Re: Complicated Fallback ASP.NET Security

From: Shawn Wheatley (swheatley22_at_yahoo.com)
Date: 01/16/04


Date: 16 Jan 2004 10:47:01 -0800

Ok, here's my latest update:

I found the following posting,
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&selm=Rnw8J81PCHA.1712%40cpmsftngxa07

which loosely explains how to do a joint NTLM/Passport authenticated
site, with a database for roles. I have been able to modify this
slightly to work for my own form authentication (actually using
<authentication="None"> though). Basically I have to manage a cookie
or session object that lets the system know the user is logged in.

I'm trying to follow the example in 5A of that posting. It has an
NTLM authenticated page which errors out to a form for logging in if
the user can't authenticate. Thus, the entire site has no .NET
managed authentication, and all but this one NTLM authenticated page
are anonymous.

Example:
            ntlm.aspx - NTLM authenticated, if not, redirect to
                        forms.aspx
           forms.aspx - form, anonymous access
           Page3.aspx - once authenticated go here
    anyotherpage.aspx - redirect to ntlm.aspx if not authenticated.

The problem is that whenever the ntlm.aspx fails authenticating, it
can't successfully redirect to the forms.aspx as the IIS properties
specify.

Any ideas?

Shawn

> "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:<eHYKy##2DHA.632@TK2MSFTNGP12.phx.gbl>...
>
> > I'm pretty sure you would need to authenticate the ADAM users via LDAP and
> > some kind of Forms authentication as they aren't Windows users and can't be
> > authenticated via the normal SSPI stuff. You could also authenticate your
> > Windows users against ADAM using its proxy authentication stuff, but then
> > you won't have WindowsPrincipals for your web users.
> >
> > From there you could get clever and do something like calling LogonUser for
> > the Windows users to build a real Windows logon token if you needed that,
> > but there isn't any way to get a token for the ADAM users, so it might be
> > best to treat them uniformly.
> >
> > Hopefully that gave you some good ideas and didn't confuse you. I haven't
> > played with ADAM much yet, so this is all based on my current understanding
> > and reading a lot of newsgroup posts about it. But I am pretty sure this
> > info is accurate.
> >
> > Joe K.
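The page layout Shawn describes (ntlm.aspx, forms.aspx, Page3.aspx and the "redirect to ntlm.aspx if not authenticated" rule), written out as an added ASP.NET 1.x example. This is not code from the original thread or from the linked posting. It assumes: IIS has anonymous access disabled and Integrated Windows authentication enabled on ntlm.aspx only, with every other page anonymous; web.config has `<authentication mode="None" />`, so ASP.NET sets no principal and the IIS logon result is read from the `LOGON_USER` server variable; the class names (`LoginTicket`, `NtlmPage`, `ProtectedPage`, `FormsPage`), the cookie name and the placeholder key are all invented for the example.

```csharp
// Added example, not from the original post. See the lead-in for assumptions.
using System;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Security.Cryptography;

// The "cookie or session object that lets the system know the user is logged
// in": a tamper-evident cookie carrying user|source|expiry plus an HMAC, so a
// client cannot forge a login by setting the cookie itself.
public class LoginTicket
{
    const string CookieName = "AppLogin";                 // assumed name
    // Placeholder key for the example; in production load a random key from a
    // protected store, never a literal in source.
    static readonly byte[] SecretKey = Encoding.UTF8.GetBytes("replace-with-a-real-random-key");

    static string Sign(string payload)
    {
        using (HMACSHA1 hmac = new HMACSHA1(SecretKey))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Called by whichever page actually authenticated the user (NTLM or form).
    public static void Issue(HttpResponse response, string user, string source)
    {
        string expires = DateTime.UtcNow.AddMinutes(30).Ticks.ToString();
        string payload = user + "|" + source + "|" + expires;
        HttpCookie c = new HttpCookie(CookieName, payload + "|" + Sign(payload));
        c.HttpOnly = true;   // HttpCookie.HttpOnly exists from .NET 2.0; drop this line on 1.1
        response.Cookies.Add(c);
    }

    // Returns the user name if the cookie is present, untampered and unexpired,
    // otherwise null. Any malformed cookie is treated as "not logged in".
    public static string Validate(HttpRequest request)
    {
        HttpCookie c = request.Cookies[CookieName];
        if (c == null) return null;
        try
        {
            string[] parts = c.Value.Split('|');
            if (parts.Length != 4) return null;
            string payload = parts[0] + "|" + parts[1] + "|" + parts[2];
            if (Sign(payload) != parts[3]) return null;                     // tampered
            if (long.Parse(parts[2]) < DateTime.UtcNow.Ticks) return null;  // expired
            return parts[0];
        }
        catch (FormatException) { return null; }
    }
}

// ntlm.aspx code-behind. IIS has already run the NTLM handshake before this
// executes; with mode="None" the result is only visible through LOGON_USER.
public class NtlmPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        string user = Request.ServerVariables["LOGON_USER"];  // "DOMAIN\name" on success
        if (user == null || user.Length == 0)
        {
            Response.Redirect("forms.aspx");  // only reached if IIS let the request through
            return;
        }
        LoginTicket.Issue(Response, user, "ntlm");
        Response.Redirect("Page3.aspx");
    }
}

// forms.aspx code-behind: issue the same ticket after checking the posted
// credentials against the application's own user store (the check is not shown).
public class FormsPage : Page
{
    protected void OnLoginVerified(string verifiedUserName)
    {
        LoginTicket.Issue(Response, verifiedUserName, "forms");
        Response.Redirect("Page3.aspx");
    }
}

// Base class for Page3.aspx, anyotherpage.aspx and every other protected page:
// no valid ticket means "go try NTLM first".
public class ProtectedPage : Page
{
    protected string CurrentUser;

    protected override void OnInit(EventArgs e)
    {
        CurrentUser = LoginTicket.Validate(Request);
        if (CurrentUser == null)
            Response.Redirect("ntlm.aspx");
        base.OnInit(e);
    }
}
```

Two caveats worth keeping in mind with this layout. First, when the browser cannot complete the NTLM handshake, IIS answers the 401 itself and ntlm.aspx never executes, so the `Response.Redirect("forms.aspx")` branch in `NtlmPage` does not fire for that case; the fallback for a failed NTLM logon has to come from the web server's own 401 handling, which is the step the post reports as not working. Second, the ticket cookie is the whole session credential, so it needs the same protection as a password: send it only over HTTPS, and keep the signing key out of source control.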
