Windows and Forms Authentication

[Glenn Wilson]

Hi,

I need some help on building a security model for an intranet I am currently
building. I am aware that Intranets lend themselves quite nicely to Windows
authentication, since you would assume that all employees will have accounts
on the web server and the domain in which the server sits. So, I thought
about implementing this method of authentication in my intranet. However, I
now realise that no all users will have accounts on the web server. I
initially thought about adding them, but the volume and type of users that
this involves makes this solution impractical.

I then decided that forms authentication would be the solution. However,
following some usability studies, it is quite clear that our internal
employees will not use the intranet if they have have to log on when they
want to access it. It is not a problem for external users as far as we are
aware who expect to go through the process of logging on to our intranet.
So using forms authentication is not an ideal solution all round.

This leads me to my third idea. What about if I were to provide access to
internal employees through their windows accounts, but implement forms
authentication for those that do not have an account. Trouble is, I believe
that you cannot mix the two forms of authentication within an asp.net
application. Does anyone else have any suggestions about the best way for
me to move forward?

Glenn

[Johan Nomrén NSQUARED2]

Hi,

The thing with Form Authentication is that you handle the
authentication by yourself
You set the Authenticated options manually... On your
login page check first if the user are a local one (maybe
by IP address), if so then set the Authentication options
and redirect him/her to next page. And if the IP don't
exist in your local network show the login form and
handle this instead.

I took the IP address as an example because if you use
server variable that tells who you are logged in as you
will get null value if the page is set to anonymous
access.

JN
[url]http://www.nsquared2.net[/url]

>-----Original Message-----
>Hi,
>
>I need some help on building a security model for an

intranet I am currently

>building. I am aware that Intranets lend themselves

quite nicely to Windows

>authentication, since you would assume that all

employees will have accounts

>on the web server and the domain in which the server

sits. So, I thought

>about implementing this method of authentication in my

intranet. However, I

>now realise that no all users will have accounts on the

web server. I

>initially thought about adding them, but the volume and

type of users that

>this involves makes this solution impractical.
>
>I then decided that forms authentication would be the

solution. However,

>following some usability studies, it is quite clear that

our internal

>employees will not use the intranet if they have have to

log on when they

>want to access it. It is not a problem for external

users as far as we are

>aware who expect to go through the process of logging on

to our intranet.

>So using forms authentication is not an ideal solution

all round.

>
>This leads me to my third idea. What about if I were to

provide access to

>internal employees through their windows accounts, but

implement forms

>authentication for those that do not have an account.

Trouble is, I believe

>that you cannot mix the two forms of authentication

within an asp.net

>application. Does anyone else have any suggestions

about the best way for

>me to move forward?
>
>Glenn
>
>
>.
>