tags:

views:

60

answers:

4
Q: 

How can I protect ASP.NET sites behind a Windows password and forms authentication?

I'm developing an ASP.NET MVC site that utilizes forms authentication for part of the application. During development, I need to be able to give external parties access to a development server hosting the site. Since I don't want to expose the site to the entire internet, I need to password protect it while still allowing forms authentication to be in use.

Mixing of Windows and forms authentication doesn't work. Is there a standard way of doing this? I would have to think this is a common scenario. The article on MSDN doesn't seem to apply to my situation: http://msdn.microsoft.com/en-us/library/ms972958.aspx

Update: The first two answers suggest adding in standard IIS basic/digest authentication. As far as I know, this is not compatible with forms authentication because the user's identity will be set to the Windows account, not the identity used through forms authentication. I need the two to be completely independent. Any thoughts?

+1  A: 

You could protect it in IIS, give those details to the external parties, and leave the forms auth as it is.

David Hedlund  2009-11-13 15:43:11
A: 

Disable anonomous access to force the users to login via a windows account before accessing the site.

Wyatt Barnett  2009-11-13 15:43:47
The problem with this is that the they can't access the forms-protected portion of the site as their user will already be set to the Windows account, which is unrelated to their site accounts.
Brian Vallelunga  2009-11-13 16:04:55
Not really--disabling anonomous access forces one to do a windows login to access the pages. The forms stuff can then work behind it. Key here is the disabling anonomous access while not adding another form of authentication.
Wyatt Barnett  2009-11-13 16:44:35
Perhaps I'm missing something. Leaving only Forms Authentication enabled in IIS 7, when going to the site I get redirected to the Forms Authentication login url which in turn shows a standard IIS 401 unauthorized error. What I want is a Windows prompt before anything else.
Brian Vallelunga  2009-11-13 16:52:08
Ah, never mentioned IIS7 and I missed the tag. For that angle, perhaps you could tweak the config to require authenticated users for everything, even the "public" parts of the site. No real good way to do this in IIS7 otherwise.
Wyatt Barnett  2009-11-13 17:40:29
One other thought--I think you can disallow the anonomous user from reading the folder and force a http authentication prompt, even on IIS7. Haven't tried it though.
Wyatt Barnett  2009-11-13 19:16:53
A: 

Well unfortunately what you're trying to do is not possible in IIS7 (integrated mode), but there is a workaround. I suggest you to read this article written by Mike Volodarsky a former program manager for IIS7 at Microsoft. Article addresses your problem and there is even a sample code you could use.

 2009-11-15 20:00:28
A: 

I knew a guy who did this using Apache and a reverse proxy.

http://www.apachetutor.org/admin/reverseproxies

Josh Pearce  2009-11-15 20:03:33
I actually like the reverse proxy idea, but I don't want to add Apache into the mix. I'm going to see if ARR for IIS might be able to do this.
Brian Vallelunga  2009-11-24 02:55:20

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication