8

I need to create an ASP.NET web page (hosted on Windows Server 2008 R2 with IIS 7.5) which should be visible to domain users and anonymous users without prompting either of them for credentials. Domain users should be authorized to see the entire page, while anonymous users can see the public part of the page.

  • When I enable Windows authentication: domain users can see the entire page, but anonymous users are prompted for credentials.
  • When I enable anonymous authentication, or both (anonymous and Windows): anonymous users can see the public part of the page, but domain users do not see the entire page (they are treated like anonymous users).

I use the following line to distinguish anonymous users from domain users:

WindowsAccountName = HttpContext.Current.Request.LogonUserIdentity.Name;

If WindowsAccountName is empty, the user is anonymous; otherwise it is a domain user. Unfortunately, when anonymous authentication is enabled WindowsAccountName is always empty (even for domain users), but when anonymous authentication is disabled non-domain users are prompted for credentials.

Do you have any solution for this problem? Keep in mind that domain users are spread among different networks, so the IP address is not a good way to distinguish domain users from non-domain users.

It looks like a catch-22 to me.

Thanks.

Michele

2 Answers

4

The term for this is Mixed-Mode Authentication. I have done this multiple times.

This can be accomplished by using a Windows-authenticated site that does no more than pull the user's credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (a GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Other times I have done this with an encrypted URL parameter that contains the user id and a time-stamp.

Internal Site

Create a Redirect URL Site: set up this site as Windows Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).

a. This can be done either via an encrypted string on the URL or an encrypted value in a cookie. You can include an expiration date/time value in what you encrypt too.

b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.

External Site - No changes required. Let the users log in as-is.

Elim Garak
  • You wrote "Create a Redirect URL Site: Setup this site as Window Auth so you can pull the User ID from Active Directory.", but if a non-domain user accesses this site they are prompted for credentials, right? – Michele Jan 24 '16 at 12:27
  • Michele, this is a two-step approach. Set up a site that is Windows Auth for the purpose of getting the user account from Active Directory. The user will not get prompted; you then pull the user id from AD. Then encrypt it (as mentioned above) and pass it to the anonymous site, where you handle the login on that site. To the end user this is transparent. If a person should have anonymous access only, they go directly to the target (non-Active Directory / anonymous) site. – Elim Garak Jan 25 '16 at 15:19
  • @RegencySoftware - Can I assume this would effectively result in two URLs for the same application? Would this still be the case for IIS 8 (Win2012)? – Chris Hammond Mar 11 '16 at 10:22
  • @RegencySoftware 2nd question - Once you've passed the credentials to the anonymous version of the system, where do you store it? Session variable? – Chris Hammond Mar 11 '16 at 11:43
  • Chris, yes, you are correct. These are two sites. One example where I did not use any database: when the user ID gets passed on the URL it is encrypted; when the target site decrypts that user id a Forms Authentication Ticket is created (forms auth cookie). If you are using a custom auth such as session, then you would have to store it in the session. The target site should handle it the same way as if the user logged into that site. Hope this helps. – Elim Garak Mar 12 '16 at 15:58
  • 1
    This answer doesn't seem to answer the question being asked. @Michelle wanted to check the security context and determine if a user had been authenticated (read the para before the question). Having two endpoints - one authenticated, one not doesn't help - how does the consumer know which endpoint to hit when you want to attempt authentication first and fail over to anonymous? – QA Collective Sep 04 '17 at 13:37
  • Which site to authenticate against? In the post, where it says Internal vs. External Site. Intranet vs. External Site. – Elim Garak Sep 04 '17 at 15:21
  • 1
    The question assumes that there is no difference between Internal Site vs. External site. That is, its the exact same web address. The question is focused on the different types of user approaching the exact same web address. – QA Collective Sep 11 '17 at 04:14
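The hand-off the answer describes (an encrypted URL parameter carrying the user id and a time-stamp, checked by the anonymous site before it issues its own Forms Authentication ticket), as an added example. This is not Elim Garak's code; it implements the encrypted-parameter variant rather than the database GUID ticket, and it assumes both sites share a 32-byte AES key (`encKey`) and a 32-byte HMAC key (`macKey`), generated once and stored in protected configuration on both servers. It targets .NET Framework 4.5+ (no `AesGcm`, no `CryptographicOperations`) so it also fits the IIS 7.5 era of the question.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the answer's code. Short-lived hand-off token between the
// Windows-authenticated redirect site (Create) and the anonymous site (Validate).
// Assumption: both sites share encKey (32 bytes, AES-256) and macKey (32 bytes).
public static class HandoffToken
{
    // Same 5-second window the answer uses for its database ticket.
    public static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(5);
    const int IvLen = 16, TagLen = 32;

    // token = base64url( IV || AES-CBC(issuedTicks || userId) || HMAC-SHA256(IV || ciphertext) )
    public static string Create(string userId, byte[] encKey, byte[] macKey, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(userId)) throw new ArgumentException("userId is required");
        byte[] name = Encoding.UTF8.GetBytes(userId);
        byte[] plain = new byte[8 + name.Length];
        Buffer.BlockCopy(BitConverter.GetBytes(utcNow.Ticks), 0, plain, 0, 8);
        Buffer.BlockCopy(name, 0, plain, 8, name.Length);
        byte[] body;
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.GenerateIV();                       // fresh random IV per token
            using (var enc = aes.CreateEncryptor())
                body = Concat(aes.IV, enc.TransformFinalBlock(plain, 0, plain.Length));
        }
        // Encrypt-then-MAC: the tag covers IV and ciphertext, so a tampered token is
        // rejected before anything reaches the decryptor (no padding-oracle surface).
        byte[] tag;
        using (var mac = new HMACSHA256(macKey)) tag = mac.ComputeHash(body);
        return ToBase64Url(Concat(body, tag));
    }

    // Returns the user id, or null if the token is malformed, forged, tampered with,
    // dated in the future, or older than Lifetime. Never throws on attacker input.
    public static string Validate(string token, byte[] encKey, byte[] macKey, DateTime utcNow)
    {
        byte[] raw;
        try { raw = FromBase64Url(token ?? ""); } catch (FormatException) { return null; }
        if (raw.Length < IvLen + 16 + TagLen) return null;   // IV + one AES block + tag
        byte[] body = new byte[raw.Length - TagLen];
        byte[] tag = new byte[TagLen];
        Buffer.BlockCopy(raw, 0, body, 0, body.Length);
        Buffer.BlockCopy(raw, body.Length, tag, 0, TagLen);
        byte[] expected;
        using (var mac = new HMACSHA256(macKey)) expected = mac.ComputeHash(body);
        if (!FixedTimeEquals(tag, expected)) return null;     // verify before decrypt
        byte[] plain;
        try
        {
            using (var aes = Aes.Create())
            {
                aes.Key = encKey;
                byte[] iv = new byte[IvLen];
                Buffer.BlockCopy(body, 0, iv, 0, IvLen);
                aes.IV = iv;
                using (var dec = aes.CreateDecryptor())
                    plain = dec.TransformFinalBlock(body, IvLen, body.Length - IvLen);
            }
        }
        catch (CryptographicException) { return null; }      // e.g. wrong key, bad padding
        if (plain.Length <= 8) return null;
        long ticks = BitConverter.ToInt64(plain, 0);
        if (ticks < 0 || ticks > DateTime.MaxValue.Ticks) return null;
        var issued = new DateTime(ticks, DateTimeKind.Utc);
        if (issued > utcNow.AddSeconds(1)) return null;       // tolerate 1 s of clock skew
        if (utcNow - issued > Lifetime) return null;          // expired
        return Encoding.UTF8.GetString(plain, 8, plain.Length - 8);
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    // Constant-time compare; CryptographicOperations.FixedTimeEquals is not in .NET Framework.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // URL-safe base64 without padding, so the token survives a query string intact.
    static string ToBase64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromBase64Url(string s) =>
        Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
}
```

On the redirect site the call is `HandoffToken.Create(Request.LogonUserIdentity.Name, encKey, macKey, DateTime.UtcNow)` followed by a redirect to the anonymous site with the token as a query parameter; on the anonymous site a non-null result from `Validate` is followed by `FormsAuthentication.SetAuthCookie(userId, false)` and a second redirect that drops the token from the URL, because query strings end up in proxy logs and Referer headers. A token is still replayable within its 5-second window; if that matters, record each accepted token's IV as used, which is the property the answer's database-GUID variant gives you for free.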
0

I don't know if it's too late to post this. I recently worked on enabling anonymous authentication on one page in a .NET 4.8 MVC application.

Let's say the page was accessible via URL: User/MyCustomPage

Application configuration was as follows:

1. In web.config the authentication mode was specified and authorization was set to deny for anonymous users.

    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>


2. In the controller, the [Authorize] attribute was there.

3. In IIS, Windows authentication was enabled and anonymous mode was disabled.

I did the below steps:

1. Removed the [Authorize] attribute from the specific controller and added the [AllowAnonymous] attribute.

2. Enabled anonymous authentication on the IIS server: go to server -> Authentication -> Anonymous Authentication -> click Enable in the right pane.

3. I had to add the particular path, to exclude it from regular Windows authentication, by writing the below code in the web.config file.

    <location path="User/MyCustomPage">
      <system.web>
        <authorization>
          <allow users="?"/>
        </authorization>
      </system.web>
    </location>

But still, I was getting a prompt for Windows credentials when accessing the above URL. The reason I found was that the View that MyCustomPage was returning was consuming another resource.

So I had to add that path too in the web.config.

    <location path="Bundle/Content/css">
      <system.web>
        <authorization>
          <allow users="?"/>
        </authorization>
      </system.web>
    </location>
Dharman
Rishu Ranjan
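The controller side of the answer's step 1, as an added example rather than the answer's own code. It keeps [Authorize] on the controller and opens only the one action with [AllowAnonymous], so the rest of the controller stays Windows-only, and it reads the identity the pipeline actually established for the request. It assumes the answer's web.config <location> entries (for User/MyCustomPage and for every bundle or static path the view references) are in place and that IIS has both Anonymous and Windows authentication enabled; the controller and action names are the answer's, the second action is hypothetical.

```csharp
using System.Web.Mvc;

// Added example, not the answer's code: [Authorize] stays on the controller and only
// MyCustomPage is opened with [AllowAnonymous]. Assumes the answer's web.config
// <location path="User/MyCustomPage"> block; without it UrlAuthorizationModule
// (deny users="?") rejects the anonymous request before MVC ever sees it.
[Authorize]
public class UserController : Controller
{
    // Windows-only (hypothetical action). With Anonymous enabled in IIS nobody is
    // challenged up front, so an unauthenticated request here gets a 401 carrying
    // the Negotiate/NTLM challenge; domain browsers answer it silently, everyone
    // else sees the credential prompt the question wants to avoid.
    public ActionResult Internal()
    {
        ViewBag.AccountName = User.Identity.Name;
        return View();
    }

    // Public part. Because this action never returns a 401, a domain user arrives
    // unauthenticated as well; the view only gets what the pipeline established and
    // must not render the domain-only part unless IsDomainUser is true.
    [AllowAnonymous]
    public ActionResult MyCustomPage()
    {
        bool authenticated = User.Identity.IsAuthenticated;
        ViewBag.IsDomainUser = authenticated;
        ViewBag.AccountName = authenticated ? User.Identity.Name : null;
        return View();
    }
}
```

Checking `User.Identity.IsAuthenticated` rather than testing a name for emptiness is the safer form of the question's `LogonUserIdentity.Name` test: it is the flag the authentication module set, not a string that happens to be blank. It also makes the question's catch-22 visible in code, since nothing in `MyCustomPage` can make a domain user's browser negotiate without also challenging the anonymous user.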