tags:

views:

173

answers:

2
Q: 

Lock down a site using Forms Auth in IIS7 with Windows Auth

I've posted this on Server Fault, but as there is sort of a programming aspect to it, I'll post it here too.

I have an ASP.NET MVC 1.0 application that uses Forms Authentication. We are using Windows Server 2008. I need to lock down the site so that only certain users (in AD Groups) can access the site. Unfortunately, though, when I set the site to not allow anon users and use windows authentication, due to the integration of the site and IIS, it shows the user as signed in as their domain account, instead of allowing them to sign in through Forms Auth.

So, I need a mixed mode authentication. I need the site to be only accessible through windows auth, without anon users, but once you are in, it needs to use forms auth only. How would I go about doing this the right way?

EDIT:

Here's a clarification. The site must work like this.

  1. You go to the URL and a windows auth login pops up. You sign in with a domain accout that has access. If you don't have access, it shows you the 401 error.
  2. If you have access, you hit the site. However, the site doesn't use your windows auth username. It uses forms Auth. So, you have to sigh in to the site using the forms auth.

The problem is, when I set it up to do step 1, it uses your windows username in step 2. I don't want it to do that.

+2  A: 

Trick here is to change the provider for your authentication to use Active Directory, rather than change the settings to Windows.

Or, use a version of the following provider:

<add
 name="AdProvider"
 type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
 connectionStringName="YourAd"
 applicationName="YourApp"
 enablePasswordReset="false"
  />

With a version of the following connection string:

<add name="YourAd"
connectionString="LDAP://[your DC]/OU=[your OU],DC=[your domain],DC=[your extension]"
/>

Authorization-wise, you have some options. If it is based on domain groups, then you'll need to get azman wired up. If it is application controlled, you'll need to line up the AD users with the database-stored roles.

PS: I suck at LDAP connection strings, you can probably do alot more with it than I did.

Well, seems like I answered the wrong question. I'll leave this up for posterity's sake, but you should just try to disable Anonymous Authentication for the site.

Wyatt Barnett  2009-11-02 17:09:00
The site uses forms auth, and it cannot change from that. In IIS6, you used to be able to protect a site's access to windows auth and then use forms auth in the actual code. I need to do this.
Josh  2009-11-02 17:14:26
Edited answer to answer rite question. See above.
Wyatt Barnett  2009-11-02 17:37:44
A: 

I found my answer here:

http://stackoverflow.com/questions/289317/iis7-and-authentication-problems

The short of it is, in IIS 7 you cannot have two-tiered authentication like you could with IIS 6.

Josh  2009-11-02 21:34:10

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication