«

Hello!

I have a project that I'm working on and have some thoughts on how to
secure it but was hoping to get suggestions on the feasibility of my
approach.

The situation is this: I'm building a "client extranet" for my
company (in ASP.NET of course). The extranet files will all be
securable via Forms Authentication, which I already have in place,
thus forcing everyone to login before gaining access to any of the
secured content. I plan to use groups to protect the individual
client folders as well.

The issue I am running into right now is that there will be entire
site builds that may not be ASP.NET in nature (could be ASP or Cold
Fusion, or even just plain html). Forms Authentication won't work on
files not handled by the aspnet_wp filter and I can't imagine that
mapping .asp and .cfm files to it will work.

It is not an option to have true Windows authentication (we have a few
hundred clients, it is just not an option to create Windows accounts
for all of our clients. So, this is what I'm thinking might work
(just not quite sure on how to implement it).

I create one Windows account that is used for all logged in users,
protecting all folders inside a specific directory. This *should*
recognize that a user hasn't authenticated even if the page isn't an
..aspx. The login authentication however would be handled via Forms
Authentication, with the user privileges (groups, roles, etc.) loaded
during the login and carried throughout.

So, is this possible? Am I completely off my rocker? Did I miss
something major or is there another way that I'm just not seeing? Any
help is appreciated.

Thanks in advance!

-K