Site Config Question

Discussion in 'ASP .Net Security' started by Craig, Nov 5, 2004.

  1. Craig

    Craig Guest

    Hi

    I have a site that runs in an intranet environment, therefore the
    authentication method in IIS is 'Integrated Windows authentication' and no
    Anonymous access. In my web.config <authentication mode="Windows" />, works
    fine.

    We want to release the site to the internet whilst maintaining integrated
    Windows authentication for the intranet users; and having a forms like
    authentication for internet users.

    I didn't think this was possible, any ideas?
    Craig, Nov 5, 2004
    #1

  2. Craig

    Chris Mohan Guest

    Not sure I follow- what is it that you hope to accomplish by enabling windows
    authentication and forms?

    re: two authentication modes within the same website-- yes, it is possible
    but you can't implement both authentication modes within the same
    directory(which is probably b/c you can only implement 1 authentication mode
    per application domain).

    Here's how: Set the authentication mode to windows in the root web.config
    and then configure a child dir as its own application in IIS. Set the child
    dir's authentication mode to forms by either using the location element in
    the root web.config or putting a new web.config at the root of the child
    dir.

    See this for more info:
    http://www.theserverside.net/articles/article.tss?l=FormAuthentication

    If your goal is to keep anonymous users out then you can accomplish this for
    both intranet users and those who access the site remotely (internet users)
    by setting the app's authentication mode to windows and then adding a deny tag
    in the authorization element by setting its users property -anonymous- , aka
    "?"

    Denying anonymous users will prompt the server to challenge all
    users (whether they are accessing the site from inside your network or not)
    to provide their credentials.

    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />
    </authorization>

    The info above is based on the assumption that your server's machine.config
    uses the framework's default settings (specifically the username attribute of
    the processmodel element ("machine") and the impersonation element ("no")).

    If this is what you want.. you can take an additional step that will make
    the lives of your users easier: if your organization uses Explorer 6.0 as its
    default browser then employees can use IE's "zone" feature and list the
    intranet app's url in IE's "Trusted Sites Zone." By changing a default
    security setting (for this zone only) users can allow the browser to
    automatically pass their credentials to the site so they won't have to
    manually login.

    See this for more info:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;264086

    1 sneaky suggestion: if you opt to do this.. do it AFTER your users have had
    to go a week or two manually logging into the app. The reason: if you give
    this to them from the get-go the convenience is perceived as normal. If you
    wait a little bit then you'll have made everyone's lives a little easier in
    the organization in a way that both technical ppl and non-technical ppl (such
    as those who decide things like salary increases) can understand and
    appreciate.


    "Craig" wrote:

    > Hi
    >
    > I have a site that runs in an intranet environment, therefore the
    > authentication method in IIS is 'Integrated Windows authentication' and no
    > Anonymous access. In my web.config <authentication mode="Windows" />, works
    > fine.
    >
    > We want to release the site to the internet whilst maintaining integrated
    > Windows authentication for the intranet users; and having a forms like
    > authentication for internet users.
    >
    > I didn't think this was possible, any ideas?
    Chris Mohan, Nov 12, 2004
    #2
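
The two-application layout described in the post above, written out as an added example that is not part of the original thread. The child application name `external`, the page `login.aspx` and the cookie name `.EXTAUTH` are hypothetical; `requireSSL` needs .NET Framework 1.1 or later and HTTPS on the site.

```xml
<!-- Constructed example, file 1: web.config in the site root.
     Intranet users authenticate with Integrated Windows authentication. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" matches anonymous users; denying them forces a credential challenge -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- Constructed example, file 2: web.config at the root of the child directory
     (hypothetical name "external"), which is configured as its own application in IIS. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl and name are assumptions; protection="All" encrypts and
           validates the ticket, requireSSL keeps the cookie off plain HTTP -->
      <forms name=".EXTAUTH"
             loginUrl="login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30" />
    </authentication>
    <authorization>
      <!-- Unauthenticated requests are redirected to loginUrl -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

For the Forms login page to be reachable, the child application must allow anonymous access at the IIS level; otherwise IIS issues its own challenge before ASP.NET can redirect to the login page.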

  3. Craig

    Chris Mohan Guest

    One clarification for the following paragraph.
    Don't list the site in the trusted zone, list it in the "Local Intranet" zone.
    The reason: if users start listing arbitrary sites in the trusted list.. then
    the security change will pass their info to those sites too which are likely
    to be outside your network.

    > If this is what you want.. you can take an additional step that will make
    > the lives of your users easier: if your organization uses Explorer 6.0 as its
    > default browser then employees can use IE's "zone" feature and list the
    > intranet app's url in IE's "Trusted Sites Zone." By changing a default
    > security setting (for this zone only) users can allow the browser to
    > automatically pass their credentials to the site so they won't have to
    > manually login.
    >
    > See this for more info:
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;264086
    Chris Mohan, Nov 12, 2004
    #3
