Mixed Mode (Forms & Windows) Authentication

crpietschmann

I have an ASP.NET application that is used remotely (over the internet) by
our clients that uses Forms authentication and the usernames/passwords are
stored in the database. I need to integrate Windows authentication with the
existing Forms authentication so that our employees (on the intranet) can use
the same application with requiring username/password.

I've seen a suggestion of having two separate copies of the app hosted, one
accessed locally with Windows authentication and the other remotely with
Forms authentication. But, I would rather have one server/site do both.

There must be a way to do this, and I don't know why this support wasn't
built into ASP.NET 2.0 out of the box. Does anyone have any
suggestions/examples of doing Mixed Mode Authentication in ASP.NET 2.0??
 
Dominick Baier

There are basically two models -

#1 one is to have a separate "start page" for Windows users - this page will
convert the Windows credentials (and groups) to a FormsAuth ticket and redirect
to your main app. All security will be forms based then.

#2 A second approach involves injecting code into the pipeline (and reordering
some of the modules) to enable this scenario.

For existing applications #1 is often easier.

I describe both approaches here [0]. #2 is too much code and plumbing to
post here.

If #1 is feasible for you I can walk you through the steps.


[0] http://www.microsoft.com/mspress/books/9989.asp
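
The "start page" model (#1) from the post above, sketched as an added example; it is not part of the original thread and not Dominick Baier's own code. The page name `WinLogin`, the 30-minute lifetime and the `|` group separator are assumptions.

```csharp
// WinLogin.aspx.cs (hypothetical page name). Assumptions: the site uses
// <authentication mode="Forms"/>, and in IIS this one page has Integrated
// Windows authentication enabled and anonymous access disabled.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public partial class WinLogin : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // IIS fills LOGON_USER only after it has authenticated the caller.
        // An empty value means anonymous access is still enabled: fail closed.
        string logonUser = Request.ServerVariables["LOGON_USER"];
        if (String.IsNullOrEmpty(logonUser))
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // Collect the Windows group names so the main app can do role checks.
        List<string> groups = new List<string>();
        WindowsIdentity identity = Request.LogonUserIdentity;
        foreach (IdentityReference sid in identity.Groups)
        {
            try { groups.Add(sid.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { /* skip unresolvable SIDs */ }
        }

        // Encrypt() protects the ticket with the machineKey, so the client
        // cannot edit the name or the group list carried in UserData.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, logonUser, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, String.Join("|", groups.ToArray()));

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        Response.Cookies.Add(cookie);

        // From here on the main app sees an ordinary forms-authenticated user.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(logonUser, false));
    }
}
```

Keeping the `DOMAIN\user` form as the ticket name prevents an intranet account from colliding with a database username. Users in many groups can push the cookie past the browser's size limit, in which case look the groups up on each request instead of storing them in the ticket.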
 
crpietschmann

Since your book isn't out yet, could you send me some code or point me to an
article on this?

Thanks!


 
Dominick Baier

how about this?

http://www.google.com/search?hl=en&...mixed+mode+authentication+asp.net&btnG=Search

;)

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
 
Steven Cheng[MSFT]

Thanks for Dominick's good suggestion.

Hello Crpietschmann,

For your scenario, the difficulty here is that Windows authentication uses a
completely different authentication mechanism from forms authentication.
Forms authentication is purely done through a clear username/password that
the user puts in a form, and then our application validates the credentials
against our custom database. Windows authentication normally relies on the
underlying authentication mechanism of the client browser (IE) and the web
server (IIS), which is not controllable by us. Also, currently a single
ASP.NET application can only be configured to use a single authentication
mode.

Are you developing the web application on ASP.NET 2.0? If so, as you
mentioned that your application is over the internet and will be accessed by
both internet users and local intranet users (who have Windows login
credentials), I think you can consider the following approach:

1. Use Forms authentication for your web application.

2. Since ASP.NET 2.0 uses a provider-based model for the membership service,
you can configure two membership providers for your web application. One is
the SQL Server membership provider, another is the
ActiveDirectoryMembershipProvider.

3. And on your application's login form, you can put an option to let the
user choose whether he will log in as an internet user or an intranet user.
If an internet user, you programmatically use the SqlMembership provider to
authenticate him; otherwise, use the ActiveDirectoryMembershipProvider to
authenticate the user (against AD).

e.g.
===================
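bool valid = false;

// Stand-in condition from the post; step 3 branches on the login form's
// internet/intranet option instead.
if (IsPostBack)
{
    // Internet user: validate against the SQL Server membership provider.
    valid = Membership.Providers["sqlprovider"].ValidateUser(
        txtUsername.Text, txtPassword.Text);
}
else
{
    // Intranet user: validate against Active Directory.
    valid = Membership.Providers["adprovider"].ValidateUser(
        txtUsername.Text, txtPassword.Text);
}

if (valid)
{
    // Issue the forms authentication ticket and return to the requested page.
    FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, false);
}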

===================

In this case, you need to do the authentication and forms authentication's
redirect/sign-out in code rather than directly utilizing the login controls.

Also, since the username/password is passed as clear text on the forms
authentication form page, you should consider using HTTPS/SSL for the
authentication pages.

Do you think this is a possible approach for your scenario?

Please feel free to let me know if you have any questions or other
considerations on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.
 
Dominick Baier

The OP said -

"so that our employees (on the intranet) can use the same application with
requiring username/password."

This will not be achievable with Membership.

You need some piece of plumbing that bridges the gap between Windows and
Forms Auth. As I said, the easiest is to give the internal users a "special"
login page that does this.

This article depicts the general solution (can be optimized for ASP.NET 2.0
- but that's the general idea): http://www.15seconds.com/issue/050203.htm



---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
 
Steven Cheng[MSFT]

Hello Chris,

How are you doing on this issue? If there is still anything we can help with,
please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

