tags:

views:

2527

answers:

3

I have an ASP.NET web application running in our datacenter in which we want the customer to log on with single sign-on. This would be very easy if we could use the IIS integrated security. However, we can't do this. We don't have a trust to the domain controller of the customer. And we want the website to be available to the general internet. Only when people are connecting from within the client's network should they automatically be logged in.

What we have is a list of domain accounts and a way to query the DC via LDAP in ASP.NET code. When anonymous access is allowed in IIS, IIS never challenges the browser for credentials, and thus our application never gets the user's credentials.

Is there a way to force the browser into sending the credentials (and thus be able to use single sign-on) with IIS accepting anonymous requests?

Update:

I tried sending the 401: Unauthorized and WWW-Authenticate: NTLM headers myself. What happens next (as Fiddler tells me) is that IIS takes complete control and handles the complete chain of requests. As I understand from various sources, IIS takes the username and sends a challenge back to the browser. The browser returns with an encrypted response and IIS connects to the domain controller to authenticate the user with this response.

However, in my scenario IIS is in a different Windows domain than the clients and has no way to authenticate the users. For that reason, building a separate site with Windows authentication enabled isn't going to work either.

For now I have two options left which I'm researching:

  1. Creating a domain trust between our hosting domain and the client's domain (our IT department isn't too happy with this)
  2. Using an NTLM proxy to forward the IIS authentication requests to the client's domain controller (we have a VPN connection available to connect via LDAP)
A: 

Not sure that you'll easily get this to work. Unlike Basic, where the 401 challenge happens in-band of the user request - such that the creds appear in the headers - NTLM handshakes are done on a separate port, then forced onto the thread context by unmanaged code.

Have you tried pulling apart the ASP.NET NTLM module in VS2008 (or Reflector) to see what it does to extract the creds?

Not really an answer - sorry...

stephbu
A: 

This solution is about forms authentication, but it details the 401 issue.

The solution was simply to attach a handler to the Application's EndRequest event by putting the following in Global.asax:

protected void Application_EndRequest(object sender, EventArgs e)
{
    // Only rewrite the response when an earlier stage of the pipeline flagged this request
    if (Context.Items["Send401"] != null)
    {
        Response.StatusCode = 401;
        Response.StatusDescription = "Unauthorized";
    }
}

Then, in order to trigger this code, all you have to do is put a

Context.Items["Send401"] = true;

Edit:
I've used this method with Anonymous and Integrated turned on to get the user's domain credentials. I'm not sure if it'll work in your situation, but I thought it was worth a shot.

Greg
Greg, that works great for Basic Authentication - it's easy to get the creds for forms - I've done this for SPS before. Are the creds attached to the request for NTLM as well? I've only ever seen this work for Basic Auth.
stephbu
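As an added example (not code from the question or from any of the answers): an HttpModule that combines Greg's EndRequest trick with the question's requirement that only visitors from the customer's network are challenged, while everyone else stays anonymous. It assumes IIS has both Anonymous and Windows authentication enabled on the site and that IIS can actually validate the NTLM response, i.e. one of the two options listed in the question (domain trust or NTLM proxy) is in place; the 10.20.0.0/16 range and the module name are constructed placeholders.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Web;

// Hypothetical module; register it in web.config under system.webServer/modules.
public class SelectiveChallengeModule : IHttpModule
{
    // Constructed sample value: the customer's office network as seen over the VPN.
    // This range only decides whether to send a challenge; it grants nothing by itself,
    // the proof of identity is still the NTLM response IIS validates against the DC.
    private static readonly IPAddress TrustedNetwork = IPAddress.Parse("10.20.0.0");
    private static readonly IPAddress TrustedMask = IPAddress.Parse("255.255.0.0");

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.EndRequest += OnEndRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // IIS already completed the handshake on this request: nothing to do.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated) return;
        // UserHostAddress is the TCP peer; behind a reverse proxy it would be the proxy.
        if (IsInTrustedNetwork(ctx.Request.UserHostAddress))
            ctx.Items["Send401"] = true;  // public-internet visitors stay anonymous
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Items["Send401"] == null) return;
        // Same approach as Greg's Global.asax handler: a 401 set at EndRequest lets IIS
        // add WWW-Authenticate for the enabled Windows providers and run the handshake.
        ctx.Response.StatusCode = 401;
        ctx.Response.StatusDescription = "Unauthorized";
    }

    public static bool IsInTrustedNetwork(string remoteAddress)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddress, out ip)) return false;
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false;
        byte[] a = ip.GetAddressBytes(), n = TrustedNetwork.GetAddressBytes(), m = TrustedMask.GetAddressBytes();
        for (int i = 0; i < 4; i++)
            if ((a[i] & m[i]) != (n[i] & m[i])) return false;
        return true;
    }

    public void Dispose() { }
}
```

Without a trust or an NTLM proxy, IIS will still be unable to validate the response it receives after this challenge, which is the situation the question describes.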
+2  A: 

What you're asking for is called mixed mode authentication. I've recently used a two entry-point mechanism from Paul Glavich and it works perfectly. I guess it's the most elegant solution for this problem.

cruster