Friday, June 06, 2008

Mixing Forms and Windows authentication in ASP.NET

In ASP.NET it is easy to set the preferred authentication method in the web.config file.
For external websites this is mostly set to Forms authentication through your own Login.aspx. When you use Windows authentication, the authentication is handled by Windows, and you will automatically get a Windows logon window if the authentication failed.
With Forms authentication, users are logged in based on, for example, credentials stored in the application's database. With Windows authentication, users are logged in based on their Windows domain account.
How can you mix those two?
In this situation a client wanted to enable Windows authentication for the domain users, and Forms authentication for external users.
You can't do this through the web.config file. Let's first look at the methods:

Windows authentication
If you choose Windows authentication you can get the user name with the server variable LOGON_USER.

string user = Request.ServerVariables["LOGON_USER"];


If the user is not authorized, an IIS 401 security error page will appear. The server variable is then an empty string.

Forms authentication
With Forms authentication the user is redirected to a given login page (most likely login.aspx). In this page you can check the user in your database and authenticate them based on that result.

In the mix
If you mix those two you probably want to match the Windows user with the application users. However, first you must set up your application to accept both kinds of users.

I found a solution here. Basically it boils down to the following:

1. Set Forms authentication in your web.config.

2. Create an extra login page, Winlogin.aspx, and let that be the forms login page (in the web.config).

3. In IIS, set security on Winlogin.aspx so that it won't allow anonymous users.

4. In Winlogin.aspx, determine whether the user is authenticated based on their Windows account. If you have the user you can also (if needed) check whether they are in your own database and, if OK, redirect from this page:

FormsAuthentication.RedirectFromLoginPage(UserId, false);

5. If the user is not authenticated, the IIS 401 security error will be shown. You can, however, redirect to your own HTML page in IIS by setting the custom error redirect.

6. In your OwnRedirect401.html, redirect to your 'normal' Login.aspx with, for example, a META redirect like this:

<meta http-equiv="refresh" content="0;URL=Login.aspx" />

Note that you must exclude login.aspx as a protected page in your web.config. In other words, allow anonymous users; otherwise you will end up on your Winlogin.aspx again.
<location path="login.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
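
A sketch of the Winlogin.aspx code-behind from step 4, added here as an example; it is not code from the original post or the MSDN article. The domain name "CORP", the ResolveApplicationUser helper and the in-memory user table are assumptions standing in for your own domain and database lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;
using System.Web.UI;

// Code-behind for Winlogin.aspx. IIS has anonymous access disabled on this
// page only (step 3), so LOGON_USER is filled in by Windows authentication.
public partial class Winlogin : Page
{
    // Assumption: only accounts from this domain may use the Windows path.
    private const string AllowedDomain = "CORP";

    // Constructed sample data: Windows account name -> application user id.
    // Replace with a lookup in the application's own user table.
    private static readonly Dictionary<string, string> AppUsers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "jdoe", "1001" },
            { "asmith", "1002" }
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        string userId = ResolveApplicationUser(Request.ServerVariables["LOGON_USER"]);
        if (userId == null)
        {
            // No usable Windows identity: hand over to the normal forms login,
            // which web.config leaves open to anonymous users.
            Response.Redirect("Login.aspx");
            return;
        }
        // Issue a non-persistent forms ticket for the application user id.
        FormsAuthentication.RedirectFromLoginPage(userId, false);
    }

    // Hypothetical helper: returns the application user id, or null when the
    // value is empty, malformed, from another domain, or unknown to the app.
    private static string ResolveApplicationUser(string logonUser)
    {
        if (string.IsNullOrEmpty(logonUser)) return null;

        // Assumption: LOGON_USER has the form DOMAIN\user; reject anything else.
        string[] parts = logonUser.Split('\\');
        if (parts.Length != 2) return null;
        if (!string.Equals(parts[0], AllowedDomain, StringComparison.OrdinalIgnoreCase))
            return null;

        string userId;
        return AppUsers.TryGetValue(parts[1], out userId) ? userId : null;
    }
}
```

Because the ticket is issued for the mapped application user id, the rest of the site sees the same identity whichever login page was used.
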
Some references:
Above method described in detail (MSDN article)
An alternate approach to the problem

40 comments:

Anonymous said...

But this triggers login/password popup dialog to appear for external users if they go to winlogin.aspx. How to prevent this? Thanks, m

Anonymous said...

Does not work for non-domain users

Anonymous said...

For the issue with external users, I guess you will have to check if the user request is coming from intranet or internet; if internet user, redirect it to the form authentication page.

mukesh arora said...

I'm getting login/password popup dialog to appear for external users if they go to winlogin.aspx. How to prevent this? Thanks, MA

Anonymous said...

For external users, the login Page is what I want. Credentials are verified against database.dbo.table. Some of these users might not even be part of Active Directory. So that's fine. But for internal users, who are part of Active Directory, I want to bypass login Page and get username from Active Directory and go directly to process Application. How do I get that userName from Active Directory? Everything I've tried comes up empty, unless I'm debugging from localhost. Thanks.
