Windows and anonymous authentication on IIS 7.5, allow auto login for internal and manual login for external

ssq · Sep 4, 2012 · Viewed 8.4k times

Scenario:

  • https asp/asp.net website running on IIS 7.5 (Windows Server 2008)
  • IIS currently configured to allow anonymous authentication and forms authentication; asp.net impersonation is disabled, while Windows authentication is not installed (I understand that Windows authentication needs to be installed for this.)
  • a single custom login page for both internal and external users

Requirement:

  • Internal users seamlessly log in while capturing their LOGON name (Windows authentication)
  • External users (not on domain) should be prompted for a manual login

Questions:

  • What approach can be used to implement this?
  • Looking for the IIS 7.5 and web.config settings

Approaches Found:

  1. Make 2 pages within 1 website, winlogin and weblogin (front page). Allow Windows auth=true and anonymous auth=false on winlogin.aspx and vice versa on weblogin.aspx. A user with an IP hits weblogin; if the IP is known, redirect to winlogin to capture the logon, and redirect to weblogin if the IP is unknown.
  2. Have winlogin.aspx as the main page and redirect 401 errors to weblogin.aspx.

Answer

Wiktor Zychla · Sep 4, 2012

This is how to configure IIS for integrated authentication.

http://netpl.blogspot.com/2012/06/iis-75-integrated-security-with-no.html

This will make your site available for intranet users WITHOUT the prompt for credentials.

Note that this also works for web users. A built-in web browser window is displayed as a result of HTTP 401. A user provides his/her credentials and is in.

If you would rather show your custom web form as a result of 401 (unauthorized), you'd have to trick the browser a little:

http://www.codeproject.com/Articles/11202/Redirecting-to-custom-401-page-when-quot-Access-de

This way you can redirect an unauthorized response to a web form of your choice (for example, to show an asp.net login form).

Although the integrated authentication can be easily configured, prepare for a lot of experiments when setting up your mixed (integrated/forms) authentication. Things change with every version of IIS; also IIS7 behaves differently if a pool is in classic vs integrated mode.
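
A web.config sketch of approach 1 from the question, added here as an example and not taken from the original post or the linked articles: Windows authentication is forced on winlogin.aspx only, and the rest of the site stays on anonymous plus forms authentication. It assumes the Windows Authentication role service is installed, that the anonymousAuthentication and windowsAuthentication sections have been unlocked for the site (they are locked at server level by default), and that winlogin.aspx itself reads LOGON_USER and issues the forms ticket.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the poster's configuration. Page names come from the question. -->
<configuration>
  <system.web>
    <!-- Forms authentication stays the site-wide scheme; weblogin.aspx is the manual form. -->
    <authentication mode="Forms">
      <forms loginUrl="~/weblogin.aspx" requireSSL="true" />
    </authentication>
    <authorization>
      <!-- Everything except the two login pages needs a forms ticket. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- winlogin.aspx: IIS demands Windows credentials before the page runs. -->
  <location path="winlogin.aspx">
    <system.web>
      <authorization>
        <!-- ASP.NET URL authorization lets the request through; IIS has already authenticated it. -->
        <allow users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>

  <!-- weblogin.aspx: anonymous only, so external users see the form and no browser prompt. -->
  <location path="weblogin.aspx">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <windowsAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The IP check in approach 1 only decides which page a user is sent to; winlogin.aspx still requires a successful Windows logon, so trust should rest on that logon and never on the source address. As the answer notes, behaviour differs between classic and integrated pipeline mode, so test the 401 handling on winlogin.aspx in the pool mode you actually run.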