How to disable IIS credentials in ASP.NET

Question

Is there a way to disable IIS default authentication in global.asax or somewhere else depending on passed parameters.

A client requests the same form would be secured using IIS authentication and by providing authentication information in POST variables

Answer 1

This is not a complete answer, but may give you direction. If you are using IIS 7, then HttpModules are now native to IIS. That is, you can get an implementation of the IHttpModule interface to be used by IIS, regardless of what type of content is being served.

I suspect that you can wire such an HttpModule so that it will notice when IIS is failing a request due to a failure of Windows Authentication. If that is possible, then you might still be able to examine the POST variables and give the request a "second chance".

I also wonder if it might be possible with IIS 7 to turn this around - have the main site use anonymous authentication so that your code can check the form POST parameters. If that authentication fails, then redirect to the Windows Authentication site.

Answer 2

IIS authentication happens before the request is passed to the ASP.NET egine. Therefore, the answer to your question is "no".

However, by enabling anonymous access on IIS only, you can process any authentication (including Basic etc.) in your application without being "intercepted" by IIS.