Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

c# - IIS Mixed Anonymous and Windows Authentication

I need to create an ASP.NET web page (hosted on Windows Server 2008 R2 with IIS 7.5) that should be visible to domain users and anonymous users without prompting either of them for credentials. Domain users should be authorized to see the entire page, while anonymous users can see the public part of the page.

  • When I enable Windows authentication: domain users can see the entire page, but anonymous users are prompted for credentials.
  • When I enable anonymous authentication or both (anonymous and Windows): anonymous users can see the public part of the page, but domain users do not see the entire page (they are treated like anonymous users).

I use the following string to discriminate anonymous users and domain users:

WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;

If WindowsAccountName is empty, the user is anonymous; otherwise it is a domain user. Unfortunately, when anonymous authentication is enabled, WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled, non-domain users are prompted for credentials.

Do you have any solution for this problem? Keep in mind that domain users are spread among different networks, so the IP address is not a good choice to discriminate between domain users and non-domain users.

It looks like a catch-22 to me.

Thanks.


1 Reply


The term for this is Mixed-Mode Authentication. I have done this multiple times.

This can be accomplished by using a Windows-authenticated site that does no more than pull the user's credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Other times I have done this with an encrypted URL parameter that contains the user id and a time-stamp.

Internal Site

Create a Redirect URL Site: Set up this site as Windows Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).

a. This can be done either via an encrypted string on the URL or an encrypted value in a cookie. You can encrypt with an expiration date/time value too.

b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.

External Site - No changes required. Let the users log in as-is.
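
The hand-off described in the answer above (a ticket carrying the user id and an expiry, passed from the Windows-authenticated site to the anonymous site), as an added C# example that is not part of the original answer. It signs the ticket with HMAC-SHA256 rather than encrypting it, so the user id is readable but cannot be forged; the class name, the shared key and the in-memory replay cache are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Added example (not from the page); HandoffTicket and its members are hypothetical names.
public static class HandoffTicket
{
    // Redeemed ticket ids. Assumption: single process; a web farm needs a shared store.
    private static readonly HashSet<string> Used = new HashSet<string>();
    // Windows-authenticated site: call after IIS has identified the user.
    public static string Issue(byte[] key, string userId, DateTime utcNow, int lifetimeSeconds = 5)
    {
        long expires = utcNow.AddSeconds(lifetimeSeconds).Ticks;
        byte[] data = Encoding.UTF8.GetBytes(Guid.NewGuid().ToString("N") + "|" + expires + "|" + userId);
        return Convert.ToBase64String(data) + "." + Convert.ToBase64String(Sign(key, data));
    }

    // Anonymous site: returns the user id, or null when the ticket is rejected.
    public static string Validate(byte[] key, string ticket, DateTime utcNow)
    {
        string[] parts = (ticket ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] data, mac;
        try { data = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(mac, Sign(key, data))) return null;        // forged or altered
        string[] f = Encoding.UTF8.GetString(data).Split(new[] { '|' }, 3);
        long exp;
        if (f.Length != 3 || !long.TryParse(f[1], out exp) || utcNow.Ticks > exp) return null; // expired
        lock (Used) { if (!Used.Add(f[0])) return null; }               // already redeemed
        return f[2];
    }
    private static byte[] Sign(byte[] key, byte[] data) { using (var h = new HMACSHA256(key)) return h.ComputeHash(data); }
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;   // compare without exiting early on the first mismatch
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = new byte[32];   // constructed demo key; both sites would load one shared secret
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        DateTime now = DateTime.UtcNow;
        string t = Issue(key, @"CONTOSO\jdoe", now);   // constructed sample account
        Console.WriteLine(Validate(key, t, now.AddSeconds(2)) ?? "rejected");   // first redemption
        Console.WriteLine(Validate(key, t, now.AddSeconds(2)) ?? "rejected");   // same ticket replayed
        Console.WriteLine(Validate(key, Issue(key, @"CONTOSO\jdoe", now), now.AddSeconds(6)) ?? "rejected"); // past expiry
    }
}
```

Base64 output can contain '+', '/' and '=', so apply Uri.EscapeDataString before placing the ticket in a query string.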

