Ask a Question related to ASP.NET Security, Design and Development.
-
Craig #1
Site Config Question
Hi
I have a site that runs in an intranet environment, therefore the
authentication method in IIS is 'Integrated Windows authentication' and no
Anonymous access. In my web.config <authentication mode="Windows" />, works
fine.
We want to release the site to the internet whilst maintaining integrated
Windows authentication for the intranet users; and having a forms-like
authentication for internet users.
I didn't think this was possible, any ideas?
Craig Guest
-
Chris Mohan #2
RE: Site Config Question
Not sure I follow - what is it that you hope to accomplish by enabling Windows
authentication and forms?
re: two authentication modes within the same website -- yes, it is possible
but you can't implement both authentication modes within the same
directory (which is probably b/c you can only implement 1 authentication mode
per application domain).
Here's how: Set the authentication mode to windows in the root web.config
and then configure a child dir as its own application in IIS. Set the child
dir's authentication mode to forms by either using the location element in
the root web.config or putting a new web.config at the root of the child
dir.
See this for more info:
http://www.theserverside.net/articles/article.tss?l=FormAuthentication
If your goal is to keep anonymous users out then you can accomplish this for
both intranet users and those who access the site remotely (internet users)
by setting the app's authentication mode to windows and then adding a deny tag
in the authorization element by setting its users property to anonymous, aka
"?".
Denying anonymous users will prompt the server to challenge all
users (whether they are accessing the site from inside your network or not) to
provide their credentials.
    <system.web>
      <authentication mode="Windows" />
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
The info above is based on the assumption that your server's machine.config
uses the framework's default settings (specifically the username attribute of
the processmodel element ("machine") and the impersonation element ("no")).
If this is what you want.. you can take an additional step that will make
the lives of your users easier: if your organization uses Explorer 6.0 as its
default browser then employees can use IE's "zone" feature and list the
intranet app's url in IE's "Trusted Sites Zone." By changing a default
security setting (for this zone only) users can allow the browser to
automatically pass their credentials to the site so they won't have to
manually login.
See this for more info:
http://support.microsoft.com/default.aspx?scid=kb;en-us;264086
1 sneaky suggestion: if you opt to do this.. do it AFTER your users have had
to go a week or two manually logging into the app. The reason: if you give
this to them from the get-go the convenience is perceived as normal. If you
wait a little bit then you'll have made everyone's lives a little easier in
the organization in a way that both technical ppl and non-technical ppl (such
as those who decide things like salary increases) can understand and
appreciate.
"Craig" wrote:
> Hi
>
> I have a site that runs in an intranet environment, therefore the
> authentication method in IIS is 'Integrated Windows authentication' and no
> Anonymous access. In my web.config <authentication mode="Windows" />, works
> fine.
>
> We want to release the site to the internet whilst maintaining integrated
> Windows authentication for the intranet users; and having a forms-like
> authentication for internet users.
>
> I didn't think this was possible, any ideas?
Chris Mohan Guest
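An added example, not part of the original posts: a small Python check that reads a web.config and reports the authentication mode it declares and whether the first authorization rule matching an anonymous user is a deny. The three sample configs and the login.aspx name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread).
ROOT_CONFIG = """<configuration><system.web>
  <authentication mode="Windows" />
  <authorization><deny users="?" /></authorization>
</system.web></configuration>"""

# Child directory set up as its own IIS application; loginUrl is a placeholder.
CHILD_CONFIG = """<configuration><system.web>
  <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
  <authorization><deny users="?" /></authorization>
</system.web></configuration>"""

# Weak ordering: the allow rule matches first, so the deny is never reached.
WEAK_CONFIG = """<configuration><system.web>
  <authentication mode="Windows" />
  <authorization><allow users="*" /><deny users="?" /></authorization>
</system.web></configuration>"""


def auth_mode(config_xml):
    """Return the authentication mode set in this file, or None if inherited."""
    node = ET.fromstring(config_xml).find("system.web/authentication")
    return node.get("mode") if node is not None else None


def anonymous_denied(config_xml):
    """True if the first rule that matches an anonymous user is a <deny>.

    ASP.NET evaluates authorization rules top to bottom and stops at the
    first match; if nothing in this file matches, the inherited default
    (allow everyone) applies, so the result is False.
    """
    authz = ET.fromstring(config_xml).find("system.web/authorization")
    if authz is None:
        return False
    for rule in authz:
        if rule.get("verbs"):
            # Verb-scoped rules only cover some requests: an allow opens a
            # path for anonymous users, a deny does not close all of them.
            if rule.tag == "allow":
                return False
            continue
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:
            return rule.tag == "deny"
    return False


def audit(config_xml):
    """Summarise one web.config for review."""
    return {"mode": auth_mode(config_xml),
            "anonymous_denied": anonymous_denied(config_xml)}
```
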
-
Chris Mohan #3
RE: Site Config Question
One clarification for the following paragraph.
Don't list the site in the trusted zone, list it in the "Local Intranet" zone.
The reason: if users start listing arbitrary sites in the trusted list.. then
the security change will pass their info to those sites too which are likely
to be outside your network
> If this is what you want.. you can take an additional step that will make
> the lives of your users easier: if your organization uses Explorer 6.0 as its
> default browser then employees can use IE's "zone" feature and list the
> intranet app's url in IE's "Trusted Sites Zone." By changing a default
> security setting (for this zone only) users can allow the browser to
> automatically pass their credentials to the site so they won't have to
> manually login.
>
> See this for more info:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;264086
Chris Mohan Guest




