I have a classic ASP application currently secured using ASP.NET Forms Authentication running on IIS 6. The problem is that our purposes require this application to implement a single sign-on security model using Entrust TruePass, which uses client certificates, I believe. Can this be implemented using ASP.NET HTTP modules, or do I have to write an ISAPI filter? Are there other options available?
First off, let me state that I don't know a whole lot about HttpModules, but I would think you could write your own implementation of IHttpModule to handle the TruePass. See this link for more information: MSDN HttpModules.
From my experience, the biggest hassle of going back and forth between classic ASP and .NET is dealing with Session information. Something stored in a classic ASP session variable can't be read by .NET and vice versa. But since your FormsAuthentication is most likely using cookies, you have a means of going back and forth now.
I'm not sure about other options. If your business requirements are to keep the classic ASP code and to use the TruePass, then I would think you could make it work.
Hope that helps.
In order to fire the HttpModule, you have to have IIS send the request to aspnet_isapi.dll and then to the regular asp.dll. In most cases, if there is an endpoint in .NET, it won't pass the request back to IIS, but in IIS 6 you can define a handler for wildcards. See this article on securing non-.NET stuff using Forms Authentication: http://www.15seconds.com/issue/070104.htm
So what you would do is create your module, register it in web.config, and use it to do the authentication. As long as the endpoint doesn't match anything .NET will handle, it should let the request go back to IIS to go to asp.dll.
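A sketch of the module the answers describe, added here as an example and not taken from either poster or from Entrust: it gates every wildcard-mapped request on the TLS client certificate before IIS hands it to asp.dll. It assumes TruePass results in a client certificate being presented to IIS (as the question supposes) and that the site has SSL with client certificates enabled; the class name `ClientCertGateModule` and the issuer string are hypothetical placeholders.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Register in web.config once the IIS 6 wildcard mapping to
// aspnet_isapi.dll is in place:
//   <system.web><httpModules>
//     <add name="ClientCertGate" type="ClientCertGateModule" />
//   </httpModules></system.web>
public class ClientCertGateModule : IHttpModule
{
    // Hypothetical placeholder: replace with your issuing CA's name.
    // The real trust decision is still IIS's certificate trust store;
    // this is only a second, application-level check.
    private const string TrustedIssuerFragment = "CN=EXAMPLE-ISSUING-CA";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        HttpClientCertificate cert = ctx.Request.ClientCertificate;

        bool accepted = cert != null
            && cert.IsPresent
            && cert.IsValid
            && cert.Issuer.IndexOf(TrustedIssuerFragment,
                   StringComparison.OrdinalIgnoreCase) >= 0;

        if (!accepted)
        {
            // Fail closed: end the request here so it never reaches
            // the default handler and therefore never reaches asp.dll.
            ctx.Response.StatusCode = 403;
            app.CompleteRequest();
            return;
        }

        // Visible to ASP.NET code only. Classic ASP pages do not see
        // HttpContext.User; they can read Request.ClientCertificate.
        ctx.User = new GenericPrincipal(
            new GenericIdentity(cert.Subject, "ClientCertificate"),
            new string[0]);
    }

    public void Dispose() { }
}
```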