MVC Web App Windows Auth (Intranet) and Credentials if (Internet)

Question

Our client requested from us to make our web application accessible from Intranet and Internet. When user tried to access the website from Intranet, The user should be logged in immediately (Windows Auth) ... The user should have public access also (e.g. Home, Coffee shop), But in this case he should use his credentials and the server will check if its valid.

Any advises?

Answer 1

We decided not to use Windows Auth at all. The customer want to stay logged in if he is in the Intranet. so we did the following (and the customer is ok with that)

1. Forms Auth + 'Keeps me logged in' checkbox
2. Validate Credentials with AD.
3. Check if User in trusted IP Addresses Range (Something like allowed IP addresses in SQL Azure)
4. If trusted IP Range, user becomes authenticated.
5. If its not, Two factor auth by sending SMS.

One more reason for not using Windows Auth. The user want to log-out at anytime to use different credentials to do some special tasks.

Usually customers do not know what exactly they want, so we will start dreaming and make things complicated. 'Simply keeps me logged in' for trusted IP addresses and he will stay logged in for N days.

Answer 2

This is the standard way Integrated Windows Authentication works. If you're inside the intranet (logged onto the domain), IE will automatically send your credentials when the website returns 401.2 (no auth method specified). When you're not inside the domain, the credentials will have to be prompted for, since the domain server cannot be contacted from the client machine.

This is not the same as the "tricky" solution you referred to. That solution is tricky because it also uses forms authentication, which you don't need here (AFAIK).