism of the client browser (IE) and web
    server (IIS), which is not controllable by us. Also, currently a single
    ASP.NET application can only be configured to use a single authentication
    mode.

    Are you developing the web application on ASP.NET 2.0? If so, as you
    mentioned that your application is over the internet and will be accessed
    by both internet users and local intranet users (who have Windows login
    credentials), I think you can consider the following approach:

    1. Use Forms authentication for your web application.

    2. Since ASP.NET 2.0 uses a provider-based model for the membership
    service, you can configure two membership providers for your web
    application. One is the SQL Server membership provider, the other is
    ActiveDirectoryMembershipProvider.

    3. On your application's login form, you can put an option to let the user
    choose whether he will log in as an internet user or an intranet user. If
    internet user, you programmatically use the SqlMembership provider to
    authenticate him; otherwise, use ActiveDirectoryMembershipProvider to
    authenticate the user (against AD).

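    e.g.
    ===================
    // Code-behind of the login page (needs: using System.Web.Security;).
    // Provider names must match the <membership> entries in web.config.
    // rbInternetUser is a hypothetical RadioButton for the internet/intranet option.
    bool valid = false;

    if (IsPostBack)
    {
        if (rbInternetUser.Checked)
        {
            // Internet user: validate against the SQL membership store
            valid = Membership.Providers["sqlprovider"].ValidateUser(
                txtUsername.Text, txtPassword.Text);
        }
        else
        {
            // Intranet user: validate against Active Directory
            valid = Membership.Providers["adprovider"].ValidateUser(
                txtUsername.Text, txtPassword.Text);
        }
    }

    if (valid)
    {
        // Issue the Forms ticket (non-persistent cookie) and redirect
        FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, false);
    }

    ===================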

    In this case, you need to do the authentication and the forms
    authentication redirect/sign-out in code rather than directly utilizing the
    login controls.

    Also, since the username/password is passed as clear text on the forms
    authentication form page, you should consider using https/ssl for the
    authentication pages.

    Do you think this is a possible approach for your scenario?

    Please feel free to let me know if you have any questions or other
    consideration on this.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead






    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Sep 6, 2006
    #5
  6. The OP said -

    "so that our employees (on the intranet) can use the same application with
    requiring username/password."

    This will not be achievable with Membership.

    You need some piece of plumbing that bridges the gap between Windows and
    Forms Auth. As I said, the easiest is to give the internal users a "special"
    login page that does this.

    This article depicts the general solution (can be optimized for ASP.NET 2.0
    - but that's the general idea) : http://www.15seconds.com/issue/050203.htm



    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier, Sep 6, 2006
    #6
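
Model #1 from this thread (a separate start page that turns the Windows logon into a FormsAuth ticket), shown as an added example that is not code from any poster or from the linked article. The page name WinLogin.aspx, the CONTOSO group names, the role names and the 30-minute lifetime are assumptions.

```csharp
// WinLogin.aspx.cs: added example, not code from the thread or the article.
// Assumes IIS allows only Integrated Windows authentication on this file and
// web.config (Forms mode) has a <location> entry letting all users reach it.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class WinLogin : Page
{
    // Hypothetical Windows group -> application role pairs.
    private static readonly string[,] RoleMap = {
        { @"CONTOSO\AppUsers", "User" },
        { @"CONTOSO\AppAdmins", "Admin" }
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        // Empty LOGON_USER means IIS served the request anonymously.
        string logonUser = Request.ServerVariables["LOGON_USER"];
        if (String.IsNullOrEmpty(logonUser))
        {
            Response.StatusCode = 403; // never mint a ticket for anonymous
            Response.End();
            return;
        }

        // Store only mapped roles; a full group list can overflow the cookie.
        WindowsPrincipal principal = new WindowsPrincipal(Request.LogonUserIdentity);
        string roles = "";
        for (int i = 0; i < RoleMap.GetLength(0); i++)
            if (principal.IsInRole(RoleMap[i, 0]))
                roles += (roles.Length > 0 ? "|" : "") + RoleMap[i, 1];

        // Keeping the DOMAIN\ prefix stops the name from colliding with a
        // user name in the Forms (database) store.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, logonUser, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, roles, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.DefaultUrl);
    }
}
```

Roles stored in the ticket's UserData take effect only if the application reads them back on each request, for example in Application_AuthenticateRequest.
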
  7. Hello Chris,

    How are you doing on this issue? If there is still anything we can help with,
    please feel free to post here.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


     
    Steven Cheng[MSFT], Sep 8, 2006
    #7
  8. crpietschmann

    Joanne Roque Guest

    Joanne Roque, Sep 15, 2006
    #8