
Using both Forms and Windows Security...


Michael Jones

Jan 9, 2003, 6:24:41 AM
Hello,

I'm just wondering....

Is it possible to create a site that allows for the following schemes at the
same time?

a) an Internet user enters the site and views only the content that is
for the public....
b) an Internet user enters the site and logs onto the site (via forms)
and can now view additional content

and finally

c) an Intranet user enters the site and is automatically logged on and
can view the content he is authorized for


Any Ideas?

Regards,
Michael


Bassel Tabbara [MSFT]

Jan 10, 2003, 3:06:28 PM
Hello Michael,
Your scenario can be accomplished by configuring your web application appropriately. This can be done by using the location configuration section, which can specify which part of the application allows users access to certain parts of the application. This can be better explained using an example.

Let's say that you have the following application:

    WebApp1
     |
     |---- default.aspx
     |
     |---- page1.aspx
     |
     |---- page2.aspx

Part a) and part b) of your requirements can be accomplished using form authentication. In this sample default.aspx is accessed by all internet users, which satisfies requirement a). Page1.aspx and page2.aspx are accessed by the internet user after being authenticated by form authentication.

To achieve this scenario the following configuration must be included in the web.config:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="login.aspx">
          </forms>
        </authentication>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
      <!-- Allow all users to access default.aspx -->
      <location path="default.aspx">
        <system.web>
          <authorization>
            <allow users="*"/>
          </authorization>
        </system.web>
      </location>
    </configuration>

In your login page make sure to redirect him to the original page after custom authenticating the user by using "System.Web.Security.FormsAuthentication.RedirectFromLoginPage".

In a web application you can't mix form and windows authentication at the same time. But what you can do is to implement a scenario that requires a twist. What you can do is to have an extra button on the log on page. This button will redirect the user to a windows authenticated page. This page is configured just for windows authentication. If the user is windows authenticated, there is no username/password dialog box that will be shown. Otherwise it will require that he enters username and password. From this page, you can direct the internal user back to the login page to create the authentication cookie.

In the login page, a session variable is used to track if this is the first time the user has visited the forms authentication logon page. Like this:

    If Session("BeenHere") = "a" Then
        'If session("NTLM") = "OK" then pass them on through with no interaction
        'Otherwise, present some logon function here
    Else
        Session("BeenHere") = "a"
        'use response.redirect to the NTLM page
    End If

Also, a label will display and a button like this:

    If you get prompted for your user name,
    cancel the dialog and click here: <button>

The button will submit them back to the same page. This time the session variable will exist and we will display some form of logon screen.

If they do get to the page that requires NTLM, it will perform:

    session("NTLM") = "OK"

It will also include a response.redirect back to the logon page.


Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.



Michael Jones

Jan 14, 2003, 11:18:11 AM
Hello Bassel,

Thanks for your very comprehensive answer!

Basically it is working fine - Yet I have still got one "little" problem....

I have created a page "Admin/Logon.aspx" which is set to "Windows
Integrated" in the IIS.

All fine so far... BUT - In the Logon.aspx.cs Page_Load method the
User.Identity.Name is always empty (and the Mode is set to forms) So I can
not identify the user...

Any suggestions to this?


Regards and Thanks!

Michael



Bassel Tabbara [MSFT]

Jan 14, 2003, 12:00:35 PM
Hello Michael,
Since you configured the web application to use form authentication, the windows credentials are not passed and User.Identity.Name returns null as expected. If you are using form authentication, you will write code that will identify the user since it is more a customized authentication that you are doing.

Please let me know if you have further questions.


Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.


Michael Jones

Jan 14, 2003, 2:25:43 PM
Hello Bassel,

Thanks for the answer.... Even if I must say that I am not that happy with
it....

Is there some possibility to sidestep this? I was intending to use (existing)
ActiveDirectory content for the "local" users and that would be best
controlled using "Windows" authentication.

I personally think that enabling "Windows" authentication in the location
node would be a nice feature on behalf of ASP.NET.

    <location path="Admin/Logon.aspx">
      <system.web>
        <authentication mode="Windows">
        </authentication>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>

Don't you have any idea?

Regards,
Michael



Bassel Tabbara [MSFT]

Jan 15, 2003, 11:43:37 AM
Hello Michael,
Since authentication section can be defined beyond an application level, you can't use the location tag associated with the authentication section.
You can submit a feedback wish on the product in the following form:
http://register.microsoft.com/mswish/suggestion.asp?from=cu&fu=%2Fisapi%2Fgomscom%2Easp%3Ftarget%3D%2Fmswish%2Fthanks%2Ehtm

But for now, do you have any questions on the implementation scenario that I posted before?

Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.

David Braun

Jan 16, 2003, 5:19:22 AM
Hello Bassel and Michael,

I have been following your thread with great interest as I need to
implement just such a hybrid security policy. I am very new to ASP.NET
and I'm afraid that I have got a little lost following what the
solution is. I, like Michael, need to capture the NT username, for
logging purposes, if the user has been authenticated via Windows
Security as opposed to Forms.

I would be grateful Bassel, if you could expand a little on how to
implement your "twist" so that an Intranet user can bypass the Forms
login.

Thanks in advance.

David Braun.

Bassel Tabbara [MSFT]

Jan 17, 2003, 4:12:16 PM

Hello David,
Sure I will be glad to do so. Basically you will have a page which is configured just for windows authentication. From this page, you can direct the internal user back to the login page to create the authentication cookie.

In the login page, you use a session variable to track if this is the first time the user has visited the forms authentication logon page. This will provide that the user has been already in this page but he had been redirected to the authentication page. On the return from the windows authentication page, the session will flag if the user has visited the page.

    If Session("BeenHere") = "a" Then
        'If session("NTLM") = "OK" then pass them on through with no interaction
        'Otherwise, present some logon function here
    Else
        Session("BeenHere") = "a"
        'use response.redirect to the NTLM page
    End If

Also, a label will display and a button like this:

    If you get prompted for your user name,
    cancel the dialog and click here: <button>

The button will submit them back to the same page. This time the session variable will exist and we will display some form of logon screen.

The windows authentication page will have just as a purpose to authenticate intranet users.
I hope this makes sense. Please let me know if you have more questions.


Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.


Brad

Feb 24, 2003, 10:41:37 AM
How do you have a page in a project that has windows authentication while
the remaining are forms authentication?



Bassel Tabbara [MSFT]

Feb 25, 2003, 12:43:42 PM
Hello Brad,
I didn't mean that you have the same web application using both windows and forms authentication. This can't be accomplished.
The workaround that I described uses two web applications; one uses forms authentication and the second one uses windows authentication.
I hope this is clearer.


Thanks,
Bassel Tabbara
Microsoft, ASP.NET

This posting is provided "AS IS", with no warranties, and confers no rights.
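
One way to do the handoff in the two-application workaround, as an added C# example that is not from the thread or from ASP.NET itself: the Windows-authenticated application signs the user name and a timestamp, and the forms login page verifies them before issuing the forms cookie. It assumes the two applications do not share session state; `HandoffToken`, the token layout, the shared key and the 60-second lifetime are all hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Hypothetical helper compiled into both applications; not an ASP.NET API.
public static class HandoffToken
{
    static readonly TimeSpan MaxAge = TimeSpan.FromSeconds(60); // assumed lifetime

    // Windows-auth page: pass User.Identity.Name, URL-encode the result and
    // redirect to the forms application's login page with it as a query value.
    public static string Create(string userName, byte[] key, DateTime nowUtc)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(userName)) + "." + nowUtc.Ticks;
        return payload + "." + Sign(payload, key);
    }

    // Forms login page: only when this returns true, call
    // FormsAuthentication.RedirectFromLoginPage(userName, false).
    public static bool TryValidate(string token, byte[] key, DateTime nowUtc, out string userName)
    {
        userName = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3) return false;
        // Check the signature before trusting any other field.
        if (!SameText(Sign(parts[0] + "." + parts[1], key), parts[2])) return false;
        TimeSpan age = nowUtc - new DateTime(long.Parse(parts[1]), DateTimeKind.Utc);
        if (age < TimeSpan.Zero || age > MaxAge) return false; // future-dated or expired
        userName = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        return true;
    }
    static string Sign(string payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    static bool SameText(string a, string b) // no early exit on first mismatch
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    static void Main() // constructed key and user name, for demonstration only
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        string user, token = Create(@"EXAMPLE\alice", key, DateTime.UtcNow);
        Console.WriteLine(TryValidate(token, key, DateTime.UtcNow, out user) + " " + user);
        Console.WriteLine(TryValidate(token + "0", key, DateTime.UtcNow, out user));
    }
}
```

A token stays valid until it expires, so it should only travel over HTTPS and the lifetime should stay short.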

