Mixed Mode (Forms & Windows) Authentication

 
 
crpietschmann
      09-05-2006
I have an ASP.NET application that is used remotely (over the internet) by
our clients that uses Forms authentication and the usernames/passwords are
stored in the database. I need to integrate Windows authentication with the
existing Forms authentication so that our employees (on the intranet) can use
the same application with requiring username/password.

I've seen a suggestion of having two separate copies of the app hosted, one
accessed locally with Windows authentication and the other remotely with
Forms authentication. But, I would rather have one server/site do both.

There must be a way to do this, and I don't know why this support wasn't
built into ASP.NET 2.0 out of the box. Does anyone have any
suggestions/examples of doing Mixed Mode Authentication in ASP.NET 2.0??
 
Dominick Baier
      09-05-2006
There are basically two models -

#1 one is to have a separate "start page" for Windows users - this page will
convert the Windows credentials (and groups) to a FormsAuth ticket and redirect
to your main app. All security will be forms based then.

#2 A second approach involves injecting code into the pipeline (and reordering
some of the modules) to enable this scenario.

For existing applications #1 is often easier.

I describe both approaches here [0]. #2 is too much code and plumbing to
post here.

If #1 is feasible for you I can walk you through the steps.


[0] http://www.microsoft.com/mspress/books/9989.asp

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

crpietschmann
      09-05-2006
Since your book isn't out yet, could you send me some code or point me to an
article on this?

Thanks!


Dominick Baier
      09-05-2006
how about this?

http://www.google.com/search?hl=en&l...et&btnG=Search



---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

Steven Cheng[MSFT]
      09-06-2006
Thanks for Dominick's good suggestion.

Hello Crpietschmann,

For your scenario, the difficulty here is that Windows authentication uses a
completely different authentication mechanism from forms authentication.
Forms authentication is done purely through the clear-text username/password
the user puts in the form, and then our application validates the credentials
against our custom database. Windows authentication normally relies on the
underlying authentication mechanism of the client browser (IE) and the web
server (IIS), which is not controllable by us. Also, currently a single
ASP.NET application can only be configured to use a single authentication mode.

Are you developing the web application on ASP.NET 2.0? If so, as you
mentioned that your application is over the internet and will be accessed by
both internet users and local intranet users (who have Windows login
credentials), I think you can consider the following approach:

1. Use Forms authentication for your web application.

2. Since ASP.NET 2.0 uses a provider-based model for the membership service,
you can configure two membership providers for your web application. One is
the SQL Server membership provider, the other is the
ActiveDirectoryMembershipProvider.

3. On your application's login form, you can put an option to let the user
choose whether he will log in as an internet user or an intranet user. If an
internet user, you programmatically use the SqlMembership provider to
authenticate him; otherwise, use the ActiveDirectoryMembershipProvider to
authenticate the user (against AD).

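e.g.
===================
bool valid = false;

// rbInternetUser is a hypothetical radio button holding the login-type
// option described in step 3; the provider names must match web.config.
if (rbInternetUser.Checked)
{
    // Internet users: validate against the SQL membership store
    valid = Membership.Providers["sqlprovider"].ValidateUser(
        txtUsername.Text, txtPassword.Text);
}
else
{
    // Intranet users: validate against Active Directory
    valid = Membership.Providers["adprovider"].ValidateUser(
        txtUsername.Text, txtPassword.Text);
}

if (valid)
{
    // Issue a non-persistent forms authentication cookie and redirect
    FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, false);
}

===================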

In this case, you need to do the authentication and the forms authentication
redirect/signout in code rather than directly utilizing the login controls.

Also, since the username/password is passed as clear text on the forms
authentication form page, you should consider using https/ssl for the
authentication pages.

Do you think this is a possible approach for your scenario?

Please feel free to let me know if you have any questions or other
considerations on this.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.


 
Dominick Baier
      09-06-2006
The OP said -

"so that our employees (on the intranet) can use the same application with
requiring username/password."

This will not be achievable with Membership.

You need some piece of plumbing that bridges the gap between Windows and
Forms Auth. As I said, the easiest is to give the internal users a "special"
login page that does this.

This article depicts the general solution (can be optimized for ASP.NET 2.0
- but that's the general idea): http://www.15seconds.com/issue/050203.htm



---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com
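
The "special" login page described in this thread (approach #1), as an added example that is not part of the original posts and is not taken from the linked article or book. It assumes a code-behind page named WinLogin.aspx that URL authorization leaves reachable before forms login, an IIS setup where only that page uses Integrated Windows Authentication, and placeholder group and role names.

```csharp
// WinLogin.aspx.cs: added example, not code from this thread.
// Assumed setup: web.config has <authentication mode="Forms">, and in IIS only
// this page has Integrated Windows Authentication on and anonymous access off.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public partial class WinLogin : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // LOGON_USER is empty when IIS served the request anonymously.
        // Fail closed: never issue a ticket without a Windows logon.
        string logonUser = Request.ServerVariables["LOGON_USER"];
        if (String.IsNullOrEmpty(logonUser))
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // Map Windows groups to application roles on the server.
        // "CONTOSO\\AppUsers" and "Employee" are placeholder names.
        WindowsPrincipal principal = new WindowsPrincipal(Request.LogonUserIdentity);
        string roles = principal.IsInRole("CONTOSO\\AppUsers") ? "Employee" : "";

        // Roles travel in userData; with <forms protection="All"> (the default)
        // the ticket is encrypted and integrity-checked.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, logonUser, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, roles, FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);

        // Redirect to the configured default page, not a caller-supplied URL.
        Response.Redirect(FormsAuthentication.DefaultUrl);
    }
}
```

The main application would read the roles back from the ticket's userData (for example in Application_AuthenticateRequest), so all authorization after this page stays forms based.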

Steven Cheng[MSFT]
      09-08-2006
Hello Chris,

How are you doing on this issue? If there is still anything we can help,
please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.

 