I recently had a request to build a prototype web application that could act as an SSO (Single Sign On) solution in an ASP.NET/IIS environment. Basically, the question was whether I could meet the following list of requirements with ASP.NET, IIS and Active Directory alone, without any additional software.
- Internal users should not have to enter a user ID and password.
- External and non-IE users should get forms-based authentication.
- The login must be an ASP.NET form, not the pop-up dialog produced by Windows authentication.
- URL security: every file must be protected, not just files ending in .aspx.
Before I start, let me cite the works I used to compile this how-to:
usingtangent.blogspot.com and Richard Dudley
So, here is a high-level overview of the process for mixing Windows and forms authentication.
Step 1: Edit web.config
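The post does not include its web.config. The fragment below is an added example, not the author's file, of the settings the rest of the steps rely on: forms authentication for the whole site, anonymous users denied, the Login control validating against Active Directory through ActiveDirectoryMembershipProvider, and the login plumbing left reachable. It assumes ASP.NET 2.0 on IIS 6; the domain example.corp, the DC name dc.example.corp and the cookie name .SSOAUTH are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example web.config for the mixed Windows/forms setup; placeholders: example.corp, dc.example.corp -->
<configuration>
  <connectionStrings>
    <!-- LDAP path the membership provider binds to when validating the form's credentials -->
    <add name="ADConnectionString" connectionString="LDAP://dc.example.corp/DC=example,DC=corp" />
  </connectionStrings>
  <system.web>
    <!-- Forms mode site-wide: ASP.NET exempts the loginUrl page itself from the deny below.
         Add requireSSL="true" once the site is served over HTTPS so the ticket cookie is never sent in clear. -->
    <authentication mode="Forms">
      <forms name=".SSOAUTH" loginUrl="FormsLogin.aspx" protection="All" timeout="30" slidingExpiration="true" />
    </authentication>
    <!-- "?" is the anonymous user: no forms ticket, no access -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Login control calls Membership.ValidateUser, which this provider answers with an AD bind -->
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
    <!-- Optional Step 8: once .pdf/.doc are mapped to aspnet_isapi.dll in IIS, serve them as static
         files after the authorization check above has run -->
    <httpHandlers>
      <add verb="GET,HEAD" path="*.pdf" type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.doc" type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>
  <!-- WinLogin.aspx is protected by IIS Integrated Windows Authentication, not by a forms ticket,
       so ASP.NET must let the (still ticket-less) request reach it or the redirects loop -->
  <location path="WinLogin.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- The custom 401 page must also be reachable without a ticket -->
  <location path="Redirect401.htm">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The `<location>` block for WinLogin.aspx is the part people forget: without it an anonymous request to WinLogin.aspx is denied by URL authorization and bounced back to FormsLogin.aspx before IIS ever gets to negotiate the Windows logon.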
Step 2: Make sure ‘Enable Anonymous Access’ is enabled for the whole website.
IIS->Website->Properties->Directory Security->Edit->Enable Anonymous Access
Step 3: Create a page named FormsLogin.aspx
Add an ASP.NET Login control to the page and the following code in the code-behind.
Step 4: Create a page named WinLogin.aspx
Put the following into the code-behind:
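The code-behind for Steps 3 and 4 is missing from the post. Below is an added example of both pages, written for this article and not taken from the author or the cited sources. It assumes ASP.NET 2.0 on IIS 6, both pages in the same directory, a Login control with ID="Login1" and OnAuthenticate="Login1_Authenticate" on FormsLogin.aspx, and a Membership provider (for example ActiveDirectoryMembershipProvider) configured in web.config. The SsoHelpers class and its two methods are my own names.

```csharp
// Added example code-behind for WinLogin.aspx and FormsLogin.aspx (not from the original post).
// Assumes: ASP.NET 2.0 / IIS 6, Login control "Login1" on FormsLogin.aspx wired to Login1_Authenticate,
// and a Membership provider configured in web.config. SsoHelpers is a hypothetical helper class.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Shared checks so both login pages treat ReturnUrl and the Windows account name the same way.
public static class SsoHelpers
{
    // Accept only a site-relative ReturnUrl. Forms authentication in 2.0 redirects to ReturnUrl
    // without checking it, so anything else would turn the login page into an open redirect.
    public static bool IsLocalUrl(string url)
    {
        return !String.IsNullOrEmpty(url)
            && url.StartsWith("/")
            && !url.StartsWith("//")
            && !url.StartsWith("/\\");
    }

    // IIS reports the account as DOMAIN\user; the forms ticket carries just "user" so a ticket
    // issued by either page looks identical to the rest of the application.
    public static string StripDomain(string logonUser)
    {
        int slash = logonUser.IndexOf('\\');
        return slash >= 0 ? logonUser.Substring(slash + 1) : logonUser;
    }
}

// WinLogin.aspx.cs: IIS has already performed Integrated Windows Authentication on this file
// (Step 5) before ASP.NET runs, so no password ever reaches this code.
public partial class WinLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // LOGON_USER is filled in by IIS only when it authenticated the caller itself.
        string logonUser = Request.ServerVariables["LOGON_USER"];

        // Empty means IIS let the request through anonymously, i.e. anonymous access was not
        // turned off for this one file. Never mint a ticket for an unauthenticated caller;
        // fall back to the form exactly as the 401 path in Steps 6 and 7 would.
        if (String.IsNullOrEmpty(logonUser))
        {
            Response.Redirect("FormsLogin.aspx?failedlogin=1", true);
            return;
        }

        string returnUrl = Request.QueryString["ReturnUrl"];
        string target = SsoHelpers.IsLocalUrl(returnUrl) ? returnUrl : FormsAuthentication.DefaultUrl;

        // Issue the same (non-persistent) forms-auth cookie an interactive login would get.
        FormsAuthentication.SetAuthCookie(SsoHelpers.StripDomain(logonUser), false);
        Response.Redirect(target, true);
    }
}

// FormsLogin.aspx.cs: the loginUrl for the site. The first visit tries the silent Windows logon;
// if IIS cannot negotiate it, the custom 401 page sends the browser back here with failedlogin=1.
public partial class FormsLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // On a postback, or after the Windows attempt failed, just render the form.
        if (IsPostBack || Request.QueryString["failedlogin"] == "1")
            return;

        string returnUrl = Request.QueryString["ReturnUrl"];
        string target = "WinLogin.aspx";
        if (SsoHelpers.IsLocalUrl(returnUrl))
            target += "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        Response.Redirect(target, true);
    }

    // Fires when the Login control is submitted. Once Authenticated is true the control
    // issues the cookie and honours ReturnUrl by itself.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // Membership is backed by ActiveDirectoryMembershipProvider, so this is an AD bind.
        e.Authenticated = Membership.ValidateUser(Login1.UserName, Login1.Password);
    }
}
```

Two things to keep in mind with this flow. The Windows path never sees a password, which is the whole point: trust rests entirely on IIS having challenged the browser, so the empty LOGON_USER check is not optional. And because Redirect401.htm is a static page, the ReturnUrl is lost for users who fall back to the form; they land on the forms defaultUrl after logging in. On .NET 2.0 the same Windows identity is also available as Request.LogonUserIdentity if you prefer a WindowsIdentity object over the server variable.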
Step 5: Secure WinLogin.aspx with “Integrated Windows Authentication”
IIS->Website->WinLogin.aspx->Properties->Directory Security->Edit
For this one file uncheck ‘Enable Anonymous Access’ and check ‘Integrated Windows Authentication’. If anonymous access stays on, IIS never challenges the browser and LOGON_USER arrives empty in the code-behind.
Step 6: Create a Redirect401.htm page
Add the following JavaScript to the page (the path is relative, so the page must sit in the same directory as FormsLogin.aspx):
<script type="text/javascript">
// IIS served this page because the Windows logon failed or the browser could not negotiate it;
// send the user to the form instead of leaving them on a bare 401.
window.location = "FormsLogin.aspx?failedlogin=1";
</script>
Step 7: Set up the redirect for failed authentication
Change all the 401 sub-status entries (401;1 through 401;5) to point to Redirect401.htm, as a File type error:
IIS->Website->WinLogin.aspx->Properties->Custom Errors
To verify, open WinLogin.aspx from a browser that cannot do Windows authentication (or from outside the domain): you should end up on FormsLogin.aspx?failedlogin=1 with the form showing, never on the Windows credentials dialog.
Optional Step 8: URL security - secure non-aspx files (doc, gif, pdf, images, documents, etc.)
With IIS alone it is really hard to mimic the type of URL security you would get from an ISAPI filter. I find the best option is to map any file type that may contain sensitive information to aspnet_isapi.dll, so the request passes through ASP.NET's forms authentication and URL authorization before the file is served. There are two minor problems with this type of security:
1. You must know in advance which file types you want to secure; anything not mapped is served by IIS directly, with no ASP.NET check at all.
2. You must be diligent about keeping your IIS configuration up to date as new file types appear.
IIS 6 also offers a wildcard application map on the same Mappings tab, which routes every request through aspnet_isapi.dll and removes the first problem at the cost of pushing all static content through ASP.NET.
IIS->Website->Properties->Configuration
You’ll see a list of file mappings. Highlight the listing for .aspx, click Edit, and copy the entire entry in the “Executable” box, quotes included.
Click Cancel so you don’t accidentally change the .aspx mapping.
From the list of mappings, click Add. Paste the executable path in the box and enter the extension (for example .pdf) in its box. Limit verbs to “GET,POST” and uncheck the other two boxes. Repeat for each extension you want protected. If ASP.NET then answers requests for that extension with an error instead of the file, add an httpHandlers entry in web.config that maps the extension to System.Web.StaticFileHandler.
Verify by requesting one of the mapped files in a fresh browser session with no forms cookie: you should be redirected to FormsLogin.aspx rather than receiving the file.
