Why is web user authenticated through NTLM?

Question

I'm using forms authentication and launching a site from Visual Studio 2010. It is using the Visual Studio Development (web) Server and not IIS. The web.config has:

<authenticaion mode="Forms">
  <forms name=".MyApp" protection="All" cookieless="UseCookies"/>
</authentication>

The login page is using the ASP.NET login control. Before the user even logs in, I can see following:

HttpContext.Current.Request.LogonUserIdentity.AuthenticationType == "NTLM"
HttpContext.Current.User.Identity == System.Security.Principal.GenericIdentity
HttpContext.Current.User.Identity.AuthenticationType == "NTLM"

This user seems to be authenticated as a local system user and not a web user. Doesn't this mean the user will always be authenticated, regardless if they logged into the site or not?

How is a web user NTLM?

Answer 1

If I'm not mistaken you're seeing yourself as being the User (being authenticated) running Visual Studio (in your user context) when you are debugging using VS and it's dev server.

Visual Studio runs in your context (your Windows user account/permissions, etc.) - Request.LogonUserIdentity.User

It shouldn't affect your debugging of Web Forms/Forms Authentication. After successful Forms Auth Login, you can obtain HttpContext.User.Identity.Name of the "forms auth user" (web user).

Answer 2

As far as I know cassini does does not support Windows authentication.

Its runs as a local system account and thats what you see as NTLM authenticated.

If you are developping/debugging security features for an Asp.Net application (or WCF) I highly suggest you deploy to IIS.