Here's the flow I'm looking for for authentication:

  1. Attempt to pull in the user's name from Windows authentication
  2. If that failed (user is external to network), use BASIC authentication to get the username/password.
  3. Check the username/password against the SQL database. If Windows, a password isn't required; if BASIC authentication and the password is incorrect, prompt again
  4. Create the Identity object with the user name, and populate the user's roles via another SQL database call

This would need to be used for multiple applications.

What would be the best method of implementing this? Creating an HTTPModule? If so, what do I need to keep in mind (security, virtual directory setup, etc.)?

+3  A: 

This type of authentication is called Mixed Mode authentication (some Google searches on this will get you a lot of hits). We have a flavor of this running on a site I work on, however there are some quirks to our setup that have to do with odd business requirements.

Here is an article that might get you going on the subject: http://www.15seconds.com/Issue/050203.htm

It is a big topic to give a huge detailed explanation of how you could set it up in one post.

Good luck!

Jim Petkus
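
The four steps from the question, sketched as an `IHttpModule`. This is an added example, not code from the thread or the linked article. `ICredentialStore`, `MixedAuthModule` and the realm string are hypothetical names, and the sketch assumes IIS hands ASP.NET an authenticated `WindowsIdentity` for internal users and an unauthenticated one for everyone else.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
public interface ICredentialStore  // hypothetical SQL-backed store, not from the thread
{
    bool UserExists(string userName);                       // step 3, Windows path
    bool VerifyPassword(string userName, string password);  // step 3, Basic path
    string[] GetRoles(string userName);                     // step 4
}
public class MixedAuthModule : IHttpModule
{
    public static ICredentialStore Store;  // assumption: assigned at application start
    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }
    private static void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string user = null;
        // Step 1: identity already established by Windows authentication.
        WindowsIdentity win = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
        if (win != null && win.IsAuthenticated && Store.UserExists(win.Name))
            user = win.Name;
        else if (ctx.Request.IsSecureConnection)  // Step 2: Basic, only over TLS
            user = FromBasicHeader(ctx.Request.Headers["Authorization"]);
        if (user == null)
        {
            // Step 3: prompt (again) over TLS; never invite credentials over plain HTTP.
            ctx.Response.StatusCode = ctx.Request.IsSecureConnection ? 401 : 403;
            if (ctx.Request.IsSecureConnection)
                ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"example\"");
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }
        // Step 4: principal carrying the roles loaded from the database.
        ctx.User = new GenericPrincipal(new GenericIdentity(user, "Mixed"), Store.GetRoles(user));
    }
    private static string FromBasicHeader(string header)
    {
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return null;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return null; }
        int colon = decoded.IndexOf(':');  // split on the first ':'; the password may contain more
        if (colon <= 0) return null;
        string name = decoded.Substring(0, colon);
        return Store.VerifyPassword(name, decoded.Substring(colon + 1)) ? name : null;
    }
}
```

An implementation of `VerifyPassword` should compare salted password hashes rather than stored plaintext, and both database lookups should use parameterized queries.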