CODEWITHSUNDEEP
c#asp.netauthenticationiisiis-7.5
Michele
Michele

Reputation: 111

IIS Mixed Anonymous and Windows Authentication

I need to create an ASP .NET web page (hosted on Windows Server 2008R2 with IIS 7.5) which should be visible by domain users and anonymous users without prompting credential requests for both of them. Domain Users should be authorized to see the entire page, while anonymous users can see the public part of the page.

I use the following string to discriminate anonymous users and domain users:

WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;

If WindowsAccountName is empty user is anonymous, otherwise is a domain user. Unfortunately, when anonymous authentication is enabled WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled non-domain users are prompted for credentials.

Do you have any solution for these problem? Keep in mind that domain users are spread among different networks so IP address is not a good choice to discriminate domain users and non-domain users.

it looks like a catch-22 for me

Thanks.

Upvotes: 9

Views: 10661

Answers (2)

Rishu Ranjan
Rishu Ranjan

Reputation: 574

I don't know if it's too late to post this.I recently worked on enabling anonymous authentication on one page in the .NET 4.8 MVC application.

Let's say the page was accessible via URL: User/MyCustomPage

Application configuration was as follows:

1. In web.config authentication mode was specified and authorization was 
   set to deny for anonymous users.

    <system.web> 
       <authentication mode= "windows"/>
       <authorization>
          <deny users="?"/>
       </authorization>
    </system.web>


2. In the controller, authorize tag was there.

3. In IIS, windows authentication was enabled, and anonymous mode was disabled.

I did the below steps:

1. Removed authorize tag from the specific controller and added 
   [AllowAnonymous] tag.

2. Enabled anonymous authentication in the IIS server. Go to
   server->authentication-> Anonymous-> click Enable in the right pane.

3. I had to add the particular path, to exclude it from regular
   windows authentication by writing the below code in web.config file.

    <location path="User/MyCustomPage"/>
      <system.web>
         <authorization>
           <allow users="?"/>
         </authorization>
      </system.web>
    </location>

But Still, I was getting prompt for windows credentials on accessing the above URL. The reason I found that was: The View that MyCustomPage was returning, was consuming another resource.

So, I have to add that path too in the web.config.

 <location path="Bundle/Content/css"/>
    <system.web>
       <authorization>
         <allow users="?"/>
       </authorization>
    </system.web>
 </location>

Upvotes: 1

Elim Garak
Elim Garak

Reputation: 1817

The term for this is Mixed-Mode Authentication. I have done this multiple times.

This can be accomplished by using a windows authenticated site that does no more that pull the users credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Other ways I have done this with an encrypted URL parameter that contains the user id and time-stamp.

Internal Site

Create a Redirect URL Site: Setup this site as Window Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).

a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.

b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.

External Site - No Changes required. Let the users login as-is.

Upvotes: 4

Related Questions