Intranet app via remote location (Internet)


Troy S.

Hello all. I am developing a 2.0 web site whereby the client wants to give
access to everyone in their company's domain (I assume that means Active
Directory). The site will be accessed from the Internet (outside the
company's intranet). Once logged in, I will grab the authenticated user's
identity and search SQL tables for their app-specific rights. I have
wrestled with the proper settings to enable this functionality but have yet
to stumble upon the correct solution.

I would think Allow Anonymous Access would be turned off via IIS and
web.config would have something similar to the following in it:

<!-- ASP.NET trusts the Windows identity IIS established -->
<authentication mode="Windows"/>
<!-- run request processing as the authenticated caller -->
<identity impersonate="true"/>
<authorization>
<!-- only members of the app role get in; everyone else is denied -->
<allow roles="app-specific-role-name" />
<deny users="*" />
</authorization>

I'd greatly appreciate any insight you have or even links to proper
resources. Take care.

Troy
 

Joe Kaplan

How do you want the auth to be done? Your basic options are Windows auth or
Forms auth. Making Windows auth work outside the firewall can be a
challenge as Kerberos requires access to a domain controller and NTLM can be
hard to get working well across firewalls and load balancers (although it
can work). Basic auth actually works fine but requires SSL for security and
won't provide SSO (although maybe you aren't expecting that for the
internet-based users).

All of those options assume the server is domain joined so that it can
authenticate these users.

To use forms auth, you would probably want to use the Active Directory
membership provider. Perhaps since you have custom roles in SQL you would
want to implement a custom SQL-based role provider. You might want to do
that regardless of whether you use Windows auth or Forms auth.

Joe K.
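The Forms-auth route Joe describes above, written out as a web.config, as an added example that is not from the thread or from either poster: the built-in Active Directory membership provider validates the username/password the login page collects, and a custom SQL-backed role provider supplies the app-specific rights. Every concrete name here (the corp.example.com domain, the service account, the MyApp.Security.SqlAppRoleProvider class, the connection strings) is a placeholder I made up; the provider attribute names are the real ones from System.Web.

```xml
<!-- Added example (not from the thread): Forms auth backed by AD for
     credentials and by the app's own SQL tables for roles.
     All server, domain, account and class names are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- LDAP path of the domain the users belong to (placeholder). -->
    <add name="AdConnection"
         connectionString="LDAP://dc01.corp.example.com/DC=corp,DC=example,DC=com" />
    <!-- The app's own database holding the Users/Roles tables (placeholder). -->
    <add name="AppDb"
         connectionString="Data Source=sql01;Initial Catalog=MyApp;Integrated Security=SSPI" />
  </connectionStrings>

  <system.web>
    <!-- The login page collects the Windows username/password and the
         membership provider checks it against AD. requireSSL keeps the auth
         cookie off plain HTTP; the login page itself must also be served over
         HTTPS, since the password travels in the POST body. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" protection="All" requireSSL="true"
             timeout="30" slidingExpiration="false" cookieless="UseCookies" />
    </authentication>

    <!-- "?" is the anonymous user: everyone must log in before anything else
         is evaluated. Per-folder rules below narrow access by app role. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <membership defaultProvider="AdMembership">
      <providers>
        <clear />
        <!-- Built-in AD provider. connectionUsername/Password is a
             low-privilege account used only to bind and look users up; omit
             both to bind as the process identity of a domain-joined server.
             attributeMapUsername=sAMAccountName lets users type "jsmith"
             rather than a full UPN. -->
        <add name="AdMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AdConnection"
             connectionUsername="CORP\svc-webapp-lookup"
             connectionPassword="PLACEHOLDER-encrypt-this-section"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="false" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="SqlAppRoles" cacheRolesInCookie="false">
      <providers>
        <clear />
        <!-- Hypothetical custom class deriving from
             System.Web.Security.RoleProvider that reads the app's own
             Users/Roles tables. -->
        <add name="SqlAppRoles"
             type="MyApp.Security.SqlAppRoleProvider, MyApp"
             connectionStringName="AppDb" />
      </providers>
    </roleManager>
  </system.web>

  <!-- One folder restricted to a single app-specific SQL role. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="app-specific-role-name" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two things a practitioner would check before shipping this: the lookup account's password should not sit in web.config in clear text (`aspnet_regiis -pe "system.web/membership" -app "/MyApp"` encrypts that section in place), and with `cacheRolesInCookie="false"` a role revoked in the SQL tables takes effect on the next request rather than when a cookie expires.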
 

Troy S.

Joe, thanks for your time and informative reply.

> How do you want the auth to be done?

I've always used Forms authentication in conjunction with my own SQL tables
(Users, Roles, etc) so I'm not sure how to answer your question. I've never
tried to utilize Active Directory for an internet application but I've had to
maintain a few apps that do (code is ugly and monstrous, using third-party
components).

I've not yet seen an elegant way to make Windows prompt the user for their
Windows un & pw and then allow them access to the site, which is the
functionality I need (just like RDPing to my work machine from home--fill in
my un & pw and I can then access all the network resources I normally have
access to).

I'm not sure about the domain controller. All I know at the moment is the
client has an intranet with many machines connected to it and wants to host
this new site on one of their machines, using existing Windows accounts for
authentication.

I will research the Active Directory membership provider and see where that
leads me. Hopefully I find the veritable pot of gold.

Take care.

Troy
 

Joe Kaplan

I find it strange that you've had such bad experiences with Windows auth as
you usually don't have to do anything to make it work. Just enable Windows
auth in IIS, disable anonymous and set ASP.NET to Windows auth mode. It
just works. If the IIS box is domain-joined, it will authenticate against
AD. There is no code to write.

The question is still whether you want to use Windows auth or forms auth.
If you choose to go with forms auth, the AD membership provider is the
easiest solution.

Joe K.
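Joe's "no code to write" Windows-auth setup above, as an added example web.config that is not from the thread: ASP.NET in Windows mode, anonymous access denied, and access limited to a domain group. The IIS-side switches Joe mentions are set in IIS Manager on IIS 6; the `system.webServer` block is the IIS 7+ equivalent and assumes that server version (those two sections are locked in applicationHost.config by default and must be unlocked, e.g. with `appcmd unlock config /section:system.webServer/security/authentication/windowsAuthentication`, before a site-level web.config may set them). The `CORP\WebApp-Users` group name is a placeholder.

```xml
<!-- Added example (not from the thread): Windows auth end to end.
     CORP\WebApp-Users is a placeholder domain group. -->
<configuration>
  <system.web>
    <!-- ASP.NET trusts the identity IIS already negotiated
         (Kerberos, NTLM or Basic). -->
    <authentication mode="Windows" />

    <!-- Impersonation is not needed just to learn who the caller is:
         User.Identity.Name is available either way for the SQL rights lookup.
         Leave it off unless pages must open files, shares or databases
         *as* the user; on a domain-joined server that also means the
         app pool identity, not the user, opens the SQL connection. -->
    <identity impersonate="false" />

    <!-- Windows groups can be used directly as roles in DOMAIN\Group form.
         Everyone outside the allowed group, anonymous included, is denied. -->
    <authorization>
      <allow roles="CORP\WebApp-Users" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- IIS 7+ only (assumed); on IIS 6 these are the Directory Security
       checkboxes in IIS Manager. -->
  <system.webServer>
    <security>
      <authentication>
        <!-- Disabling anonymous is what makes IIS issue the 401 challenge
             that prompts for Windows credentials. -->
        <anonymousAuthentication enabled="false" />
        <!-- Kerberos (Negotiate) first, NTLM as the fallback for clients
             that cannot reach a domain controller, i.e. Internet users. -->
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
        <!-- Basic auth sends the password base64-encoded, not encrypted;
             enable it only on an HTTPS-only site. -->
        <basicAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

For the Internet-facing case Joe warns about, the practical symptom of the NTLM-behind-a-load-balancer problem is a connection-bound handshake that breaks when consecutive requests land on different back ends, so the check is to confirm the balancer keeps each client session pinned to one server before blaming the config.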
 

Troy S.

> ... Just enable Windows
> auth in IIS, disable anonymous and set ASP.NET to Windows auth mode. It
> just works. If the IIS box is domain-joined, it will authenticate against
> AD. There is no code to write.

Those are specific instructions that even I understand. I will give that a
go and see if it passes the client's muster.

> The question is still whether you want to use Windows auth or forms auth.
> If you choose to go with forms auth, the AD membership provider is the
> easiest solution.

I wish I knew. From what little I understand, using Windows auth from
outside the Internet firewall is inviting headaches but that's just based on
random postings I've reviewed. I've looked at the AD m.p. and it doesn't
seem too complicated (still not a plug-n-play kind of option--I love
programming but hate the security-related quicksand). If the above option is
shot down then I'll tackle the AD MP option.

Thanks again for your time and effort.

Troy S.
 