.NET HttpModule & NTLM Integrated Authentication

Discussion in 'ASP .Net Security' started by Rob Mayo, Jan 23, 2004.

  1. Rob Mayo

    Rob Mayo Guest

    What I'm trying to do is Create an ASP.Net app that has both
    Windows-authenticated users and Anonymous users. The idea is this:

    When authenticated users attempt to access the site, their credentials are
    passed to the Request, and I use the DOMAIN\USER value via the AUTH_USER
    server variable to access their accounts. These people would never have to
    log in to the app, only their machines on the network.

    When anonymous users attempt to access the site, they are redirected to a
    login page, rather than getting the Challenge dialog. Their login is
    verified against a database and I alter the Current User with a
    GenericPrincipal object.


    I tried enabling 'Allow Anonymous Access' in IIS and producing the challenge
    myself with a custom HttpModule, but was unable to make the challenge
    myself.

    Then I tried DISabling anonymous access and IIS provided the challenge and
    the 401 response before it even got to my custom HttpModule.


    Is there ANY way to acheive what I'm trying to do? Is there some way I can
    intercept a request before IIS issues a challenge and issue the challenge
    myself?
    Rob Mayo, Jan 23, 2004
    #1
    1. Advertising

  2. Rob,

    This case may by a bit tricky.
    One of the security design considerations to take into account, should be to
    rely as much as possible on the operating system security subsystem and
    avoid whenever possible, creating your own custom solution. With this
    premise in mind, you may try to set first the IIS authentication mode
    (remember that ASP.NET is running over IIS, so the first security checkpoint
    will be executed by IIS).
    If you check Anonymous and NTLM/Kerberos as you auth methods, IIS will
    first try to authenticate as Anonymous so you will always get the anonymous
    access account. Remember that for IIS, there is no such an "Anonymous user",
    so IIS will try to authenticate or not (if checked Anonymous) and it will
    always run the ASP.NET worker process under some Windows account.
    Based on this, your auth methods are incompatible for the same application
    basically because you are using two different auth methods (Windows/AD and
    Forms/Custom Resource) that where designed for different purposes.


    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://www.lagash.com



    "Rob Mayo" <> wrote in message
    news:...
    > What I'm trying to do is Create an ASP.Net app that has both
    > Windows-authenticated users and Anonymous users. The idea is this:
    >
    > When authenticated users attempt to access the site, their credentials are
    > passed to the Request, and I use the DOMAIN\USER value via the AUTH_USER
    > server variable to access their accounts. These people would never have to
    > log in to the app, only their machines on the network.
    >
    > When anonymous users attempt to access the site, they are redirected to a
    > login page, rather than getting the Challenge dialog. Their login is
    > verified against a database and I alter the Current User with a
    > GenericPrincipal object.
    >
    >
    > I tried enabling 'Allow Anonymous Access' in IIS and producing the

    challenge
    > myself with a custom HttpModule, but was unable to make the challenge
    > myself.
    >
    > Then I tried DISabling anonymous access and IIS provided the challenge and
    > the 401 response before it even got to my custom HttpModule.
    >
    >
    > Is there ANY way to acheive what I'm trying to do? Is there some way I can
    > intercept a request before IIS issues a challenge and issue the challenge
    > myself?
    >
    >
    Hernan de Lahitte, Jan 26, 2004
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mark
    Replies:
    0
    Views:
    675
  2. Rob Mayo
    Replies:
    2
    Views:
    3,846
    Hernan de Lahitte
    Jan 26, 2004
  3. Brett Smith
    Replies:
    2
    Views:
    449
    Brett Smith
    Oct 26, 2004
  4. Will
    Replies:
    5
    Views:
    2,611
  5. Matthijs
    Replies:
    0
    Views:
    835
    Matthijs
    Dec 10, 2008
Loading...

Share This Page