Re: Seriously: Allowing anonymous and authenticated and anonymous access (somehow related to ASP.NET)
From: x y (jamescagney90210@excite.com)
Date: 07/17/02
- Next message: Mark A. Richman: "Windows Authentication without popup box"
- Previous message: PA: "Forms authentication and Page_Load"
- In reply to: Christian Weyer: "Seriously: Allowing anonymous and authenticated and anonymous access (somehow related to ASP.NET)"
- Next in thread: Egbert Nierop \(MVP for IIS\): "Re: Seriously: Allowing anonymous and authenticated and anonymous access (somehow related to ASP.NET)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "x y" <jamescagney90210@excite.com> Date: Wed, 17 Jul 2002 08:47:18 -0400
"Christian Weyer" <cw@_nospam-xmlwebservices.cc> wrote in message
news:3D33EC06.5030902@_nospam-xmlwebservices.cc...
> Hi experts,
Who, me?? I think maybe you have the wrong person.
> my application (portal-like) allows access to all (anonymous) users by
> default. But then there are some pages that require explicit
authentication.
> It must be possible to use Windows Integrated Authentication in IIS to
> enable Intranet users a seamless workflow (without having to login to
> the Web app through a seperate page). When the user is not an Intranet
> user then I have to 'redirect' him to a login page (ASP.NET forms
> based-like). Everything on a single code base, no seperate Web or things
> like that.
> One problem I see is that when both Anonymous and Windows Integrated are
> enabled in IIS, then _always_ Anonymous i used!? Ah, of course I am
> using 'Windows' in web.config's authentication section :-)
> I also played around with the 'send a 401 back'. This works, then I get
> NTLM authentication forced. But I then need a step to determine that it
> is _not_ a Windows user and redirect him to the login page (therefore
> anonymous -> authenticated -> anonymous).
Interesting idea. If you know the IP addresses of the windows users you
could write an .ASP script to get the IP address and redirect non-Windows
users based on IP address. Additionally, you could use different FQDN
server names with host headers or different port numbers to separate the
windows users from the non-windows users.
I guess you could write a custom 401.2.htm page so that after a person has
tried to access a windows-only web page and entered their login ID
unsuccessfully 3 times, the page either assumes the person with the failed
login ID is not a windows user or uses .ASP script to check the login ID
being used by the person. This might not be so desirable because if the
person is a windows user that has forgotten their password, they will get
redirected to the internet and may not realize that there's a problem... and
if the person clicks cancel because they are an internet user and think they
are trying to go somewhere forbidden, then they never get redirected to the
internet page.
Unless you choose to use one of the methods in the first paragraph [user ID
type determined by IP address or by the FQDN used in the URL] or one of the
methods you've rejected such as a custom login web page, I can't think of a
way to test whether the user is Windows or not without making them go
through the 3 login ID and password challenge screens. Until they do that,
they're still using the anonymous login ID as far as IIS is concerned.
- Next message: Mark A. Richman: "Windows Authentication without popup box"
- Previous message: PA: "Forms authentication and Page_Load"
- In reply to: Christian Weyer: "Seriously: Allowing anonymous and authenticated and anonymous access (somehow related to ASP.NET)"
- Next in thread: Egbert Nierop \(MVP for IIS\): "Re: Seriously: Allowing anonymous and authenticated and anonymous access (somehow related to ASP.NET)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
