Re: .NET HttpModule & NTLM Integrated Authentication

From: Hernan de Lahitte (hernan_at_lagash.com)
Date: 01/26/04


Date: Mon, 26 Jan 2004 17:22:47 -0300

Rob,

This case may be a bit tricky.
One of the security design considerations to take into account, should be to
rely as much as possible on the operating system security subsystem and
avoid whenever possible, creating your own custom solution. With this
premise in mind, you may try to set first the IIS authentication mode
(remember that ASP.NET is running over IIS, so the first security checkpoint
will be executed by IIS).
If you check Anonymous and NTLM/Kerberos as your auth methods, IIS will
first try to authenticate as Anonymous, so you will always get the anonymous
access account. Remember that for IIS there is no such thing as an "Anonymous
user", so IIS will try to authenticate or not (if Anonymous is checked) and it
will always run the ASP.NET worker process under some Windows account.
Based on this, your auth methods are incompatible for the same application,
basically because you are using two different auth methods (Windows/AD and
Forms/Custom Resource) that were designed for different purposes.

-- 
Hernan de Lahitte
Lagash Systems S.A.
http://www.lagash.com
"Rob Mayo" <NOSPAM@NOSPAM.COM> wrote in message
news:uDHMgrg4DHA.1816@TK2MSFTNGP12.phx.gbl...
> What I'm trying to do is Create an ASP.Net app that has both
> Windows-authenticated users and Anonymous users. The idea is this:
>
> When authenticated users attempt to access the site, their credentials are
> passed to the Request, and I use the DOMAIN\USER value via the AUTH_USER
> server variable to access their accounts. These people would never have to
> log in to the app, only their machines on the network.
>
> When anonymous users attempt to access the site, they are redirected to a
> login page, rather than getting the Challenge dialog. Their login is
> verified against a database and I alter the Current User with a
> GenericPrincipal object.
>
>
> I tried enabling 'Allow Anonymous Access' in IIS and producing the
> challenge myself with a custom HttpModule, but was unable to make the
> challenge myself.
>
> Then I tried DISabling anonymous access and IIS provided the challenge and
> the 401 response before it even got to my custom HttpModule.
>
>
> Is there ANY way to achieve what I'm trying to do? Is there some way I can
> intercept a request before IIS issues a challenge and issue the challenge
> myself?
>
>
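Added example, not code from either poster in the thread: it follows Hernan's advice to let IIS, not a custom HttpModule, perform the challenge, and still serves both kinds of user. The application root stays under Forms authentication with IIS Anonymous access on; one subfolder (the name "WinAuth" is an assumption) has Anonymous off and Integrated Windows authentication on in the IIS MMC, so IIS challenges only there, and the page inside turns the resulting DOMAIN\user logon into the same Forms ticket the database login issues. The control names, the "guest" sample account and the role names are constructed for the example.

```csharp
// Assumed root web.config for this example:
//   <authentication mode="Forms">
//     <forms name=".MIXEDAUTH" loginUrl="Login.aspx" protection="All" timeout="30" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>
//   <location path="WinAuth">
//     <system.web><authorization><allow users="*" /></authorization></system.web>
//   </location>
// IIS MMC: root = Anonymous ON; WinAuth folder = Anonymous OFF, Integrated ON.
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace MixedAuth
{
    // WinAuth/WinLogin.aspx.cs: reached only after IIS has authenticated the browser.
    public class WinLogin : Page
    {
        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);
            // IIS fills LOGON_USER with DOMAIN\user once its challenge succeeded.
            string logonUser = Request.ServerVariables["LOGON_USER"];
            if (logonUser == null || logonUser.Length == 0)
            {
                // Only possible if Anonymous access was left on for this folder
                // (IIS then prefers the anonymous account): refuse rather than
                // issue a ticket for an empty name.
                Response.StatusCode = 401;
                Response.End();
                return;
            }
            // Same ticket type the database login issues, so the rest of the
            // site deals with a single authentication scheme.
            FormsAuthentication.RedirectFromLoginPage(logonUser, false);
        }
    }

    // Login.aspx.cs: form for users without a domain account. The markup is
    // assumed to declare the UserName, Password, LoginButton and Message controls.
    public class Login : Page
    {
        protected TextBox UserName;
        protected TextBox Password;
        protected Button LoginButton;
        protected Label Message;

        // Constructed sample store (user -> password hash) standing in for the
        // database; a real store should use salted hashes.
        private static readonly Hashtable Users = BuildSampleUsers();

        private static Hashtable BuildSampleUsers()
        {
            Hashtable t = new Hashtable();
            t["guest"] = FormsAuthentication.HashPasswordForStoringInConfigFile("guest-pw", "SHA1");
            return t;
        }

        protected override void OnInit(EventArgs e)
        {
            LoginButton.Click += new EventHandler(LoginButton_Click);
            base.OnInit(e);
        }

        private void LoginButton_Click(object sender, EventArgs e)
        {
            string name = UserName.Text;
            // A database user must never be able to register a name that looks
            // like DOMAIN\user, or it would inherit the domain users' rights below.
            if (name.IndexOf('\\') >= 0)
            {
                Message.Text = "Invalid user name.";
                return;
            }
            string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(Password.Text, "SHA1");
            if (Users[name] != null && (string)Users[name] == hash)
                FormsAuthentication.RedirectFromLoginPage(name, false);
            else
                Message.Text = "Login failed.";
        }
    }

    // Global.asax.cs: runs after FormsAuthenticationModule has read the cookie,
    // so both kinds of user arrive with a FormsIdentity. Replace the principal
    // with a GenericPrincipal carrying roles so pages can call User.IsInRole().
    public class Global : HttpApplication
    {
        protected void Application_AuthenticateRequest(object sender, EventArgs e)
        {
            IPrincipal user = Context.User;
            if (user == null || !(user.Identity is FormsIdentity)) return;

            string[] roles = user.Identity.Name.IndexOf('\\') >= 0
                ? new string[] { "DomainUser" }
                : new string[] { "DatabaseUser" };
            Context.User = new GenericPrincipal(user.Identity, roles);
        }
    }
}
```

Login.aspx can offer a link to WinAuth/WinLogin.aspx?ReturnUrl=... for people on the domain; the NTLM/Kerberos dialog appears only for that folder, and only if the browser cannot answer the challenge silently. If both Anonymous and Integrated are left checked on the WinAuth folder, LOGON_USER comes back empty, which is exactly the behaviour Hernan describes, and the 401 branch above is what you will see.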

