Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > .NET HttpModule & NTLM Integrated Authentication

Reply
Thread Tools

.NET HttpModule & NTLM Integrated Authentication

 
 
Rob Mayo
Guest
Posts: n/a
 
      01-23-2004
What I'm trying to do is Create an ASP.Net app that has both
Windows-authenticated users and Anonymous users. The idea is this:

When authenticated users attempt to access the site, their credentials are
passed to the Request, and I use the DOMAIN\USER value via the AUTH_USER
server variable to access their accounts. These people would never have to
log in to the app, only their machines on the network.

When anonymous users attempt to access the site, they are redirected to a
login page, rather than getting the Challenge dialog. Their login is
verified against a database and I alter the Current User with a
GenericPrincipal object.


I tried enabling 'Allow Anonymous Access' in IIS and producing the challenge
myself with a custom HttpModule, but was unable to make the challenge
myself.

Then I tried DISabling anonymous access and IIS provided the challenge and
the 401 response before it even got to my custom HttpModule.


Is there ANY way to acheive what I'm trying to do? Is there some way I can
intercept a request before IIS issues a challenge and issue the challenge
myself?


 
Reply With Quote
 
 
 
 
Hernan de Lahitte
Guest
Posts: n/a
 
      01-26-2004
Rob,

This case may by a bit tricky.
One of the security design considerations to take into account, should be to
rely as much as possible on the operating system security subsystem and
avoid whenever possible, creating your own custom solution. With this
premise in mind, you may try to set first the IIS authentication mode
(remember that ASP.NET is running over IIS, so the first security checkpoint
will be executed by IIS).
If you check Anonymous and NTLM/Kerberos as you auth methods, IIS will
first try to authenticate as Anonymous so you will always get the anonymous
access account. Remember that for IIS, there is no such an "Anonymous user",
so IIS will try to authenticate or not (if checked Anonymous) and it will
always run the ASP.NET worker process under some Windows account.
Based on this, your auth methods are incompatible for the same application
basically because you are using two different auth methods (Windows/AD and
Forms/Custom Resource) that where designed for different purposes.


--
Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com



"Rob Mayo" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> What I'm trying to do is Create an ASP.Net app that has both
> Windows-authenticated users and Anonymous users. The idea is this:
>
> When authenticated users attempt to access the site, their credentials are
> passed to the Request, and I use the DOMAIN\USER value via the AUTH_USER
> server variable to access their accounts. These people would never have to
> log in to the app, only their machines on the network.
>
> When anonymous users attempt to access the site, they are redirected to a
> login page, rather than getting the Challenge dialog. Their login is
> verified against a database and I alter the Current User with a
> GenericPrincipal object.
>
>
> I tried enabling 'Allow Anonymous Access' in IIS and producing the

challenge
> myself with a custom HttpModule, but was unable to make the challenge
> myself.
>
> Then I tried DISabling anonymous access and IIS provided the challenge and
> the 401 response before it even got to my custom HttpModule.
>
>
> Is there ANY way to acheive what I'm trying to do? Is there some way I can
> intercept a request before IIS issues a challenge and issue the challenge
> myself?
>
>



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ANN: python-ntlm - provides NTLM support, including an authenticationhandler for urllib2 Matthijs Python 0 12-10-2008 03:38 PM
Java - Integrated Windows Authentication - NTLM Authentication Forwarding Will Java 5 12-03-2005 01:00 AM
SQL integrated authentication when using forms authentication Brett Smith ASP .Net 2 10-26-2004 02:15 PM
.NET HttpModule & NTLM Integrated Authentication Rob Mayo ASP .Net 2 01-26-2004 08:22 PM
Basic Authentication v. Integrated Windows Authentication w/ Delegation Mark ASP .Net 0 01-20-2004 03:13 PM



Advertisments