Switching from Integrated Authentication to Anonymous

From: PMarino (PMarino_at_discussions.microsoft.com)
Date: 04/28/05 

Date: Wed, 27 Apr 2005 21:26:01 -0700

Hi all. I have a problem that I'm not sure I understand. I have a web site
framework that is designed to support Windows Authentication, Forms
Authenticatio or Mixed. When logging off from Windows Authentication, the
framework redirects to a special page that allows Anonymous Access but does
not allow Windows Authentication. This special page then redirects to the
front page of the application. This front page permits Anonymous and Windows
Auth.

While the special page is accessed Anonymously, the next (front) page uses
Windows Auth again. This doesn't make sense to me, and I'm wondering what to
do about it. To make sure it's not the framework's bug, I wrong a simple
test app consisiting of 3 ASP.Net pages, with the following security config:

Test.Aspx - Allow Anonymous AND Windows Auth. Front page of applications.

Secure.Aspx - Allow Windows Auth, do NOT allow Anonymous. Page used to grab
user's Windows auth.

NotSecure.Aspx. - Allow Anonymous, do NOT allow Windows Auth. Page used to
'log out'.

In this test scenario, Test.Aspx redirects to Secure.Aspx, and then back to
Test.Aspx. When I click 'Logout', I am redirected to NotSecure.Aspx, and
then back to Test.Aspx.

Any idea of why this happens, and how I can work around it?

Thanks in advance.

Here's a sample of the IIS Log file:

04:15:45 - GET /TestSecurity/Test.aspx - 302 -
04:15:45 - GET /TestSecurity/Secure.aspx - 401
04:15:45 Domain\UserName GET /TestSecurity/Secure.aspx - 302
04:15:45 Domain\UserName GET /TestSecurity/Test.aspx Stage=Logon 200
04:15:49 Domain\UserName POST /TestSecurity/Test.aspx Stage=Logon 302
04:15:49 - GET /TestSecurity/NotSecure.aspx - 302 04:15:49 Domain\UserName
GET /TestSecurity/Test.aspx Stage=Logoff 200

Relevant Pages

  • Re: General questions about LDAP, GC and access permissions
    ... Windows Communication Foundation) they are authenticated with the regular ... this is done by examing what groups the user is a member of. ... Since the regular windows authentication is used, ... trusted domain in an external forest. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Help please to authenticate Windows users
    ... status error code as well as Win32 error code -- I know the HTTP status code ... Windows Authentication automatically works if the machines are joined to the ... Is VS.Net on the same machine as IIS ...
    (microsoft.public.inetserver.iis.security)
  • Re: Intermittent access to web site secured with Windows authentication
    ... Marcus ... > Windows Authentication is connection-based and not delegatable. ... > various elements of Internet networking that can prevent Windows ... > likely work in your access scenario. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Intermittent access to web site secured with Windows authentication
    ... Windows Authentication is connection-based and not delegatable. ... When you try to access it from home (i.e. Internet scenario), ... in after multiple login prompts. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Custom authentication in a web application
    ... On the server we create our own principal object ... > Any reason for using Windows Authentication here rather than any of the ... >>two overloads of IsInRole to use our own security check. ...
    (microsoft.public.dotnet.framework.webservices)