dynamic client authentication
- From: Karsten <Karsten@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 8 Jan 2009 01:51:01 -0800
A Happy New Year to all!
I built a corporate intranet site (ASP.NET, IIS 6.0, W2K3) that (until now)
was only used by domain users. The authentication mode was set to Integrated
Windows authentication, so clients could be easily identified
(Page.User.Identity / System.Security.Principal.WindowsIdentity ...).
Authentication btw is not the problem, but identification is, because every
user has its own personal profile stored in a database.
Now additional corporate users who do not have a domain account want to use
the site. This new class of users cannot be identified by their IP
addresses and the administration of individual server-local user accounts is
not wanted.
So I have to turn on "Anonymous" access. The problem is, if anonymous is
turned on, no NTLM handshake is done and therefore no "identity" is acquired
from the client - even if IWA is also checked.
How can it be achieved, that all existing and future domain users can use
the site as usual and only non-domain users must identify themselves at a
custom page (without dismissing the browsers logon window and via a replaced
401 page because it is confusing)?
Clearly spoken, I want IIS to do IWA and if that fails, it should accept the
client as anonymous user instead of returning the 401 error that leads to the
browser logon process on the client.
Is there an "administrative" solution or do I have to write an ISAPI filter?
Is there any such ISAPI sample out there?
Thanks in advance!