Reputation: 289
This has been possible up to .NET 4.0 and IIS 7.5.
The general idea is that you enable anonymous and forms authentication for your intranet site and in a subdirectory you enable windows authentication together with forms authentication and turn off anonymous. By disabling the forms 401 => 302 redirection with some custom code you will be able to get a hold of the users username and domain.
If you google for a solution all roads seem to lead to this blog/solution: http://mvolo.com/iis-70-twolevel-authentication-with-forms-authentication-and-windows-authentication/
However, when upgrading to .NET 4.5 and IIS 8 it breaks, always forcing a 302 redirect to the login page and leaving no means of getting hold of the username.
Has anyone solved this yet?
Upvotes: 9
Views: 12393
Reputation: 5149
I made an MVC 5 solution that makes it look like an external provider; the full source code is here:
https://github.com/MohammadYounes/MVC5-MixedAuth
I didn't have the chance to test it on IIS 8, try it and let me know.
Upvotes: 8
Reputation: 6253
Per my testing of this setup (.NET 4.5 / IIS 7.5 with both Windows authentication and forms authentication enabled), the following condition is true (after the user successfully authenticates via Windows auth), which can theoretically be used to determine a way around this issue:
(System.Web.HttpContext.Current.User.Identity is System.Security.Principal.WindowsIdentity)
You did not post any code, so I can't say for sure how you would solve your problem. Are you creating a custom forms authentication ticket?
It seems that Windows authentication now trumps the Forms authentication, and Request.IsAuthenticated == true even before the code creates the Forms authentication ticket! Very annoying; this caused problems for one of my customers when they decided to install .NET 4.5, after they had been working fine for several years by mixing both Windows and forms auth. For now (until a patch is ready, and the customer has time to test and deploy it) the solution was to remove .NET 4.5 and re-install 4.0. If they really think they need 4.5 for something, they will use a different machine.
For example, you could create a custom identity class with your own version of bool IsAuthenticated instead of relying solely on Request.IsAuthenticated (again, you didn't post code so I can only assume this is what you are doing). Then the solution involves checking whether the forms authentication ticket exists in the case where these two factors are true:
System.Web.HttpContext.Current.Request.IsAuthenticated && (System.Web.HttpContext.Current.User.Identity is System.Security.Principal.WindowsIdentity)
You can no longer rely solely on Request.IsAuthenticated because, technically, the request was authenticated when the user authenticated via Windows auth. (Whereas before, when mixing Windows auth and forms auth, Request.IsAuthenticated was not true until the forms authentication ticket was created.)
Upvotes: 0
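Added example of the check the answer above describes (not code from that answer, the question, or the linked projects): it tells a Windows-only identity apart from a completed forms login by decrypting the forms cookie instead of trusting Request.IsAuthenticated alone. The class name MixedAuthState and the HttpContextBase parameter are my own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (hypothetical helper): on .NET 4.5 Request.IsAuthenticated is already true after
// the Windows handshake, so "has a forms ticket" must be checked explicitly.
public static class MixedAuthState
{
    // Returns the decrypted forms ticket when a valid, unexpired one is present; otherwise null.
    public static FormsAuthenticationTicket GetFormsTicket(HttpContextBase context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            // Decrypt may return null for undecodable input; an expired ticket counts as absent too.
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (Exception ex) when (ex is ArgumentException
                                || ex is HttpException
                                || ex is CryptographicException)
        {
            // Cookie was not produced under this application's machine key: treat as no ticket.
            return null;
        }
    }

    // True when the current principal came from Windows authentication rather than a forms ticket.
    public static bool IsWindowsAuthenticated(HttpContextBase context)
    {
        return context.Request.IsAuthenticated
            && context.User != null
            && context.User.Identity is WindowsIdentity;
    }

    // Replacement for "Request.IsAuthenticated" in app logic that means "the user passed forms auth".
    public static bool HasCompletedFormsAuth(HttpContextBase context)
    {
        return GetFormsTicket(context) != null;
    }

    // "windows-only" is the state where the app should still run its own sign-in step
    // (e.g. issue the forms ticket) instead of treating the request as fully signed in.
    public static string Describe(HttpContextBase context)
    {
        if (HasCompletedFormsAuth(context)) return "forms";
        if (IsWindowsAuthenticated(context)) return "windows-only";
        return "anonymous";
    }
}
```

Call Describe(new HttpContextWrapper(HttpContext.Current)) from a handler or controller; anything other than "forms" means the forms ticket has not been issued yet, whatever Request.IsAuthenticated says.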