August 16

I recently had a request to build a prototype web application that could act as an SSO (Single Sign On) solution in an ASP.NET/IIS environment. Basically, the question is: could I meet the following list of requirements using ASP.NET, IIS and Active Directory, without any additional software?

  • Internal users should not have to enter uid/password.
  • External and non-IE users should get forms based authentication
    • ASP.NET forms, not the pop-up dialog provided by windows authentication
  • URL security - All files need to be secured; not just files ending in aspx

Before I start let me cite the works I used to compile this how-to:
usingtangent.blogspot.com and Richard Dudley

So, here is a high level overview of the process for mixing windows and forms authentication.

Leave the site with ‘Anonymous Access’ enabled, set up “Forms” authentication in the web.config, and create a process that checks whether the user can be authenticated via windows authentication and, if not, gracefully falls back to forms authentication.

Step 1: Edit web.config

Step 2: Make sure the whole website has ‘Enable Anonymous Access’ turned on.

IIS->Website->Properties->Directory Security->Edit->Enable Anonymous Access

Step 3: Create a page named FormsLogin.aspx

Add an ASP.NET Login control to the page and the following code in the code behind.

Step 4: Create a page named WinLogin.aspx

Put the following into the code behind:

Step 5: Secure WinLogin.aspx with “Integrated Windows Authentication”

IIS->Website->WinLogin.aspx->Properties->Directory Security->Edit

Note: Be sure to remove anonymous access

Step 6: Create a Redirect401.htm page

Add the following JavaScript to the page:

<script type="text/javascript" language="javascript">
window.location = "FormsLogin.aspx?failedlogin=1"
</script>

Step 7: Setup Redirect for failed Auth

Change all the 401 errors to point to Redirect401.htm:

IIS->Website->WinLogin.aspx->Properties->Custom Errors
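As an added example (not the author's code, which is not reproduced on this page), here is one way the WinLogin.aspx code-behind from Step 4 could be written. It assumes the Step 1 web.config points forms authentication's loginUrl at WinLogin.aspx, so that ASP.NET appends a ReturnUrl when it sends an unauthenticated user there; the class name and the IsLocalUrl helper are my own assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for WinLogin.aspx (class name is an assumption).
// IIS serves only this page with Integrated Windows Authentication and anonymous
// access removed (Step 5), so a browser that can do NTLM/Kerberos arrives here
// already authenticated; any other browser gets a 401 that Steps 6/7 turn into
// a redirect to FormsLogin.aspx?failedlogin=1.
public partial class WinLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Windows identity IIS established for this request (anonymous if none).
        WindowsIdentity winId = Request.LogonUserIdentity;

        if (winId == null || !winId.IsAuthenticated || winId.IsAnonymous)
        {
            // Should not happen once anonymous access is removed on this page,
            // but fall back to the same path the 401 redirect uses.
            Response.Redirect("FormsLogin.aspx?failedlogin=1", true);
            return;
        }

        // Bridge to forms authentication: the rest of the site runs with
        // anonymous access in IIS and trusts only the forms ticket (Step 1).
        // DOMAIN\user is kept so downstream code can tell domains apart.
        FormsAuthentication.SetAuthCookie(winId.Name, false /* not persistent */);

        // Honour the ReturnUrl forms authentication appended, but only if it
        // points back into this application (otherwise it is an open redirect).
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (!IsLocalUrl(returnUrl))
        {
            returnUrl = FormsAuthentication.DefaultUrl;
        }
        Response.Redirect(returnUrl, true);
    }

    // Accepts only root-relative or app-relative paths; rejects absolute and
    // protocol-relative ("//host") URLs. Assumed helper, not a framework API.
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("//") || url.StartsWith("/\\")) return false;
        return url.StartsWith("/") || url.StartsWith("~/");
    }
}
```

FormsLogin.aspx then only needs the Login control from Step 3: the control's own authenticate handler validates the credentials and issues the same kind of forms ticket, so pages behind forms authentication never need to know which path the user took.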

Optional Step 8: URL security - secure non-aspx files (doc, gif, pdf, images, documents, etc.)

With IIS alone it is really hard to mimic the same type of URL security you would get from an ISAPI filter. I find the best option is to map any file type that may contain sensitive information to the aspnet_isapi.dll. There are two minor problems with this type of security.

1. You must know what you want to secure
2. You must be diligent about keeping your IIS configuration up-to-date

IIS->Website->Properties->Configuration

You’ll see a list of file mappings. Highlight the listing for ASPX, click Edit, and copy the entire entry in the “Executable” box.

Click Cancel so you don’t accidentally mess anything up.

From the list of mappings, click Add. Paste the executable path in the box, enter the extension in its box. Limit verbs to “GET, POST” and uncheck the other two boxes.
