We're getting ready to start migrating some of our IIS6 sites to IIS7, and the application currently uses Forms Authentication. We have started getting some requests from various sites to use the Windows Authentication for the users. While this is easy enough to implement (and I've shown internally that there is no issue with the app, as expected) the question then is how to continue to keep Forms authentication for when Integrated Windows doesn't work. I've seen several walkthroughs on how to have it configured on IIS6, and I could do the same thing on IIS7, but then I have to turn on Classic Mode processing. Any solution should also be back portable to IIS6, if possible, to keep the build tree simple.

So what are my options on this? Do I set up the app with Integrated Windows Authentication in IIS7, Forms Auth in the web.config, and redirect 401 errors to an "error page" allowing them to login using forms, then back to the regular app?

The case when Forms is likely to be needed is going to be reserved for Contract workers, our support staff, and if someone needs to access it on their site from their Extranet. So primarily it's for our staff to login to check functionality and confirm bug reports. I suggested we just maintain that for our support staff to work, we need a Windows login that will always be live, and then we'll just enforce local responsibility on who can login to the site, but I'm told that we would do better to have Forms Authentication.

Any thoughts? I can post some of the links of the articles I've already read through if that would help the forum better narrow my needs.

Many thanks.

tl;dr: How to do mixed mode authentication (forms, windows) in IIS7 without changing to classic pipeline and still be able to use the build in IIS6 if possible.

A: 

Which way did you go? I'm looking at the same technique.

kmoo01
Depends on which platform you're going with. Basically I made a page that handles WindowsAuth and leave the app on FormsAuth. That page just looks for a user id in the 401 response and uses that to create a user and add to a role. For pre-IIS7 I have to go into IIS and add WindowsAuth (remove Anon) to that specific file. In IIS7+ I can do the same thing in the web.Config. I then left that specific info alone for the IIS6 deployments as it doesn't affect anything. -- You'll want to keep in mind the aspnet_Membership_Create_User requires a email address. Outta space; that's a start. Questions?
drachenstern
+1  A: 

Thanks for getting back to me. I have been playing round with several of the implementations on and off for a few weeks now, that I've read about on the internet (javascript, 401, 2 virtual directories) but still haven't really found anything that works as I wanted. We will be potentially rolling it out to more than one client, each with different hardware/setups, even different versions of IIS, so wanted it to be as generic as possible. I've come up against a brick wall on a couple of the suggested solutions...

When you say for IIS7+ you removed anon access in web.config, I assume like this:

<location path="Authent/WinLogin.aspx">
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
  </system.webServer>
</location>

kmoo01
No, that's not quite right, but I can't do a code block in a comment reply, so I'll post a new answer ...
drachenstern
+1  A: 

No, that's not quite right, but I can't do a code block in a comment reply, so I'll post a new answer ...

The following code block allows me to control anon access from IIS7 without having to muck about in the metabase (where GUI changes on IIS6 get applied)

<location path="WindowsLogin.aspx" >
    <system.web>
        <authorization>
            <deny users="?" />
            <allow users="*" />
        </authorization>
    </system.web>
    <system.webServer>
        <security>
            <authentication>
                <anonymousAuthentication enabled="false" />
                <windowsAuthentication enabled="true" />
            </authentication>
        </security>
    </system.webServer>
</location>
drachenstern
Not that I'm trying to imply that IIS7 has a metabase mind you...
drachenstern
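What the Windows-auth-only page can do once IIS has authenticated the caller, to match the <location> block above: it reads the identity IIS established, makes sure a Membership user exists for it, and hands the browser an ordinary forms ticket so the rest of the site stays on forms auth. This is an added example, not code from the thread or its authors; the class name, the DomainUsers role and the placeholder e-mail domain are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public partial class WindowsLogin : System.Web.UI.Page
{
    private const string DomainUserRole = "DomainUsers"; // assumed role name

    protected void Page_Load(object sender, EventArgs e)
    {
        // IIS fills this only when anonymous auth is off and Windows auth is on for this file
        // (the <location> block above); it is the server's view of the caller, not client input.
        WindowsIdentity identity = Request.LogonUserIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
        {
            // No Windows identity (anon still enabled on this file, or the client could not
            // negotiate): fall back to the forms login page instead of minting a ticket for "".
            Response.Redirect(FormsAuthentication.LoginUrl + "?ReturnUrl=" +
                              HttpUtility.UrlEncode(SafeReturnUrl()), true);
            return;
        }

        string userName = identity.Name; // DOMAIN\user
        EnsureMembershipUser(userName);
        // Issue the ordinary forms ticket so the rest of the site, still on forms auth, is unchanged.
        FormsAuthentication.SetAuthCookie(userName, false);
        Response.Redirect(SafeReturnUrl(), true);
    }

    private static void EnsureMembershipUser(string userName)
    {
        if (Membership.GetUser(userName) != null) return;
        // Membership needs a password and (as noted in the thread) an e-mail; neither is ever
        // used for login because this account only enters through Windows auth.
        string unusedPassword = Membership.GeneratePassword(32, 4);
        string placeholderEmail = userName.Replace('\\', '.') + "@example.invalid"; // constructed
        Membership.CreateUser(userName, unusedPassword, placeholderEmail);
        if (Roles.Enabled && Roles.RoleExists(DomainUserRole) && !Roles.IsUserInRole(userName, DomainUserRole))
            Roles.AddUserToRole(userName, DomainUserRole);
    }

    // Honour ReturnUrl only when it is a same-site path, so this page cannot act as an open redirect.
    private string SafeReturnUrl()
    {
        string url = Request.QueryString["ReturnUrl"];
        bool local = !string.IsNullOrEmpty(url) && url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\");
        return local ? url : FormsAuthentication.DefaultUrl;
    }
}
```

The rest of the site keeps <authentication mode="Forms"> in web.config; only this one file is exempted from anonymous access, which is also the setting to check first when the page returns 401.2 instead of a Windows identity.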
A: 

Worked like a proverbial dream, thanks drachenstern

kmoo01
Thanks, glad I could help. I guess I should mark that as the answer huh? Maybe somebody else is looking for it too...
drachenstern
+1  A: 

Here's an article on two level authentication that might be of use on this subject.

Deke
Yeah, I didn't really do it anything like his, and I got mine working with no fuss on both IIS6 and 7, but I'm thinking something is wrong because guys like him want to be so complicated. But maybe I just did mine "the right way" because it "just works" with forms auth. ~ But thanks. I see you're new here, and so thanks for the input. Yeah, I read him a long time ago on this topic.
drachenstern
A: 

Hey Drachenstern,

Your solution is working perfectly for me when I run it from the debug mode of VS2008 (which is running on my actual webserver itself running IIS7).

However, once I try to run it straight from the IE browser itself, I get a 401.2 error (You are not authorized to view this page due to invalid authentication headers).

Are there any IIS settings that I need to change in order for this to work? I currently have Anon=Enabled, ASP Impersonation=Enabled, Forms Auth=Enabled and Basic Auth=Disabled.

Your help is greatly appreciated as I have been searching for this solution for weeks.

Thanks, Bart

Bart Traudt
Anon can't be allowed for the Windows Auth page. The rest of the site is up to you, but if you allow anon access on a 401 redirect, you'll get an error. See if that solves the problem, or we can dig deeper.
drachenstern
Changed Anon=Disabled and still works in localhost but not on webserver.
Bart Traudt
@Bart Traudt ~ So to recap: The files are running on the same server, the only difference is whether you hook into the debug mode? That sounds odd. Is it localhost? Have you tried inserting Fiddler into the mix to see what the back and forth between the browser and the client is? Which browser are you testing with? Have you tried using Firefox to make sure it's prompting for a password (if not, different concern). (PS: Respond to me with @drachenstern in your comment and I'll see your response on my SO page sooner)
drachenstern
@drachenstern Recap: Files on same server and only diff is debug mode. Yes, localhost works: http://localhost:62907/lan.ema.us/Winlogin.aspx? works, but http://lan.ema.us/Winlogin.aspx? does not. I have tried IE and Firefox with both the same results. However, I am not sure when it is supposed to prompt for the password because right now it just authenticates against the AD in debug mode and displays the Domain/user. But the webserver doesn't even let me get that far. Installed Fiddler but don't know how to read it yet.
Bart Traudt
@Bart Traudt ~ So are you familiar with what 200 and 401 mean? I presume so. That's what you're looking for in Fiddler (make sure you've started it with F12). You want to know if the browser is doing a 30x redirect or a 401 redirect. Every resource (identified by its own URI) will cause the browser to (check cache and then if not found) issue a request to a server. The HTTP code 200 means successful, so you'll see a lot of those in Fiddler. Use it to monitor a new connection to Google that you already understand. So long as we know if it's trying a 401, that's what we want.
drachenstern
Oh, that reminds me, you did disable forms for that particular page, right? In Firefox it will never "just" send the domain\user so it will always prompt you for credentials. Hence the reason why I recommend to test with Firefox. Also, you may need to clear cookies for the server. ~ Since this looks to be getting longwinded, you can use my nick on gmail if you have an account and we can do an offline chat. I can also provide you my skype if you would like that.
drachenstern
@drachenstern According to Fiddler, it is doing a 302 from the Default.aspx, but a 401 once it hits my WebLogin.aspx. I have been trying to piece together a solution from different forums... could it be possible that my settings are correct and I just don't have the proper code-behind for this type of authentication? Any help you could provide with code behind would be greatly appreciated if that's what you think it is. Thanks
Bart Traudt
+2  A: 

@drachenstern: I'm trying to accomplish the same thing that's outlined here, I believe. I want valid Windows domain users to be automatically authenticated (no user/password popup dialog); and I want others taken to a forms auth login page (which I believe you've called Winlogin.aspx). I believe I understand why your snippet of Web.config would achieve the desired effect. However, the way this question thread evolved, the various instructions, tips, etc. are scattered around; and I'm not sure I have all the required information. Any chance you could collate all the steps into a tutorial? I'm thinking of:

  • In IIS7 Manager, what are the required authentication settings for the web site?
  • Does it matter if the asp.net app is a virtual directory (app) or the root of the web site?
  • What does the <authentication> element within <system.web> look like?
  • You outlined a <location> element for Winlogin.aspx? Any other location elements for pages and/or folders?
  • What happens in Winlogin.aspx when accessed by an authenticated Windows user to skip the forms authentication and keep the user logged in (i.e. the typical forms auth ticket stuff?)?
  • Anything else in the way of prerequisites, IIS and/or Web.config settings, or code that's required for this to work?

Thanks much,

Donnie

soccerdad
Ya know, I think you're right, I think a tutorial would be better, or at least a once through walkthrough, but I'm not able to do it right this moment. I'm more than happy to help you offline, and maybe we could collab on the tutorial, since you're in a prime position to make screenshots while you work. You can reach me at this nick on gmail.com (or orkut, or wave, or twitter)
drachenstern
@soccerdad ~ I emailed you, let's bump heads and see if we can't make a tutorial, mkay?
drachenstern
I should have explicitly mentioned that for our application, the users have to automatically end up at the forms auth page, versus knowing to explicitly go to that page or click a corresponding link.
soccerdad
A: 

@drachenstern or @soccerdad perhaps I'm blind but did you guys ever create the tutorial you were talking about? If so could I get a copy to check it out? I am using IIS7. BTW guys, really cool thread.

Deathbat
No 'cos we discussed it offline and we were really going in two different directions. What are you having issues with? I think I need to make one tweak to my IIS install and I haven't done that. Since you commented this I actually made that tweak on my box, now I need to test it. Only on IIS7, not on IIS6. If you gmail me I'm more than happy to answer any questions, or to revive the idea of the tutorial on this. I've started collabing with some jQuery folks on some other tutorials, so maybe now I'll start writing stuff up. Yay documentation :\ ;)
drachenstern
A: 

@drachenstern

Tried to contact you over email, but no reply. So thought I would try here.

Any chance you could elaborate a bit more on how you did this? It's not very clear from your post which way you went.

So my question is:

  1. Do all AD-authenticated users have to hit the site using a special URL? Or
  2. You send all users to the WindowsLogin.aspx and then if a 401 send them to the normal forms login page.

Thanks, Soeren

Soeren