views:

320

answers:

1

In IIS 7.5 under Windows 7 Ultimate, I have an application which is configured for authentication as follows: Anonymous & Windows.

In the ASP.NET website, I have turned on Forms authentication and set identity impersonate = true. I also deny any anonymous users.

<authentication mode="Forms">
</authentication>
<identity impersonate="true"/>
<authorization>
  <!-- the attribute is "users" (plural); "?" is the anonymous user, "*" is everyone -->
  <deny users="?" />
</authorization>

IIS complains. What am I doing wrong? What I want to achieve: I want the Windows logged-on user so I can build a FormsAuthentication ticket and pass it to a passive STS. So in IIS I have Anonymous and Windows. If I have only Windows ticked, I cannot go onto the Login.aspx page, as I have an extra parameter to be passed from there. So now in web.config I disable anonymous users by saying deny users="?", so it leaves me with the authenticated Windows user but using Forms Authentication. You know what I mean?

http://msdn.microsoft.com/en-us/library/ff649264.aspx

If you look at Table 4 (IIS Integrated Windows for IIS, then the Web.config setting, 3rd row), the WindowsIdentity is accordingly Domain\Username. It works on IIS 6.0 (Windows 2003) and IIS 5.1 (XP).
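The flow the question describes (take the Windows identity IIS already authenticated, mint a Forms ticket from it, carry the extra parameter along, then send the user on to the STS) as a code-behind for Login.aspx. This is an added example, not code from the question or from the MSDN article; the name of the extra parameter (`wctx`) and the 20-minute ticket lifetime are assumptions, and it presumes Windows authentication is enabled in IIS for Login.aspx so that `Request.LogonUserIdentity` is a real domain user rather than the anonymous token.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Assumed code-behind for Login.aspx (hypothetical page; not from the original post).
public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The identity IIS authenticated for this request: DOMAIN\user when
        // Windows authentication handled the request, the anonymous (IUSR) token otherwise.
        WindowsIdentity winId = Request.LogonUserIdentity;

        // Refuse to mint a ticket for anyone IIS did not actually authenticate;
        // with Anonymous still enabled in IIS this branch is reachable.
        if (winId == null || winId.IsAnonymous || !winId.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // The "extra parameter" from the question; parameter name is an assumption.
        string extra = Request.QueryString["wctx"] ?? string.Empty;

        // Build the Forms ticket from the Windows account name and carry the
        // extra value in UserData so the STS side can read it back after decrypting.
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                       // ticket version
            winId.Name,              // DOMAIN\Username from IIS Windows auth
            now,
            now.AddMinutes(20),      // assumed lifetime
            false,                   // not persistent
            extra,                   // user data
            FormsAuthentication.FormsCookiePath);

        // Encrypt + MAC with the machineKey so the value cannot be forged or read by the client.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                          // keep script from reading the ticket
            Secure = FormsAuthentication.RequireSSL,  // honours <forms requireSSL="true">
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);

        // Continue to wherever Forms auth originally bounced the user from.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(winId.Name, false), false);
    }
}
```

Two things to check when using this: the ticket's `UserData` is encrypted but it is still per-application state, so both the issuing page and whatever reads it must share the same `machineKey`; and because the ticket is built from `Request.LogonUserIdentity` rather than `User.Identity`, it reflects what IIS authenticated, not what the ASP.NET Forms module currently thinks the user is.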

A: 

If this is an application that leverages claims based identity, then the responsibility of authenticating users is in the STS itself, not in the app.

If you are configuring your (web) application to trust an external STS, then your authentication mode would be "None" and you'd have a whole section in the config file for "Microsoft.identityModel". You would then configure the STS address there (the issuer attribute). Something like this:

<microsoft.identityModel>
<service>
  <audienceUris>
    <add value="https://aexpense-dev.adatum.com/" />
  </audienceUris>
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="https://localhost/Adatum.SimulatedIssuer/" realm="https://aexpense-dev.adatum.com/" requireHttps="true" />
    <!-- requireSsl="false" here is the sample's development setting; set it to "true" when the site is served over HTTPS -->
    <cookieHandler requireSsl="false" />
  </federatedAuthentication>
  <serviceCertificate>
    <certificateReference x509FindType="FindBySubjectDistinguishedName" findValue="CN=localhost"/>
  </serviceCertificate>
  <!-- "None" skips chain/revocation checks on the issuer certificate; acceptable for a local simulated issuer, not for production -->
  <certificateValidation certificateValidationMode="None"/>
  <applicationService>
    <claimTypeRequired>
      <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
    </claimTypeRequired>
  </applicationService>
  <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <trustedIssuers>
      <!-- only tokens signed by a certificate with this thumbprint are accepted -->
      <add thumbprint="f260042d59e14937984c6183fbc6bfc71baf5462" name="https://localhost/Adatum.SimulatedIssuer/" />
    </trustedIssuers>
  </issuerNameRegistry>
</service>
</microsoft.identityModel>

The STS itself might use Forms authentication or something else, depending on the implementation.

Eugenio Pace