I have an (ASP.NET 3.5) intranet application which has been designed to use forms authentication (along with the default aspnet membership system). I also store additional information about users in another table which shares its primary key with the aspnet_users table.

For users who are part of our domain I store their domain account name in the secondary users table, and I want to automatically log in users whose domain account name matches a name stored in the table.

I have read the guides which are available - they're all from two years ago or more and assume that you are able to activate Windows Authentication on a separate login page that allows you to extract the domain account name. From what I can tell, though, this is not possible in IIS7 (the overall authentication method is applied on all pages and cannot be selectively deactivated, and both authentication methods can't be applied on the same page).

Is there a way of getting IIS to pass through the windows domain account name of the requesting user? I don't need proper AD authentication, just the domain name.

dr_draik

7 Answers

Actually, you can do it. Bit late for @dr_draik, but this cropped up in a google result for me so I thought I'd share some knowledge.

If you're in classic mode - Enable both Windows and Forms auth. You'll get a warning about not being able to do both at once, but you can ignore it. Then, you can spelunk around various properties like:

HttpContext.Current.Request.ServerVariables["LOGON_USER"]

and fish the username out of there.

If you're in integrated mode - 4021905 IIS7 Challenge-based and login redirect-based authentication cannot be used simultaneously leads to IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication which is a module that allows you to selectively change the auth for different pages.

Dan F
  • Switching accepted answer since evidently this question is getting quite a few hits, and it'll be clearer this way. – dr_draik Sep 28 '11 at 09:56
  • The solution for integrated mode does not work with .NET 4.5 and IIS8. Anyone cracked this? – Fiffe Dec 06 '13 at 15:04
  • I disabled windows authentication and only use forms authentication and this HttpContext.Current.Request.ServerVariables["LOGON_USER"] still works. I need to do this because sometimes our users need to be able to logout from their windows account and use other credentials to login. I noticed if windows authentication is enabled then it will not use the new forms userid after user switches account. – Niloofar Aug 24 '17 at 09:27
  • How is windows authentication disabled? In IIS? Using ASP.NET Core? Using PowerShell? – Kiquenet May 09 '18 at 06:53
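As an added example (not Dan F's code, nor anything from the question's project), here is an ASP.NET 3.5 WebForms page that, once served under Windows authentication as described above, takes the LOGON_USER value IIS supplies, looks up the matching membership user in the secondary table the question describes, and issues a forms ticket. It assumes a placeholder domain CORP, a placeholder secondary table UserProfiles(UserId, DomainAccount), and the membership provider's default LocalSqlServer connection string.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;

public partial class AutoLogin : Page
{
    private const string ExpectedDomain = "CORP"; // placeholder for the intranet domain

    protected void Page_Load(object sender, EventArgs e)
    {
        // Trust only the server variable: IIS fills it in after a successful
        // Windows challenge, so a client cannot supply it in a request header.
        string logonUser = Request.ServerVariables["LOGON_USER"] ?? string.Empty;

        // IIS reports "DOMAIN\account"; insist on the expected domain so a local
        // or foreign-domain account never matches on its account name alone.
        string[] parts = logonUser.Split('\\');
        if (parts.Length != 2 || parts[1].Length == 0
            || !string.Equals(parts[0], ExpectedDomain, StringComparison.OrdinalIgnoreCase))
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        Guid? userId = FindUserIdByDomainAccount(logonUser);
        MembershipUser member = userId.HasValue ? Membership.GetUser(userId.Value) : null;
        if (member == null || !member.IsApproved || member.IsLockedOut)
        {
            // A valid Windows user who is not provisioned in the app gets the
            // ordinary forms login rather than an automatic ticket (no fail-open).
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Issue a non-persistent forms ticket and honour ReturnUrl, exactly as a
        // successful password login would.
        FormsAuthentication.RedirectFromLoginPage(member.UserName, false);
    }

    // Resolves the aspnet_Users key from the secondary table (placeholder names
    // UserProfiles / DomainAccount / UserId) with a parameterised query.
    private static Guid? FindUserIdByDomainAccount(string domainAccount)
    {
        string cs = ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT UserId FROM UserProfiles WHERE DomainAccount = @acct", conn))
        {
            cmd.Parameters.AddWithValue("@acct", domainAccount);
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? (Guid?)null : (Guid)result;
        }
    }
}
```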
You could always set up two separate applications in IIS7. One would have Windows Authentication enabled. The other would be the main app with forms authentication. If a user went to the windows authentication app, the page could grab their credentials and pass it to the forms authentication app.

David
  • Thanks, the two application solution seems the most workable, but I reckon we'll just have to go with forms auth. It feels rather clumsy to have a separate app just for the login. – dr_draik Feb 15 '10 at 06:56
  • "the page could grab their credentials and pass it to the forms authentication app" that's the part I don't understand... pass it how? – Arthur Hylton Aug 23 '18 at 14:46
(More for completeness of information really)

I asked a .Net security guy this question at a conference a while back. His response was that it is technically possible, but he'd never seen it done (and to let him know if I did it and it worked!).

He suggested the way it could be done was by making your own ISAPI filter and installing it into IIS. The ISAPI filter would intercept the requests and basically do the job that IIS does when using integrated authentication, but fall back to using forms if this was not present. This involved some complicated challenge/response logic in the filter. This was for IIS6 though, so it might be different in IIS7.

Whilst this might be technically possible, I wouldn't suggest this route as it feels like a bit of a hack, and rolling your own security is never really a good idea (unless you really know what you are doing).

adrianbanks
  • Thanks for the input - it's a tad annoying that this is no longer possible (or is practically no longer possible) but I suppose it's the price of progress. – dr_draik Feb 16 '10 at 14:12
  • Thanks for sharing this info! I do agree with what you said as not to roll our own security feature unless we are pretty sure – D Simm Oct 13 '15 at 13:36
I found a solution using no special add-ons. It was tricky and involved cobbling together elements from all the pages referenced here. I posted about it: http://low-bandwidth.blogspot.com.au/2014/11/iis7-mixed-windows-and-forms.html

In essence, forms, windows and anon authentication have to be enabled. The login screen should be forms based, and contain a button to trigger Windows login, that issues an HTTP 401 response challenge which if successful creates a forms based login ticket.

The issues are rather complex, and the post goes through the principles and the solution in detail.

Ben McIntyre
There are plenty of articles on mixing the authentication by setting config to use forms while allowing anonymous access to the app. Secondly, a page for integrated auth should be created with IIS settings set to deny anonymous and use Integrated Authentication. There you would do the magic trick by checking the "Logon_User" variable of the request's ServerVariables collection. And finally, for integrated authentication to silently sign in the user it has to have a short host name. So if your forms authentication piece is exposed to the internet via FQDN there should be some kind of redirect to the short host page. I think it is possible to achieve with just one application under IIS with 2 virtual directories.

dexter
  • As far as I know, this solution works on IIS6, but doesn't in IIS7. That's because in IIS6 you can assign auth mode on a per folder (even per file) basis, while on IIS7 the auth settings are global for the whole application. – pomarc Dec 21 '10 at 13:39
I've got something you can try - not sure if it will work.

In the past we've used Request.ServerVariables["LOGON_USER"] but obviously for this to return a non-empty value you need to disable Anonymous access.

See this article: http://support.microsoft.com/default.aspx/kb/306359

It suggests keeping Anonymous access on the IIS side, and Forms authentication, but denying the anonymous user as follows:

<authorization>
   <deny users="?" />  <!-- This denies access to the Anonymous user -->
   <allow users="*" /> <!-- This allows access to all users -->
</authorization>
Krip
  • Thanks - gave it a try but it's still an empty string even with the settings as recommended. I double checked the article and it doesn't apply to IIS7, unfortunately. – dr_draik Feb 12 '10 at 12:48
Unfortunately, what you are trying to do just isn't supported. In order for ASP.NET to know the Windows username, you must use Windows Authentication.

You could set up another site / virtual directory that just forwarded the username information to another page. But what happens when non-Windows authenticated users try to log in?

Bryan
  • Thanks, the two application solution seems the most workable, but I reckon we'll just have to go with forms auth. It feels rather clumsy to have a separate app just for the login. – dr_draik Feb 15 '10 at 06:58