Is this IIS configuration possible, and if not, what would you suggest? - asp.net

Is it possible to configure an IIS website to provide domain credentials to an ASP.Net application if the user is logged into a particular domain, and use anonomous if they are coming in from the internet?
Will I need seperate virtual directories, one with domain only and one with Anon only?
I have an application follows different code paths depending on wether or not the user is autenticated against the intranet domain, but also need to allow login attempts from outsite the intranet, so the site itself is hosted outside of the intranet.

Looks like if anon access is on it will only use that, and I will need to setup two virtual directories.

Related

Two web applications on a single domain

A client has a business application installed on their local server, with a database of their customers. I have to implement an application (web or win) which will query the database and send mails to customers based on certain rules.
However, one of the requirements is that a mail should have a link allowing their customers to confirm or cancel certain appointments, and the problem is that my client wants to have these links having the same domain as their web site, which is already hosted somewhere else.
The way I see it, the only way to do this is for them to allow me to access their existing site, and add the necessary functionality there directly, but they are no too happy about it.
Is it possible to add a separate application to that same hosting provider, which would sit in the same domain?
Or do you have a better idea?
You could use subdomains or use a subdirectory and make it an application in IIS.
1) Subdomain
Add a new website in IIS and add binding to a subdomain. So lets say their main website is www.company.com you will add binding yourwebapplication.company.com
2) in IIS select the website, right click and choose: Add Application
The website does not have to be fysically in a subfolder, it can be anywhere as long as you have the rights set correctly.
You can use an IIS Virtual Directory for this.
Create a Virtual Directory (IIS 7)

Is it possible to have both Forms Authentication and Windows Authentication in an ASP.NET site?

I have a site where the vast majority of the content will be secured using Forms Authentication. However there is one sub folder that will be used internally by the administrative staff. I would like to secure this folder using Windows Authentication. Is that possible? Would I have to make the admin folder a virtual directory?
CLARIFICATION: There is no need for the administrative staff to access the main site. They are really two separate sites/apps. Regular users will access the main application via Forms Authentication (and never access the admin folder). And admin users will access the admin application via Windows Authentication (and never access the main site).
Thanks,
Corey
Yes, it's possible but you have to build a custom membership provider or an interface to allow for it. It is not possible to specify individual authentication methods on sub-folders unless they are in completely separate projects/application domains.
One method to accomplish this would be to use an LDAP membership provider and change the ldap connection based on the username (if there is a discernible method of doing this).
One other method would be to provide a separate website that uses the Windows authentication to perform the login and then constructs a custom cookie for the user and transfers them back to the original website identifying the individual as a member of the administrative staff.
Then the folder could be secured using the <location> elements in the web.config.
If I was going to build a site with Mixed authentication, I would setup the site to use webforms. I would then setup a virtual application inside of this application that consisted of the same forms auth web.config information but set to use Windows Auth.
On the login page of the windows auth site after you validate their credentials I would then manually call FormsAuthentication to create the auth token. At this point you can then redirect the user to the Forms Auth site and they should be logged in (as long as all the forms auth cookie information is the same for both sites, this might also include needing to setup the same machine keys for both applications).
I haven't done this specifically but this should definitely be a viable (and probably one of the most optimal) solutions.
It may be as simple as right-clicking on the admin folder in Windows Explorer and setting the rights in the Security tab.
Put the administration site in its own application - by right clicking on the folder in IIS manager and and choose convert to application.
Once that's done you can adjust the authentication method on the application by highlighting the application folder in IIS manager and then choosing authentication and adjusting them (or you can do it the hard way via web.config if you can't remote into the machine).

cross domain integrated windows authentication in IIS for ASP.NET intranet website

I built an INTRANET ASP.NET website for which authentication is set to "integrated windows authentication" and in authorization section of web.config, I have specified the AD groups (domain\groupname) to restrict the access to only to the members of those AD groups. multiple AD groups are specified in web.config (domain1\group1, domain2\group2 etc). now this works fine for users of one domain1 (where it is hosted), but for users of another domain (domain2), they get a prompt to enter their windows credentials and if they enter it, then it works and they can access the site without any problem. but I would like to avoid this login prompt, because I granted access to groups of both domains. why are they getting this prompt and is it possible to suppress it? do I need to configure something in IIS or web.config for it? Thanks in advance.
I believe users in Domain2 can add your website, hosted in Domain1, to their list of Intranet Sites in Internet Explorer->Internet Options->Security->Local Intranet Zone. This zone should automatically log on with the current user name and password. You could make this an AD policy.
I'm not sure that you can do this - I believe that users from outside the hosted domain will always be prompted for credentials with 'integrated' security.
You could probably use forms authentication to handle multiple domains. I am heading down the Windows Indentity Foundation path myself (which I have no desire to learn) so I'd love for someone to tell me I'm wrong about this!

Windows authentication - testing for different users

My application does not have any roles.
However I use windows authentication to stop anonymous users from accessing the webpages.
I need to test different users using the system.
I do not want to know different users passwords and I cannot set up dummy users in Active Directory.
So how do I do this?
Set up a virtual server with Active Directory Domain Services and IIS on it. Build yourself a domain for your testing and create your dummy users there. Then you can put your ASP.NET application on it and test your app using the different users, but it'll be completely sandboxed from your live Active Directory setup.

Sharing authentication between IIS applications on same domain

I have an IIS website on www.example.com
and a virtual directory at www.example.com/demo/
How can I use the authentication cookie from www.example.com in my virtual directory?
You are looking for a Single Site Login solution. If the article I linked to doesn't help you, there's plenty more on google when you know what to search for ;)
The cookies are shared in the same domain, even shared between applications.
I have used the same cookie to share authentication between a Classic ASP app and a .net app without problems.
Just use the same rules to encrypt or store the cookie.
A solution would be to use integrated authentication. This way the user look up, and authentication authority used, will be the same accost all sites with the servers on the same domain. If you are using something like basic or kerberos authentication then your authentication will not pass between sites even on the same server and possibly between parts of the site that run under different threads, eg a different app pool.
Use session data in asp or cookies to share session information on the same site between pages. Cookies will work even if the virtual folders are shared in a different pool. Just code around the requirements of your virtual directory, in case its shared between multiple sites.
P.S. If you are already using cookies, just have the code in your virtual be the same as what you are using on the other pages.
What are the additional requirements for the virtual? Is it on the same server?

Resources