Windows Authentication and Anonymous login URGENT

[Michal A. Valasek]

| users. However I need to be able to tell a difference if
| they have login through the intranet, which window
| authentication just lets them in, or through the internet
| where the login pop up box asks for their username and
| password.

I'm affraid that you won't be able to tell this - they're just
authenticated, and if browser asked for authentication or provided it on
itself is his thing and you can't discover that.

However, based on your network structure, you may try to filter
Internet/intranet users based on IP address. If users inside your network
are using some IP range, you may check if user is from this range or not.

| My second issue is that I need to let anonymous users into
| my default.aspx page but if my intranet users hit this
| page it needs to redirect them to a different
| default.aspx. But I cant tell the difference if the user
| logs in through the intranet or the internet. How can I
| achive this?

You can check if user is authenticated or not (via the
Request.IsAuthenticated) property. So, you can setup your Default.aspx to be
accessible for both authenticated and anonymous users and chech if they are
authenticated and then modify the page or redirect them away.

Honestly, I don't know *WHY* you need to know how the user is logged? I
think that matters only if is authenticated or not. If enters password by
hand or is remembered and sent automatically by browser, is user's thing,
not mine, as application author.

--
Michal A. Valasek, Altair Communications, [url]http://www.altaircom.net[/url]
Please do not reply to this e-mail, for contact see [url]http://www.rider.cz[/url]

[Silvia Brunet Jones]

thanks for your prompt replay I really need to figure
something out. My problem is that I am doign what you are
saying which is to check if the user is authenticated
(via the Request.IsAuthenticated) and have the
default.aspx to be accessible for both authenticated and
anonymous. The problem is that once you set anonymous
users then the Request.IsAuthenticated is allways false.
This is crazy. If I am inside the intranet then the
Request.IsAuthenticated should be true and then from
outside using anonymous login it should say yes. Right????
This is just what I want to know.
Thank you so much

[Michal A. Valasek]

Hello,

| thanks for your prompt replay I really need to figure
| something out. My problem is that I am doign what you are
| saying which is to check if the user is authenticated
| (via the Request.IsAuthenticated) and have the
| default.aspx to be accessible for both authenticated and
| anonymous. The problem is that once you set anonymous
| users then the Request.IsAuthenticated is allways false.
| This is crazy. If I am inside the intranet then the
| Request.IsAuthenticated should be true and then from
| outside using anonymous login it should say yes. Right????
| This is just what I want to know.

oh, I forgot that you're using the Windows, not Forms authentication. When
authenticated using Forms Authentication, data are stored in cookie, which
is sent with every request to given server, regardless if the server cares
about it.

In Windows authentication, the process if that server gives authentication
challenge, when requests one. Therefore, if anonymous access is enabled, all
users are anonymous, because server does not send the challenge.

Only solution I know is to make the Default page only for authenticated
users. Then try to catch the unauthorized state (probably as custom error
handler for HTTP error 401 or 403). You can get URL of requested page and if
it's /Default.aspx, redirect anonymous user somewhere.

--
Michal A. Valasek, Altair Communications, [url]http://www.altaircom.net[/url]
Please do not reply to this e-mail, for contact see [url]http://www.rider.cz[/url]

[Aaron Vance]

I like Joseph's suggestion, but thought I'd throw a little more money on the
table ($.02 or so):

We have a similar situation as you have, allowing NTLM auth through
internally, and IE throws up the prompt box on the outside.

One way we have found to test whether users are coming from the outside is
to test the incoming IP address. Our firewall processes all incoming
requests and a single IP address gets logged as the requestor from the
firewall/external users. This way we know that users are coming from the
outside.

As for the authentication there are various things you can do, but I guess
my take is to forget the idea of having a secure aspx page for NTLM users
and an open one for anonymous.

Just set default.aspx as anonymous - period. Then, users can click on a
"login" type link - whatever you want it to be, to actually pass off to an
NTFS protected page to throw up the NTLM auth box. This is honestly the
easiest way you're going to achieve this - simply because you can't have
anonymous passthrough AND NT auth at the same time. IIS either is
protecting something that it will prompt NTLM auth password box for? Or
it'll pass you through to the page...

-Aaron

"Joseph E Shook" <JoeShook@DeploymentCentric.com> wrote in message
news:e6k9mk7UDHA.2568@tk2msftngp13.phx.gbl...

> My gut feeling on this is to deploy your web site two times. One

deployment

> will be for your internal users. The second deployment will be for you
> external users. The code base should be identical. Just configure your
> web.config according to thee users locations. You can run both

deployments

> on the same machine if need be, just create two different web instances.
> Then set up the network to only allow external users to hit the external
> instance and only allow the internal users to hit the internal instance.

If

> you try to code this behavior there seems to be to much room for failure

in

> the future. Because today you may be able to reliably check the referer

url

> but tommorrow your firewall/proxy server access to the extern may not

allow

> you to figure out exactly where the user came from. Anyways there is some
> more food for thought.
>
>
> "Silvia Brunet-Jones" <sbrunet_jones@hotmail.com> wrote in message
> news:0b9701c352c4$341f4cc0$a501280a@phx.gbl...

> > I really need some help on this.
> > What I am trying to do is this. My application is a web
> > application that runs in my intranet. I am giving access
> > to the web pages through the internet to my intranet
> > users. However I need to be able to tell a difference if
> > they have login through the intranet, which window
> > authentication just lets them in, or through the internet
> > where the login pop up box asks for their username and
> > password.
> > My second issue is that I need to let anonymous users into
> > my default.aspx page but if my intranet users hit this
> > page it needs to redirect them to a different
> > default.aspx. But I cant tell the difference if the user
> > logs in through the intranet or the internet. How can I
> > achive this?

>
>