.NET HttpModule & NTLM Integrated Authentication


  1. #1

    .NET HttpModule & NTLM Integrated Authentication

    What I'm trying to do is Create an ASP.Net app that has both
    Windows-authenticated users and Anonymous users. The idea is this:

    When authenticated users attempt to access the site, their credentials are
    passed to the Request, and I use the DOMAIN\USER value via the AUTH_USER
    server variable to access their accounts. These people would never have to
    log in to the app, only their machines on the network.

    When anonymous users attempt to access the site, they are redirected to a
    login page, rather than getting the Challenge dialog. Their login is
    verified against a database and I alter the Current User with a
    GenericPrincipal object.


    I tried enabling 'Allow Anonymous Access' in IIS and producing the challenge
    myself with a custom HttpModule, but was unable to make the challenge
    myself.

    Then I tried DISabling anonymous access and IIS provided the challenge and
    the 401 response before it even got to my custom HttpModule.


    Is there ANY way to achieve what I'm trying to do? Is there some way I can
    intercept a request before IIS issues a challenge and issue the challenge
    myself?


    Rob Mayo Guest

  3. #2

    Re: .NET HttpModule & NTLM Integrated Authentication

    Rob,

    This case may be a bit tricky.
    One of the security design considerations to take into account, should be to
    rely as much as possible on the operating system security subsystem and
    avoid whenever possible, creating your own custom solution. With this
    premise in mind, you may try to set first the IIS authentication mode
    (remember that ASP.NET is running over IIS, so the first security checkpoint
    will be executed by IIS).
    If you check Anonymous and NTLM/Kerberos as your auth methods, IIS will
    first try to authenticate as Anonymous so you will always get the anonymous
    access account. Remember that for IIS, there is no such thing as an "Anonymous user",
    so IIS will try to authenticate or not (if checked Anonymous) and it will
    always run the ASP.NET worker process under some Windows account.
    Based on this, your auth methods are incompatible for the same application
    basically because you are using two different auth methods (Windows/AD and
    Forms/Custom Resource) that were designed for different purposes.


    --
    Hernan de Lahitte
    Lagash Systems S.A.
    http://www.lagash.com



    "Rob Mayo" <NOSPAM@NOSPAM.COM> wrote in message
    news:uDHMgrg4DHA.1816@TK2MSFTNGP12.phx.gbl...
    > What I'm trying to do is Create an ASP.Net app that has both
    > Windows-authenticated users and Anonymous users. The idea is this:
    >
    > When authenticated users attempt to access the site, their credentials are
    > passed to the Request, and I use the DOMAIN\USER value via the AUTH_USER
    > server variable to access their accounts. These people would never have to
    > log in to the app, only their machines on the network.
    >
    > When anonymous users attempt to access the site, they are redirected to a
    > login page, rather than getting the Challenge dialog. Their login is
    > verified against a database and I alter the Current User with a
    > GenericPrincipal object.
    >
    >
    > I tried enabling 'Allow Anonymous Access' in IIS and producing the challenge
    > myself with a custom HttpModule, but was unable to make the challenge
    > myself.
    >
    > Then I tried DISabling anonymous access and IIS provided the challenge and
    > the 401 response before it even got to my custom HttpModule.
    >
    >
    > Is there ANY way to achieve what I'm trying to do? Is there some way I can
    > intercept a request before IIS issues a challenge and issue the challenge
    > myself?
    >
    >

    Hernan de Lahitte Guest
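
An added example, not code from either poster: a sketch of what an HttpModule sees in the configuration discussed above, where Anonymous access is enabled in IIS and `AUTH_USER` is therefore empty for anonymous requests. The module name, the `~/Login.aspx` path, and the assumption that the login page issues a forms ticket (for instance with `FormsAuthentication.SetAuthCookie`) after the database check are all hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module; register it under <httpModules> in web.config.
public class MixedIdentityModule : IHttpModule
{
    // Assumed location of the database-backed login page.
    private const string LoginPath = "~/Login.aspx";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // AUTH_USER is filled in by IIS, never by the client. It is empty
        // whenever IIS served the request under the anonymous account.
        string authUser = ctx.Request.ServerVariables["AUTH_USER"];
        if (!string.IsNullOrEmpty(authUser))
            return; // IIS authenticated the caller; keep its WindowsPrincipal.

        // Anonymous request: accept only a ticket this application encrypted.
        FormsAuthenticationTicket ticket = null;
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
        {
            try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
            catch (Exception) { ticket = null; } // tampered or foreign cookie
        }

        if (ticket != null && !ticket.Expired)
        {
            // No roles granted here; load them server-side if needed.
            ctx.User = new GenericPrincipal(
                new GenericIdentity(ticket.Name, "Forms"), new string[0]);
            return;
        }

        // No valid identity: send the browser to the login page (not a 401).
        string current = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!string.Equals(current, LoginPath, StringComparison.OrdinalIgnoreCase))
            ctx.Response.Redirect(VirtualPathUtility.ToAbsolute(LoginPath), true);
    }
}
```

The identity for the anonymous branch comes only from a ticket the server can decrypt; the user name is never read from a header, query string or form field on the request.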
