Tuesday, 23 February 2010

Mixed Mode Authentication in ASP.NET

I'm currently looking at implementing mixed-mode authentication in ASP.NET 3.5. I've looked around the web and found two solutions.

1. Create two virtual directories. The first implements Windows authentication: it takes credentials from Active Directory, stores them in a cookie and feeds them into the forms auth on virtual directory 2. VD2 will have a login page for anonymous users, but will bypass the login if a valid request is received from VD1.
Described here: http://www.15seconds.com/Issue/050203.htm

2. Create one virtual directory. Implement forms auth in web.config and deny anonymous users globally, but make an exception for anonymous users on WebLogin. Create WinLogin and WebLogin aspx pages. In IIS, specify Windows integrated auth and deny anonymous users for WinLogin. However, this requires using JS in custom 401 pages to take a user to WebLogin.aspx.
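
The web.config side of option 2, as an added example that is not from the original post. The `loginUrl` value, the cookie settings and the assumption that both pages sit at the application root are mine; the IIS settings on WinLogin.aspx and the custom 401 page are configured in IIS and are not shown.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication for the whole application -->
    <authentication mode="Forms">
      <!-- Assumption: unauthenticated requests are sent to WinLogin.aspx first.
           protection="All" encrypts and validates the ticket; requireSSL keeps
           the auth cookie off plain HTTP. -->
      <forms loginUrl="WinLogin.aspx"
             protection="All"
             requireSSL="true"
             timeout="30" />
    </authentication>

    <!-- Deny anonymous users globally ("?" means unauthenticated) -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exception: anonymous users may reach the forms login page -->
  <location path="WebLogin.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```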

In the end I opted for option 1. This allowed me more control over the process without relying on custom 401 pages (a bit of a messy solution). However, instead of cookies, a database was used, as we didn't store both applications on the same server. With this solution, you can provide a forms auth link to client users, and internal users can have a separate access point (in our case it was admin users).

1 comment:

Jon said...

Out of curiosity, which did you go for? I'm doing exactly the same at the moment and could do with a little direction....