NTLM and automatic Anonymous authentication IIS

Question

I have an MVC application for our intranet which uses NTLM authentication however I want to be able to allow external users to access the application. All external connections to our intranet come via a NAT and therefore have a single IP address which can be used to denote if the request is external or not. I want all internal users to undergo NTLM authentication as they already do but any connection coming from the external IP to automatically get anonymous authentication ("anonymous" being any potential default user eg the standard Network Service or IUSR_ account, a specified domain user (severely locked down for other purposes of course) etc). The result being no one should see a password request unless internal and having a browser that does use NTLM by default.

I know usually mixed mode authentication is awkward at best but I was wondering if this specific use case might have some other way round the problem. Some of the possibilities I've considered are:

1. Intercepting the requests before they get to the WindowsAuthenticationModule, either in IIS, one of the events in global.asax or an HTTPHandler, so that we can inject authentication for a designated user.
2. At the NAT is there a way to inject NTLM headers in the HTTP Request for a designated user.
3. As the external users get to it via a different host (the DNS is handled at their end to fit in with their naming conventions) get IIS to serve a simple proxy site that takes a request, forwards the request to the main website using NTLM of a designated user then sends the response back to the original requester.

Answer 1

I developed a website using the request interception method you describe. Here is a link with the details.