I've posted this on Server Fault, but as there is sort of a programming aspect to it, I'll post it here too.

I have an ASP.NET MVC 1.0 application that uses Forms Authentication. We are using Windows Server 2008. I need to lock down the site so that only certain users (in AD Groups) can access the site. Unfortunately, though, when I set the site to not allow anon users and use windows authentication, due to the integration of the site and IIS, it shows the user as signed in as their domain account, instead of allowing them to sign in through Forms Auth.

So, I need a mixed mode authentication. I need the site to be only accessible through windows auth, without anon users, but once you are in, it needs to use forms auth only. How would I go about doing this the right way?

EDIT:

Here's a clarification. The site must work like this.

  1. You go to the URL and a windows auth login pops up. You sign in with a domain account that has access. If you don't have access, it shows you the 401 error.
  2. If you have access, you hit the site. However, the site doesn't use your windows auth username. It uses forms Auth. So, you have to sign in to the site using the forms auth.

The problem is, when I set it up to do step 1, it uses your windows username in step 2. I don't want it to do that.

+2  A: 

The trick here is to change the provider for your authentication to use Active Directory, rather than change the settings to Windows.

Or, use a version of the following provider:

<add
 name="AdProvider"
 type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
 connectionStringName="YourAd"
 applicationName="YourApp"
 enablePasswordReset="false"
  />

With a version of the following connection string:

<add name="YourAd"
connectionString="LDAP://[your DC]/OU=[your OU],DC=[your domain],DC=[your extension]"
/>

Authorization-wise, you have some options. If it is based on domain groups, then you'll need to get azman wired up. If it is application controlled, you'll need to line up the AD users with the database-stored roles.

PS: I suck at LDAP connection strings, you can probably do a lot more with it than I did.


Well, seems like I answered the wrong question. I'll leave this up for posterity's sake, but you should just try to disable Anonymous Authentication for the site.

Wyatt Barnett
The site uses forms auth, and it cannot change from that. In IIS6, you used to be able to protect a site's access to windows auth and then use forms auth in the actual code. I need to do this.
Josh
Edited answer to answer the right question. See above.
Wyatt Barnett
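For readers who want to see where the two fragments from the answer above plug in, here is a complete `system.web` layout for the approach it describes: Forms authentication collects the credentials on the login page, the `ActiveDirectoryMembershipProvider` validates them against the domain, and anonymous access is denied application-wide. This is an added example, not code from the answer or from Josh's project; the DC host name, OU, login URL and `YourApp` name are placeholders to be replaced. It is the single-tier Forms-plus-AD setup the answer proposes, not the two-tiered IIS-then-Forms scheme the question asks for (which the second answer reports IIS 7 cannot do).

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder DC and container; point this at your own domain controller and OU -->
    <add name="YourAd"
         connectionString="LDAP://dc01.example.local/OU=Staff,DC=example,DC=local" />
  </connectionStrings>

  <system.web>
    <!-- Forms auth: the application's own login page, not IIS, collects credentials.
         requireSSL keeps the auth cookie off plain HTTP; the timeout is an assumed value. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn"
             timeout="20"
             requireSSL="true"
             slidingExpiration="false" />
    </authentication>

    <!-- The password typed into the form is checked against AD by this provider.
         connectionProtection="Secure" requires an SSL or signed/sealed LDAP connection,
         so domain passwords are not sent to the DC in the clear. -->
    <membership defaultProvider="AdProvider">
      <providers>
        <clear />
        <add name="AdProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="YourAd"
             applicationName="YourApp"
             connectionProtection="Secure"
             enablePasswordReset="false"
             enableSearchMethods="false" />
      </providers>
    </membership>

    <!-- No anonymous access anywhere: unauthenticated requests are redirected to loginUrl -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Explicitly keep the login page reachable for anonymous users -->
  <location path="Account/LogOn">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place the login action calls `Membership.ValidateUser(userName, password)` and, on success, `FormsAuthentication.SetAuthCookie(...)`; restricting the site to particular AD groups is a separate step, since the membership provider only answers "are these credentials valid", and the answer above points at azman (or a database-backed role store) for the group-to-role mapping.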
A: 

I found my answer here:

http://stackoverflow.com/questions/289317/iis7-and-authentication-problems

The short of it is, in IIS 7 you cannot have two-tiered authentication like you could with IIS 6.

Josh