Windows authentication with custom user store

[Danny Vucinec]

I'm building a solution that uses Windows authentication. However, the
Windows users that are allowed to login and use the application are defined
in a custom user store. If a user is successfully authenticated by Windows,
access should be denied to if the user isn't in the custom user store.

Using roles to authorize the users would be a good solution, but the fact
is, that the web application uses both asp.net and classical asp. What other
options could be used? I'm thinking of a custom SessionStateUtility that only
issues a new session after the authenticated user is located in the user
store.

 

[Danny Vucinec]

Another option could be the use of a custom "authentication cookie" that is
issued after the user is located in the user store. This cookie should then
be checked in every request. What would be a good technique for this solution?

 

[Dominick Baier]

You can write an HttpModule that handles AuthorizeRequest (or in global.asax
for a start)

in this event you can check your userstore and see if the user is in the
allowed list.

This event gets called on every request - once you have this working, you
can think about optimizations, like a cookie or a flag in the cache...