I'm just wondering....
Is it possible to create a site that allows for the following schemes at the same time?
a) an Internet user enters the site and views only the content that is for the public....
b) an Internet user enters the site and logs onto the site (via forms) and can now view additional content
and finally
c) an Intranet user enters the site and is automatically logged on and can view the content he is authorized for
Any ideas?
Regards,
Michael
Let's say that you have the following application:

    WebApp1
    |
    ------ default.aspx
    |
    ------ page1.aspx
    |
    ------ page2.aspx
Part a) and part b) of your requirements can be accomplished using forms authentication. In this sample default.aspx is accessed by all internet users, which satisfies requirement a). Page1.aspx and page2.aspx are accessed by the internet user after being authenticated by forms authentication.
To achieve this scenario the following configuration must be included in the web.config:
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="login.aspx">
          </forms>
        </authentication>
        <!-- "?" means anonymous users: everything not listed below requires a forms login -->
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
      <!-- Allow all users to access default.aspx -->
      <location path="default.aspx">
        <system.web>
          <authorization>
            <allow users="*"/>
          </authorization>
        </system.web>
      </location>
    </configuration>
In your login page make sure to redirect him to the original page after custom authenticating the user, by using "System.Web.Security.FormsAuthentication.RedirectFromLoginPage".
In a web application you can't mix forms and windows authentication at the same time. But what you can do is to implement a scenario that requires a twist. What you can do is to have an extra button on the log on page. This button will redirect the user to a windows authenticated page. This page is configured just for windows authentication. If the user is windows authenticated, there is no username/password dialog box that will be shown. Otherwise it will require that he enters username and password. From this page, you can direct the internal user back to the login page to create the authentication cookie.
In the login page, a session variable is used to track if this is the first time the user has visited the forms authentication logon page. Like this:

    If Session("BeenHere") = "a" Then
        If Session("NTLM") = "OK" Then
            ' Already authenticated by the Windows page: pass them on through
            ' with no interaction (create the forms authentication cookie here)
        Else
            ' Otherwise, present some logon function here
        End If
    Else
        Session("BeenHere") = "a"
        ' First visit: use Response.Redirect to the NTLM page
        ' (the page name below is a placeholder for your Windows-only page)
        Response.Redirect("NtlmPage.aspx")
    End If
Also, a label and a button will be displayed, like this:

    If you get prompted for your user name, cancel the dialog and click here: <button>

The button will submit them back to the same page. This time the session variable will exist and we will display some form of logon screen.
If they do get to the page that requires NTLM, it will perform:

    Session("NTLM") = "OK"

It will also include a Response.Redirect back to the logon page.
Thanks,
Bassel Tabbara
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
| From: "Michael Jones" <Michael.Jones\remov...@binadyne.de>
| Subject: Using both Forms and Windows Security...
| Date: Thu, 9 Jan 2003 12:24:41 +0100
| Message-ID: <#oRTsG9tCHA.2040@TK2MSFTNGP11>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
Thanks for your very comprehensive answer!
Basically it is working fine - yet I have still got one "little" problem....
I have created a page "Admin/Logon.aspx" which is set to "Windows Integrated" in IIS.
All fine so far... BUT - in the Logon.aspx.cs Page_Load method the User.Identity.Name is always empty (and the Mode is set to Forms), so I cannot identify the user...
Any suggestions to this?
Regards and thanks!
Michael
"Bassel Tabbara [MSFT]" <bas...@online.microsoft.com> wrote in message
news:8q4O3OOuCHA.2704@cpmsftngxa09...
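As an added example (not code from Bassel's or Michael's posts), here is how the two pages of the scheme above can fit together in C# code-behind, including where the Windows page picks up the NT account name that User.Identity.Name does not carry while the application runs with mode="Forms". It assumes the forms login page is login.aspx at the application root (the loginUrl in the web.config above), that Admin/Logon.aspx has anonymous access disabled in IIS so only Integrated Windows authentication reaches it, and that the account name is read from IIS's standard LOGON_USER server variable; the class names and the NTUser session key are made up here, while BeenHere and NTLM are the flags from the thread.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
// Admin/Logon.aspx code-behind. Assumption: IIS allows only Integrated
// Windows authentication here (anonymous off), so IIS has already
// challenged and authenticated whoever reaches this page.
public class WindowsLogon : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Under <authentication mode="Forms"> User.Identity.Name is empty
        // here; IIS still reports the account it authenticated in the
        // LOGON_USER server variable (DOMAIN\user), so that is recorded.
        string ntUser = Request.ServerVariables["LOGON_USER"];
        if (ntUser == null || ntUser.Length == 0)
        {
            Response.Redirect("../login.aspx");   // not authenticated: no flag
            return;
        }
        Session["NTLM"] = "OK";       // flag checked by login.aspx
        Session["NTUser"] = ntUser;   // kept for logging and the forms ticket
        Response.Redirect("../login.aspx");
    }
}
// login.aspx code-behind: the forms-authentication login page (loginUrl).
public class FormsLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;       // the "click here" button posts back
        if (Session["BeenHere"] == null)
        {
            Session["BeenHere"] = "a"; // first visit: try Windows auth first
            Response.Redirect("Admin/Logon.aspx");
            return;
        }
        if ((string)Session["NTLM"] == "OK")
        {
            string ntUser = (string)Session["NTUser"];
            Session.Remove("NTLM");   // one-shot flag
            // Issue the forms ticket as the NT user and return to the ReturnUrl page.
            FormsAuthentication.RedirectFromLoginPage(ntUser, false);
            return;
        }
        // Second visit with no Windows identity: show the user name/password
        // form; after validating it, call RedirectFromLoginPage there too.
    }
}
```

Because the NTLM flag is only ever set after IIS has authenticated the request, a visitor who cancels the credentials dialog comes back to login.aspx with BeenHere set and no flag, and simply sees the forms login.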
Please let me know if you have further questions.
Thanks,
Bassel Tabbara
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
| From: "Michael Jones" <Michael.Jones\remov...@binadyne.de>
| References: <#oRTsG9tCHA.2040@TK2MSFTNGP11>
<8q4O3OOuCHA.2704@cpmsftngxa09>
| Subject: Re: Using both Forms and Windows Security...
| Date: Tue, 14 Jan 2003 17:18:11 +0100
| Message-ID: <OAwd$h#uCHA.1624@TK2MSFTNGP11>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
Thanks for the answer.... Even if I must say that I am not that happy with it....
Is there some possibility to sidestep this? I was intending to use (existing) ActiveDirectory content for the "local" users and that would be best controlled using "Windows" authentication.
I personally think that enabling "Windows" authentication in the location node would be a nice feature on behalf of ASP.NET.

    <location path="Admin/Logon.aspx">
      <system.web>
        <authentication mode="Windows">
        </authentication>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>
Don't you have any idea?
Regards,
Michael
"Bassel Tabbara [MSFT]" <bas...@online.microsoft.com> wrote in message
news:RLhjw5#uCHA.1620@cpmsftngxa09...
But for now, do you have any questions on the implementation scenario that I posted before?
Thanks,
Bassel Tabbara
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
-------------------
| From: "Michael Jones" <Michael.Jones\remov...@binadyne.de>
| References: <#oRTsG9tCHA.2040@TK2MSFTNGP11>
<8q4O3OOuCHA.2704@cpmsftngxa09> <OAwd$h#uCHA.1624@TK2MSFTNGP11>
<RLhjw5#uCHA.1620@cpmsftngxa09>
| Subject: Re: Using both Forms and Windows Security...
| Date: Tue, 14 Jan 2003 20:25:43 +0100
| Message-ID: <OIuByKAvCHA.1848@TK2MSFTNGP09>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
I have been following your thread with great interest as I need to implement just such a hybrid security policy. I am very new to ASP.NET and I'm afraid that I have got a little lost following what the solution is. I, like Michael, need to capture the NT username, for logging purposes, if the user has been authenticated via Windows Security as opposed to Forms.
I would be grateful, Bassel, if you could expand a little on how to implement your "twist" so that an Intranet user can bypass the Forms login.
Thanks in advance.
David Braun.
In the login page, you use a session variable to track if this is the first time the user has visited the forms authentication logon page. This will indicate that the user has already been to this page but was redirected to the authentication page. On the return from the windows authentication page, the session will flag if the user has visited the page.

    If Session("BeenHere") = "a" Then
        If Session("NTLM") = "OK" Then
            ' Already authenticated by the Windows page: pass them on through
            ' with no interaction (create the forms authentication cookie here)
        Else
            ' Otherwise, present some logon function here
        End If
    Else
        Session("BeenHere") = "a"
        ' First visit: use Response.Redirect to the NTLM page
        ' (the page name below is a placeholder for your Windows-only page)
        Response.Redirect("NtlmPage.aspx")
    End If

Also, a label and a button will be displayed, like this:

    If you get prompted for your user name, cancel the dialog and click here: <button>

The button will submit them back to the same page. This time the session variable will exist and we will display some form of logon screen.
The windows authentication page will have just as a purpose to authenticate intranet users.
I hope this makes sense. Please let me know if you have more questions.
Thanks,
Bassel Tabbara
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
| From: david...@fco.gov.uk (David Braun)
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security
| Subject: Re: Using both Forms and Windows Security...
| Date: 16 Jan 2003 02:19:22 -0800
| Organization: http://groups.google.com/
| Message-ID: <22f93be2.03011...@posting.google.com>
| References: <#oRTsG9tCHA.2040@TK2MSFTNGP11>
<8q4O3OOuCHA.2704@cpmsftngxa09> <OAwd$h#uCHA.1624@TK2MSFTNGP11>
<RLhjw5#uCHA.1620@cpmsftngxa09> <OIuByKAvCHA.1848@TK2MSFTNGP09>
<PNFo9ULvCHA.2600@cpmsftngxa06>
"Bassel Tabbara [MSFT]" <bas...@online.microsoft.com> wrote in message
news:fXzpW0mvCHA.3284@cpmsftngxa06...
Thanks,
Bassel Tabbara
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
| From: "Brad" <bh_10...@yahoo.com>
| References: <#oRTsG9tCHA.2040@TK2MSFTNGP11>
<8q4O3OOuCHA.2704@cpmsftngxa09> <OAwd$h#uCHA.1624@TK2MSFTNGP11>
<RLhjw5#uCHA.1620@cpmsftngxa09> <OIuByKAvCHA.1848@TK2MSFTNGP09>
<PNFo9ULvCHA.2600@cpmsftngxa06>
<22f93be2.03011...@posting.google.com>
<fXzpW0mvCHA.3284@cpmsftngxa06>
| Subject: Re: Using both Forms and Windows Security...
| Date: Mon, 24 Feb 2003 09:41:37 -0600
| Message-ID: <eYfO7sB...@TK2MSFTNGP11.phx.gbl>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.security