.NET HttpModule & NTLM Integrated Authentication


Rob Mayo

What I'm trying to do is create an ASP.Net app that has both
Windows-authenticated users and Anonymous users. The idea is this:

When authenticated users attempt to access the site, their credentials are
passed to the Request, and I use the DOMAIN\USER value via the AUTH_USER
server variable to access their accounts. These people would never have to
log in to the app, only their machines on the network.

When anonymous users attempt to access the site, they are redirected to a
login page, rather than getting the Challenge dialog. Their login is
verified against a database and I alter the Current User with a
GenericPrincipal object.


I tried enabling 'Allow Anonymous Access' in IIS and producing the challenge
myself with a custom HttpModule, but was unable to make the challenge
myself.

Then I tried DISabling anonymous access and IIS provided the challenge and
the 401 response before it even got to my custom HttpModule.


Is there ANY way to achieve what I'm trying to do? Is there some way I can
intercept a request before IIS issues a challenge and issue the challenge
myself?
 
What you want to do is not possible with .Net HttpModule. Authentication
has already been done by IIS by the time an HttpModule gets control.

There is one fundamental issue with what you are trying to do. Web
browsers, by default, only use Anonymous authentication UNLESS the website
requires something else. A website forces a client to authenticate by
rejecting anonymous requests with a 401.2. What this means is that if you
want any sort of built-in authentication to happen, anonymous cannot be
enabled for the same content.

There is no such thing as "conditional authentication", where clients who
can authenticate will do so while clients who can't will stay anonymous.
Recall that clients who can authenticate will start off as anonymous, and
since it's not denied, it will never "upgrade" to authenticate itself.
Clients do not pre-emptively try to authenticate because that's a security
risk (imagine trying to pre-emptively do Basic auth and sending your
username/password in clear text...).

To implement "dual authentication" where at least one authentication scheme
is not a built-in type, you have to do something similar to this post:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=utf-8&selm=Rnw8J81PCHA.1712@cpmsftngxa07

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
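The exchange David describes can be traced in a few lines. The following is an added example, not code from this thread or from IIS: it models a browser that always sends its first request anonymously and presents NTLM credentials only after a 401 challenge with a WWW-Authenticate header, and an IIS-like server that decides the response before any HttpModule runs. The anonymous account name, the sample domain user, and the treatment of a single "NTLM DOMAIN\user" Authorization header as a completed handshake are constructed simplifications.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the IIS anonymous account; the real name varies.
ANONYMOUS_ACCOUNT = "IUSR_EXAMPLE"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    # Identity the application would see in AUTH_USER (None = not authenticated)
    user: Optional[str] = None


@dataclass
class SiteConfig:
    allow_anonymous: bool   # IIS "Allow Anonymous Access"
    windows_auth: bool      # IIS Integrated Windows (NTLM/Negotiate) enabled


def iis_server(cfg: SiteConfig, headers: Dict[str, str]) -> Response:
    """Decide the response to one request the way IIS does, before any HttpModule runs.

    Assumption: an Authorization header "NTLM DOMAIN\\user" stands in for a
    completed NTLM handshake; the real multi-leg exchange is not modelled.
    """
    auth = headers.get("Authorization", "")
    scheme, _, credential = auth.partition(" ")
    if cfg.windows_auth and scheme == "NTLM" and credential:
        return Response(200, user=credential)
    if cfg.allow_anonymous:
        # Anonymous is accepted first, so the request is never challenged.
        return Response(200, user=ANONYMOUS_ACCOUNT)
    if cfg.windows_auth:
        # 401.2: anonymous rejected, client told which scheme to use.
        return Response(401, headers={"WWW-Authenticate": "NTLM"})
    return Response(403)


def browser(cfg: SiteConfig, domain_user: Optional[str] = None
            ) -> Tuple[Response, List[Tuple[str, int]]]:
    """Model a browser: anonymous first, credentials only after a 401 challenge."""
    exchange: List[Tuple[str, int]] = []
    resp = iis_server(cfg, {})
    exchange.append(("anonymous", resp.status))
    challenged = resp.status == 401 and "NTLM" in resp.headers.get("WWW-Authenticate", "")
    if challenged and domain_user is not None:
        resp = iis_server(cfg, {"Authorization": f"NTLM {domain_user}"})
        exchange.append(("ntlm", resp.status))
    return resp, exchange


def run_scenarios() -> Dict[str, Tuple[Optional[str], List[Tuple[str, int]]]]:
    """Return (identity seen by the app, request/response trace) for each IIS setup."""
    domain_user = "CORP\\rob"  # constructed sample user
    results: Dict[str, Tuple[Optional[str], List[Tuple[str, int]]]] = {}

    both = SiteConfig(allow_anonymous=True, windows_auth=True)
    resp, trace = browser(both, domain_user)
    results["anonymous+ntlm, domain client"] = (resp.user, trace)

    win_only = SiteConfig(allow_anonymous=False, windows_auth=True)
    resp, trace = browser(win_only, domain_user)
    results["ntlm only, domain client"] = (resp.user, trace)

    resp, trace = browser(win_only, None)
    results["ntlm only, no credentials"] = (resp.user, trace)
    return results


if __name__ == "__main__":
    for name, (user, trace) in run_scenarios().items():
        print(f"{name}: app sees {user!r}, exchange {trace}")
```

With both Anonymous and NTLM enabled, the domain client's first anonymous request succeeds and the application only ever sees the anonymous account, which is the "never upgrades" case. With anonymous disabled, the same client is rejected with a 401, retries with credentials, and the application sees DOMAIN\user; a client without credentials simply stays at the 401.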
 
Rob,

This case may be a bit tricky.
One of the security design considerations to take into account, should be to
rely as much as possible on the operating system security subsystem and
avoid whenever possible, creating your own custom solution. With this
premise in mind, you may try to set first the IIS authentication mode
(remember that ASP.NET is running over IIS, so the first security checkpoint
will be executed by IIS).
If you check Anonymous and NTLM/Kerberos as your auth methods, IIS will
first try to authenticate as Anonymous, so you will always get the anonymous
access account. Remember that for IIS there is no such thing as an "Anonymous user",
so IIS will try to authenticate or not (if Anonymous is checked) and it will
always run the ASP.NET worker process under some Windows account.
Based on this, your auth methods are incompatible for the same application,
basically because you are using two different auth methods (Windows/AD and
Forms/Custom Resource) that were designed for different purposes.
 