Forms and Windows Authentication

From: Kyle Heon (kheon_at_comcast.net)
Date: 04/29/04


Date: 28 Apr 2004 16:22:51 -0700

Hello!

I have a project that I'm working on and have some thoughts on how to
secure it but was hoping to get suggestions on the feasibility of my
approach.

The situation is this: I'm building a "client extranet" for my
company (in ASP.NET of course). The extranet files will all be
securable via Forms Authentication, which I already have in place,
thus forcing everyone to log in before gaining access to any of the
secured content. I plan to use groups to protect the individual
client folders as well.

The issue I am running into right now is that there will be entire
site builds that may not be ASP.NET in nature (could be ASP or
ColdFusion, or even just plain HTML). Forms Authentication won't work on
files not handled by the aspnet_wp filter and I can't imagine that
mapping .asp and .cfm files to it will work.

It is not an option to have true Windows authentication (we have a few
hundred clients; it is just not an option to create Windows accounts
for all of our clients). So, this is what I'm thinking might work
(just not quite sure on how to implement it).

I create one Windows account that is used for all logged-in users,
protecting all folders inside a specific directory. This *should*
recognize that a user hasn't authenticated even if the page isn't an
.aspx. The login authentication however would be handled via Forms
Authentication, with the user privileges (groups, roles, etc.) loaded
during the login and carried throughout.

So, is this possible? Am I completely off my rocker? Did I miss
something major or is there another way that I'm just not seeing? Any
help is appreciated.

Thanks in advance!

-K