I have an asp.NET webapplication running in our datacenter in which we want the customer to logon with single sign-on. This would be very easy if we could use the IIS integrated security. However we can't do this. We don't have a trust to the domain controller of the customer. ANd we want to website to be available to the general internet. Only when people are connecting from within the clients network they should automatically login.
What we have is a list of domain accounts and a way to query the DC via LDAP in asp.net code. When anonymous access is allowed in IIS, IIS never challenges the browser for credentials. And thus our application never gets the users credentials.
Is there a way to force the browser into sending the credentials (and thus be able to use single sign-on) with IIS accepting anonymous request.
Update:
I tried sending 401: unauthorized, www-authenticate: NTLM headers by myself. What happens next (as Fiddler tells me) is that IIS takes complete control and handles the complete chain of request. As I understand from various sources is that IIS takes the username, sends a challenge back to the browser. The browser returns with encrypted reponse and IIS connects to the domain controller to authenticate the user with this response.
However in my scenario IIS is in a different windows domain than the clients and have no way to authenticate the users. For that reason building a seperate site with windows authenticaion enabaled isn't going to work either.
For now I have to options left which I'm researching:
- Creating a domain trust between our hosting domain and the clients domain (our IT department isn'tto happy with this)
- Using a NTML proxy to forward the IIS authentication requests to the clients domain controller (we have a VPN connection available to connect via LDAP)