Re: User has to login twice. Why??
From: Bob Grommes (bob_at_bobgrommes.com)
Date: 08/11/03
- Previous message: Shel Blauman [MSFT]: "Re: feature or bug?"
- In reply to: Redeye: "Re: User has to login twice. Why??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 11 Aug 2003 13:44:46 -0700
Redeye,

It's not clear to me from your original posting what exactly you're trying
to accomplish.

The design of ASP.NET security doesn't seem to contemplate the fairly common
scenario where you want to transparently authenticate and authorize Windows
users while allowing external users to be authenticated with Forms
authentication or something like it.

If that is what you are after, it is possible to achieve this I think. At
least, I've got a partial proof-of-concept worked out that seems to function
correctly and I've not hit any brick walls (yet). The secret (for my
purposes anyway) is to use standard Windows authentication and if that
fails, redirect the user to a login form that implements a Forms
Authentication-like login (without relying on any of the Forms
authentication scaffolding, since Forms authentication is not actually
enabled), and issues a cookie that carries a GUID that can be looked up in
SQL Server for user info. One then must tie into the Windows_OnAuthenticate
event in Global.asax and substitute a custom IPrincipal implementation to
convince the system that Windows authentication succeeded. This
implementation simply wraps the WindowsPrincipal if the user is
Windows-authenticated, or a GenericPrincipal if not. It determines that an
"external" authentication scheme was used if it sees that the user ID cookie
exists.

As a nice side benefit, user preferences and other user info such as custom
permission schemes can come along for the ride within the IPrincipal
instance.

--Bob

"Redeye" <redeye_51@hotmail.com> wrote in message
news:ORae%23tCYDHA.736@TK2MSFTNGP09.phx.gbl...
> I have tried that and the system hangs. I have tried all combinations of
> security settings. The only solution I have found is set the authentication
> type in the web.config file to Windows and do away with the login form. The
> powers that be do not like this solution which is why I am hoping to find
> some enlightenment out here.
>
> Thanks
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:%23$fiSg2XDHA.2572@TK2MSFTNGP09.phx.gbl...
> > That is the expected result when you use both Windows authentication
> > (Integrated auth. is checked) and Forms authentication. If you don't want
> > the Windows authentication, disable IIS/Windows authentication completely
> > by allowing anonymous and unchecking all Windows auth settings.
> >
> > Joe K.
> >
> > "Redeye" <redeye_51@hotmail.com> wrote in message
> > news:e2MnNTSXDHA.2476@tk2msftngp13.phx.gbl...
> > > Hello,
> > >
> > > I am using windows forms authentication in my asp.net web application
> > > so that it uses ADSI to validate users.
> > >
> > > The application is in a virtual directory on my local system,
> > > (http://Localhost/MyApp), and it makes the call to a domain server on
> > > our network. Everything works great. When the application is on the
> > > deployment server the user is required to login via the windows login
> > > (Pop-up) and then once again via the login form.
> > >
> > > The test environment:
> > > ------------------------------------------------------
> > > IIS Authentication Methods: (Local Machine)
> > > Anonymous access (unchecked)
> > > --
> > > Basic authentication(checked)
> > > Digest authentication(grayed out)
> > > Integrated Windows authentication(checked)
> > > ------------------------------------------------------
> > >
> > > The deployment environment:
> > > The application is in the root directory, (http://MyApp.com), and it
> > > makes the call to a domain server on the network.
> > > ------------------------------------------------------
> > > IIS Authentication Methods: (Deployment Server)
> > > Anonymous access (unchecked)
> > > --
> > > Basic authentication(checked)
> > > Digest authentication(checked) I have also tried it unchecked.
> > > Integrated Windows authentication(checked)
> > > ------------------------------------------------------
> > >
> > > What security settings need to be changed?
> > >
> > > Here is the web.config file settings.
> > > <identity impersonate="true"/>
> > >
> > > <authentication mode="Forms">
> > > <forms loginUrl="logon.aspx" name="MyDomain" timeout="10" path="/">
> > > </forms>
> > > </authentication>
> > >
> > > <authorization>
> > > <deny users="?" />
> > > <allow users="*" />
> > > </authorization>
> > >
> > > Thanks,
> > > Bryan
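
The fallback Bob describes at the top of this message, sketched as an added example (not Bob's code): a wrapper principal plus the decision the authentication event handler in Global.asax would make. `PortalPrincipal`, `SessionRow` and `PrincipalResolver` are hypothetical names, and an in-memory dictionary stands in for the SQL Server lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Wraps whichever principal authenticated the request (hypothetical name).
public sealed class PortalPrincipal : IPrincipal
{
    private readonly IPrincipal inner;
    public bool IsExternal { get; }
    public PortalPrincipal(IPrincipal inner, bool isExternal) { this.inner = inner; IsExternal = isExternal; }
    public IIdentity Identity => inner.Identity;
    public bool IsInRole(string role) => inner.IsInRole(role);
}

// Stand-in for the SQL Server row that the cookie's GUID points to.
public sealed class SessionRow
{
    public string UserName = "";
    public string[] Roles = new string[0];
    public DateTime ExpiresUtc;
}

public static class PrincipalResolver
{
    // Returns null when neither scheme authenticates; the caller then redirects to the login form.
    public static IPrincipal Resolve(IPrincipal windowsUser, string cookieValue,
        IDictionary<Guid, SessionRow> sessions, DateTime nowUtc)
    {
        if (windowsUser != null && windowsUser.Identity.IsAuthenticated)
            return new PortalPrincipal(windowsUser, false);
        // The cookie merely existing proves nothing: it must parse and match a live row.
        if (Guid.TryParse(cookieValue, out Guid token)
            && sessions.TryGetValue(token, out SessionRow row)
            && row.ExpiresUtc > nowUtc)
        {
            var identity = new GenericIdentity(row.UserName, "ExternalLogin");
            return new PortalPrincipal(new GenericPrincipal(identity, row.Roles), true);
        }
        return null;
    }

    public static void Main()
    {
        var token = Guid.NewGuid();   // constructed sample session, not real data
        var row = new SessionRow { UserName = "partner1", Roles = new[] { "External" },
                                   ExpiresUtc = DateTime.UtcNow.AddMinutes(10) };
        var store = new Dictionary<Guid, SessionRow> { [token] = row };
        Console.WriteLine(Resolve(null, token.ToString(), store, DateTime.UtcNow) != null);          // known GUID
        Console.WriteLine(Resolve(null, Guid.NewGuid().ToString(), store, DateTime.UtcNow) != null); // unknown GUID
    }
}
```

The GUID in the cookie is a bearer credential, so the server-side row lookup and expiry check are what authenticate an external user, and the row should be deleted on logout.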