Site Config Question

Craig

Hi

I have a site that runs in an intranet environment, therefore the
authentication method in IIS is 'Integrated Windows authentication' and no
Anonymous access. In my web.config <authentication mode="Windows" />, works
fine.

We want to release the site to the internet whilst maintaining integrated
Windows authentication for the intranet users, and having a forms-like
authentication for internet users.

I didn't think this was possible, any ideas?
 
Chris Mohan

Not sure I follow - what is it that you hope to accomplish by enabling Windows
authentication and forms?

re: two authentication modes within the same website -- yes, it is possible
but you can't implement both authentication modes within the same
directory (which is probably b/c you can only implement 1 authentication mode
per application domain).

Here's how: Set the authentication mode to windows in the root web.config
and then configure a child dir as its own application in IIS. Set the child
dir's authentication mode to forms by either using the location element in
the root web.config or putting a new web.config at the root of the child
dir.

See this for more info:
http://www.theserverside.net/articles/article.tss?l=FormAuthentication

If your goal is to keep anonymous users out then you can accomplish this for
both intranet users and those who access the site remotely (internet users)
by setting the app's authentication mode to Windows and then adding a deny tag
in the authorization element by setting its users property to anonymous, aka
"?"

Denying anonymous users will prompt the server to challenge all
users (whether they are accessing the site from inside your network or not) to
provide their credentials.

<authentication mode="Windows" />
<authorization>
    <deny users="?" />
</authorization>

The info above is based on the assumption that your server's machine.config
uses the framework's default settings (specifically the username attribute of
the processmodel element ("machine") and the impersonation element ("no")).

If this is what you want.. you can take an additional step that will make
the lives of your users easier: if your organization uses Explorer 6.0 as its
default browser then employees can use IE's "zone" feature and list the
intranet app's url in IE's "Trusted Sites Zone." By changing a default
security setting (for this zone only) users can allow the browser to
automatically pass their credentials to the site so they won't have to
manually login.

See this for more info:
http://support.microsoft.com/default.aspx?scid=kb;en-us;264086

1 sneaky suggestion: if you opt to do this.. do it AFTER your users have had
to go a week or two manually logging into the app. The reason: if you give
this to them from the get-go the convenience is perceived as normal. If you
wait a little bit then you'll have made everyone's lives a little easier in
the organization in a way that both technical ppl and non-technical ppl (such
as those who decide things like salary increases) can understand and
appreciate.
 
Chris Mohan

One clarification for the following paragraph.
Don't list the site in the trusted zone, list it in the "Local Intranet" zone.
The reason: if users start listing arbitrary sites in the trusted list.. then
the security change will pass their info to those sites too, which are likely
to be outside your network.
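
The split described in the thread, written out as the two web.config files it implies. This is an added example, not part of the original posts; the child directory name "external", the login page "login.aspx" and the cookie name are assumptions made for illustration.

```xml
<!-- Root application: /web.config
     Intranet users, Integrated Windows authentication. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" is the anonymous user: every request must carry Windows credentials -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- Child application: /external/web.config
     "external" is a hypothetical directory name. It has to be configured as its
     own application in IIS, because the authentication mode is set once per
     application. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl and name are assumed values for this example.
           requireSSL="true" keeps the ticket cookie off plain HTTP. -->
      <forms name=".EXTAUTH" loginUrl="login.aspx" protection="All"
             timeout="30" requireSSL="true" />
    </authentication>
    <authorization>
      <!-- Unauthenticated requests are redirected to loginUrl instead of served -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

For the forms-authenticated child application, IIS itself has to allow anonymous access so that the request reaches ASP.NET, which then enforces the deny rule and redirects to the login page.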
 
