Mixed Mode (Forms & Windows) Authentication

Discussion in 'ASP .Net Security' started by crpietschmann, Sep 5, 2006.

  1. I have an ASP.NET application that is used remotely (over the internet) by
    our clients that uses Forms authentication and the usernames/passwords are
    stored in the database. I need to integrate Windows authentication with the
    existing Forms authentication so that our employees (on the intranet) can use
    the same application with requiring username/password.

    I've seen a suggestion of having two separate copies of the app hosted, one
    accessed locally with Windows authentication and the other remotely with
    Forms authentication. But, I would rather have one server/site do both.

    There must be a way to do this, and I don't know why this support wasn't
    built into ASP.NET 2.0 out of the box. Does anyone have any
    suggestions/examples of doing Mixed Mode Authentication in ASP.NET 2.0??
    crpietschmann, Sep 5, 2006

  2. There are basically two models -

    #1 One is to have a separate "start page" for Windows users - this page will
    convert the Windows credentials (and groups) to a FormsAuth ticket and redirect
    to your main app. All security will be forms based then.

    #2 A second approach involves injecting code into the pipeline (and reordering
    some of the modules) to enable this scenario.

    For existing applications #1 is often easier.

    I describe both approaches here [0]. #2 is too much code and plumbing to
    post here.

    If #1 is feasible for you I can walk you through the steps.

    [0] http://www.microsoft.com/mspress/books/9989.asp
    Dominick Baier, Sep 5, 2006

  3. Since your book isn't out yet, could you send me some code or point me to an
    article on this?


    crpietschmann, Sep 5, 2006
  4. how about this?



    Dominick Baier, DevelopMentor
    Dominick Baier, Sep 5, 2006
  5. Thanks for Dominick's good suggestion.

    Hello Crpietschmann,

    For your scenario, the difficulty here is that Windows authentication uses a
    completely different authentication mechanism from Forms authentication.
    Forms authentication is done purely through the clear username/password
    the user puts in the form, and then our application validates the credential
    against our custom database. Windows authentication normally relies on the
    underlying authentication mechanism of the client browser (IE) and the web
    server (IIS), which is not controllable by us. Also, currently a single
    ASP.NET application can only be configured to use a single authentication mode.

    Are you developing the web application on ASP.NET 2.0? If so, as you
    mentioned that your application is over the internet and will be accessed by
    both internet users and local intranet users (who have Windows login
    credentials), I think you can consider the following approach:

    1. Use Forms authentication for your web application.

    2. Since ASP.NET 2.0 uses a provider-based model for the membership service,
    you can configure two membership providers for your web application. One is
    the SqlServer membership provider, another is ActiveDirectoryMembership

    3. And on your application's login form, you can put an option to let the
    user choose whether he will log in as an internet user or an intranet user.
    If internet user, you programmatically use the SqlMembership provider to
    authenticate it; otherwise, use ActiveDirectoryMembershipProvider to
    authenticate the user (against AD).

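    bool valid = false;

    // Assumed names: rblUserType, txtPassword (form controls);
    // "ADProvider" / "SqlProvider" (placeholder provider entries in web.config).
    if (IsPostBack)
    {
        string provider = rblUserType.SelectedValue == "intranet" ? "ADProvider" : "SqlProvider";
        valid = Membership.Providers[provider].ValidateUser(txtUsername.Text, txtPassword.Text);
        if (valid) FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, false);
    }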


    In this case, you need to do the authentication and the forms
    authentication redirect/sign-out in code rather than directly utilizing the
    login controls.

    Also, since the username/password is passed as clear text on forms
    authentication form page, you should consider using https/ssl for the
    authentication pages.

    Do you think this is a possible approach for your scenario?

    Please feel free to let me know if you have any questions or other
    consideration on this.


    Steven Cheng

    Microsoft MSDN Online Support Lead



    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Sep 6, 2006
  6. The OP said -

    "so that our employees (on the intranet) can use the same application with
    requiring username/password."

    This will not be achievable with Membership.

    You need some piece of plumbing that bridges the gap between Windows and
    Forms Auth. As I said, the easiest is to give the internal users a "special"
    login page that does this.

    This article depicts the general solution (can be optimized for ASP.NET 2.0
    - but that's the general idea) : http://www.15seconds.com/issue/050203.htm

    Dominick Baier, DevelopMentor
    Dominick Baier, Sep 6, 2006
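
    The "special" login page from approach #1, sketched as an added example that is not taken from any post in this thread or from the linked article. Assumptions: the page is named WinLogin.aspx, IIS has Integrated Windows authentication on (anonymous off) for that one file only, the application stays in Forms mode, and roles are carried in the ticket's UserData separated by "|".

```csharp
// WinLogin.aspx.cs (hypothetical page name): turns the IIS-authenticated
// Windows identity into a Forms ticket, then hands off to the main app.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class WinLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // LOGON_USER is empty when IIS served the request anonymously.
        // Guard against a misconfigured page: never issue a ticket then.
        string logonUser = Request.ServerVariables["LOGON_USER"];
        WindowsIdentity id = Request.LogonUserIdentity;
        if (string.IsNullOrEmpty(logonUser) || id == null || !id.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // Translate group SIDs to DOMAIN\group names for role checks.
        // Many groups can exceed the ~4 KB cookie limit: filter to the
        // groups the application actually uses if that happens.
        List<string> roles = new List<string>();
        foreach (IdentityReference sid in id.Groups)
        {
            try { roles.Add(sid.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { /* orphaned SID: skip */ }
        }

        // id.Name is DOMAIN\user, so it cannot collide with a database
        // username unless the registration form allows a backslash.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, id.Name, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, string.Join("|", roles.ToArray()),
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);

        Response.Redirect(FormsAuthentication.GetRedirectUrl(id.Name, false));
    }
}
```

    The main application then needs code (for example in Application_AuthenticateRequest) that reads UserData back into a principal, since Forms authentication does not populate roles from the ticket on its own.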
  7. Hello Chris,

    How are you doing on this issue? If there is still anything we can help
    with, please feel free to post here.


    Steven Cheng

    Microsoft MSDN Online Support Lead

    Steven Cheng[MSFT], Sep 8, 2006