IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

IIS 7.0 Server-Side : Breaking Changes for ASP.NET 2.0 applications running in Integrated mode on IIS 7.0

Mon, 11 Feb 2008 20:16:44 GMT

PingBack from http://mvolo.com/blogs/serverside/archive/2007/12/08/IIS-7.0-Breaking-Changes-ASP.NET-2.0-applications-Integrated-mode.aspx

Two-Level Authentication with Forms Authentication and Windows Authentication

MVolo's Blog — Mon, 11 Feb 2008 20:52:46 GMT

The integration of IIS and ASP.NET authentication stages in Integrated mode applications brings a lot

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Claudiov — Wed, 13 Feb 2008 09:37:50 GMT

Hi Mike, I have followed your instructions but I receive HTTP 503, the service is unavailable, I'm I missing something?...

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Mike Volodarsky — Wed, 13 Feb 2008 17:49:20 GMT

Hi Claudiov,

Please follow http://mvolo.com/blogs/serverside/archive/2006/10/19/Where-did-my-IIS7-server-go_3F00_-Troubleshooting-_2200_service-unavailable_2200_-errors.aspx and see whether you are getting an error message in the event log.

Thanks,

Mike

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Steve — Fri, 14 Mar 2008 11:55:34 GMT

will this approach work with web services? Is it possilbe to use one url which allows integrated authentication + user name password to be passed via soap header properties. The if the caller is not a windows user, use passed in credentials?

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Mike Volodarsky — Fri, 14 Mar 2008 18:03:36 GMT

Hi Steve,

You wouldnt use this exact approach, but something similar. If you can extract the credentials in AuthenticateRequest, you can run after the WindowsAuthenticationModule and authenticate as that user. Otherwise, let the request go forward and be rejected with the NTLM / Negotiate challenge to authenticate with Windows credentials.

If you cannot extract credentials until later when WCF has processed the request/SOAP payload, then just authenticate as special "interim" user in AuthenticateRequest to avoid the request being rejected, then in your web service either authenticate with the SOAP credentials or reject the request with 401 to allow Windows authentication to take place.

Just a note: this information is intended for WCF web services hosted in IIS 7.0 running in Integrated mode.

Thanks,

Mike

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

AndrewHa — Wed, 21 May 2008 23:30:43 GMT

Mike what if you wanted to add to this module for x509cert authentication and SecureID. What happens if your internal users don't have passwords and you don't want to distribute another ID. So your users that may use windows auth when they are logged onto your network are hitting the same site from the internet and have the same certificate they would use when they log onto their workstations. Or some of your users have secureID cards.

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Mike Volodarsky — Fri, 23 May 2008 17:21:39 GMT

Hi Andrew,

Theoretically, you would configure the the required authentication (cert auth or secureId) for the gateway page, and flow their authenticated identity to the forms ticket the same way I do it here using Windows Auth.

The way you determine the identity in the gateway is completely up to you, so it should support any authentication protocol you'd like to use. As long as you then take that identity and issue a forms auth ticket to represent it.

Keep in mind though that Forms Authentication is a ticket-based scheme, which has inherent security limitations. Using it to represent a stronger authentication scheme (like x509) is essentially downgrading the security of that scheme - if someone manages to exploit the forms auth ticket.

For more info on ticket security, search "client ticket security" in my old article, http://msdn.microsoft.com/en-us/magazine/cc163702.aspx.

Thanks,

Mike

[转]Breaking Changes for ASP.NET 2.0 applications running in Integrated mode on IIS 7.0

Benny_NET — Tue, 22 Jul 2008 07:48:40 GMT

[原文：http://mvolo.com/blogs/serverside/archive/2007/12/08/IIS-7.0-Breaking-Changes-ASP.NET-2.0-applic...

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Neeraj Tomar — Wed, 13 Aug 2008 17:53:27 GMT

Hi Mike, My project requires windows Authentication and if user do not provide correct credentials or don't have valid credentials, then to display login page and use ADAM (Form authentication). I tried your sample application. Challenge response dialog appears but if i cancel it then HTTP Error 401.2 appears. I need to display login page instead. Let me know how can i override 401.2 Unauthorized error page with my login page. Your help is highly appreciated. Regards, Neeraj Tomar

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Chaos_Crafter — Fri, 19 Sep 2008 04:42:21 GMT

What if you wanted the reverse of this. You have a web page that may be internally or externally accessed. You'd like the internal users to be automatically recognised by their window id, with no data entry at all. You want external users to be directed to a forms login page. Presumably you can set it to windows login, and then recognise that there is no user auth, but how do you surpress the username/password box if you can't detect a windows user?

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Chuang — Mon, 06 Oct 2008 04:10:20 GMT

Hi Mike. There is this button called "Log on To" in Active Directory where an admin can specify which machines a user can log on to. My situation is that the admin sets all the users to be able to log on only to their own desktop PCs. It seems that Forms authentication doesn't work in this case unless I'm accessing the web application from my own PC. Is there any way around this without needing the admin to allow the server as one of the computers the user can log on to?

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Basel — Sun, 26 Oct 2008 11:21:46 GMT

hi Mike. I was working on web application on .net 2.0 , deployed into win server 2003 and IIS 6.0 , and after i moved it to windows server 2008 and IIS 7.0 , the form based authentication didn't redirect correctly like the way you describe in the article above, so i decide to change the Application Pool from integrated to Classic , even through it didn't work, so are there away other than using a wrapper module you,ve create.

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

fuzzlog — Wed, 17 Dec 2008 20:38:27 GMT

Is the "Login.aspx" page stated in the web config file mandatory? I created a new page (LoginNext.aspx) and replaced "Login.aspx" with that in the web config file. Now when I direct IE to "Login.aspx" the code module does nothing. Meaning that it doesn't redirect to "LoginNext.aspx" (I was under the impression the module redirected to whatever page was specified in the within the "location" tag. The reason I'm doing this is because we have many existing sites that need to be converted to this hybrid login scenario. If someone is attempting to login from within the network, they should be redirected to the requested page, or at least a default "authenticated" page, if not, they should be shown the login page. Since most of our users have our various login pages already saved as favorites, I wanted apply this so that it was seamless to them (thus leaving the existing "Login.aspx" under forms Authentications so that it would redirect to "LoginNext.aspx" and be handled accordingly). Any suggestions? Thanks

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Mike Volodarsky — Wed, 17 Dec 2008 22:10:23 GMT

fuzzlog,

You can change the login page url in the <forms> configuration element.

Thanks,

Mike

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

fuzzlog — Wed, 17 Dec 2008 23:35:49 GMT

Mike,

Thanks for the response. In your code (web.config), the "Login.aspx" file was only mentioned in the "path" attribute of the "location" tag that contained the "" tag. Why wouldn't just replacing the new file name in that "path" attribute work accordingly?

Below are the changes I've done to the web config file. The result after those changes is that all pages act as if Authentication had been set to "None". I'm using IIS 6.0, integrated authentication plus anonymous (to prevent the credentials request popup). This setup works just fine with your code unmodified.

Thanks again for any input.

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Mike Volodarsky — Wed, 17 Dec 2008 23:48:52 GMT

fuzzlog,

You'll need to change both the location path and set the loginUrl in the <forms> element to the new login url. See http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx for the latter.

Thanks,

Mike

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

fuzzlog — Wed, 17 Dec 2008 23:51:57 GMT

Darn,

some tags were stripped. Anyhow, what I did was to add the "LoginNext.aspx" path to the "forms" tags as well as replace "Login.aspx" with "LoginNext.aspx" in the "location" tag.

This produces the "Authentication mode='None'" behavior described in post above.

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

fuzzlog — Thu, 18 Dec 2008 01:06:19 GMT

Mike,

The problem I was having was due to the following, "FormsAuthentication.SetAuthCookie(wi.Name, true);". Setting the second parameter to "true" saved a cookie in the my system. This authentication cookie persisted even after I made the changes to the web.config, so when I ran it again, I was already authenticated and would always go directly to any page a chose.

After I cleared the cookies in IE and changed the parameter to "false" the code works correctly.

Thanks for your willingness to share you knowledge.

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Nick Watt — Mon, 12 Jan 2009 10:54:29 GMT

Mike,

Many thanks for sharing your knowledge. You won't believe how much time you have saved me. I developed our intrant on server 2k3 with iis6 for the school I work in which takes advantage of student and staff AD logins, but also uses forms authentication for their parents to login externally (we didn't want to create AD logins for the parents because that would just be silly to manage!).

We have recently just bought a brand new server for the intranet and as we are in the process of upgrading our servers to 2k8 the intranet server was subsequently installed with this version. This article has helped me tremendously in getting the application migrated to the new server quickly.

Thanks again.

Nick (nwatt@hotmail.com)

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Ron Klose — Fri, 20 Mar 2009 21:04:25 GMT

I tried to follow the example. I had some success. The authentication types it switched between were windows integrated, and http-auth (not sure what the current term of the firefox/ie popup authentication challenge). Is there some configuration I have to adjust to get it to switch between windows integrated and forms. Thanks

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

David Steadman — Sun, 05 Apr 2009 18:17:17 GMT

I am getting an error when I am trying to add the location the system.webserver complains it is not a valid child element of location. Any help would be great...

Authentification par formulaire « minimaliste »

Blog de l'équipe support IIS France — Fri, 10 Apr 2009 13:30:44 GMT

L'authentification par formulaire – également appelée authentification par cookie – est aujourd'*** énormément

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

William Lin — Thu, 30 Apr 2009 23:23:18 GMT

Hi Mike. Thanks for providing this solution. We have implemented your solution and it works. But, my question is, Why not enable both forms and windows authentication in IIS7. Then in the location element for login.aspx only have Thanks, Will

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Brad — Fri, 15 May 2009 18:01:57 GMT

Mike, This sounds very close to what we are wanting to implement. We have multiple domains and want to connect to our web applications using forms authentication. We would like to use Active Directory as the data store for the forms authentication and we need our web applications to impersonate the domain user that logged on through forms authentication. The catch is the users may or may not be logged on to the domain at the time they connect to our web application. Is there a way to use forms authentication to authorize a user and "convert" to windows authentication once inside the application?

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

mcm — Tue, 02 Jun 2009 01:12:31 GMT

Here's my scenario, when a page needs to make changes to the file system, instead of giving access to the IIS user I use impersonate to get the page to run under a different account that does have write access. This prevents things like the folder getting recreated loosing the permission changes given to the IIS user.

Would there be a better way of achieving that or will your solution be the only way.

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Saiangu — Wed, 15 Jul 2009 19:51:56 GMT

Hi, I followed this sample, but my login page images are not displayed even though I have given them in the location attributes. Please help. Thanks

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Mike Volodarsky — Thu, 16 Jul 2009 11:53:21 GMT

Hi Saiangu,

Please check the logfiles or get a failed request trace to identify why your images arent loading.

See http://mvolo.com/blogs/serverside/archive/2007/07/26/Troubleshoot-IIS7-errors-like-a-pro.aspx.

Thanks,

Mike

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Eric — Sat, 08 Aug 2009 18:22:15 GMT

mcm, we do the same thing. It is unfortunate that MS never considered this as an option, which you can see from the article:

"For some reason, you want all users to first log in using their Windows credentials"

I think that this is a really good reason. It limits damage to the site in the event that there's a flaw in the anonymous portion of the site.

Note that this config works just fine in the Classic Pipeline mode. You just have to ignore the error/warning message that the IIS manager gives you.

I would also like to know if there is another way to achieve this w/o having to keep it running in Classic mode, which I'm assuming will go away at some point in the future.

One possibility is to set up a second site with the same webroot, in a different app pool and with a different app pool user, but you do then run into some problems with the shared config files.

www.macdueltd.co.uk

www.macdueltd.co.uk — Sun, 06 Sep 2009 06:31:58 GMT

MacDue provide complete turnkey production lines and really do have the most technologically advanced machinery of it’s type

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Denayer — Mon, 05 Oct 2009 11:32:51 GMT

Hello Mike, I had a look at your coding. There is a function public static void EnableFormsAuth(HttpContext context, bool enable) but I do not see any call to this function. Can you please tell me in which situation this function is called. Thanks, Wim.

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Vishal Banker — Fri, 23 Oct 2009 09:53:59 GMT

Hi Mike, Actually i am usnig custom authentication in my application and i also want to use windows authentication at application level. But after enabling windows authentication i am getting error on all my pages. Need your help

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Dietrich — Thu, 19 Nov 2009 18:20:23 GMT

Great post! Is there anyway to avoid the user getting a dialog box when there AD user credentials are not passed or authenticated? I would like to be able to fallback to a custom login form if the credentials are not authenticated. Any ideas?

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Sri — Fri, 20 Nov 2009 19:53:04 GMT

Hi Mike, Is it possible to use the same windows authentication to use in Windows Application. Thank you Sri

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Dietrich — Mon, 30 Nov 2009 16:14:39 GMT

Great post! When I try this workaround, if the user cannot be authenticated through windws auth, they get the browser prompt to enter username and password. After the third time they are redirected to an error page. Instead of the browser prompt, I want my users to get the login form. I thought that is what this solution did. Is there something I am missing?

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Chris Miller — Thu, 07 Jan 2010 14:58:34 GMT

This looks great and thanks for including the source code. Is this solution limited to IIS7 or can it be used as well with IIS6 (or IIS7 in classic mode)

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Thodsapon — Tue, 19 Jan 2010 07:56:37 GMT

This great for me and can it be used on Windows Identity Foundation in part of Security Token Service Web Site

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Daniel — Sat, 06 Feb 2010 20:17:36 GMT

How do I impersonate a Actice Directory user from code? I have asp.net web service supposed to run in IIS 7 on windows server 2008. The user is already authenticated using custom authentication method. I need the code to be executing with a AD user that is logged on and authenticated.

re: IIS 7.0 Two-Level Authentication with Forms Authentication and Windows Authentication

Maddy — Mon, 17 May 2010 14:09:44 GMT

Hi Mick, After implementing the above mentioned dual mode authentication, I published it to IIS7. In the site binding I specified the IP address to the same machine rather having 'all unassigned'. Then when I try to access this using the url (http://192.168.1.54:8123/page.aspx or http://192.168.1.54:8123/login.aspx) it always promts a window to enter windows credentials. It says authentication required.(Enter username and password for http://192.168.1.54:8123). I know this is due to: configuration. So... how can I get ride of this promting window when I publish to IIS7? Thanks in advance.