brady gaster

yadnb

lil' old me, teaching away

i had to jump up in front of the arizona .net user group the other night to give a quick impromptu introduction since our guest speaker was a little late getting started. thing is, it got recorded and uploaded. feel free to watch and make suggestions, i'm always looking to improve.

Comments

Adam said:

I watched the first couple minutes of that video, and to answer your Application_AuthenticateRequest... I've worked quite a bit with custom authentication schemes and "mixed-mode" authentication (mixed meaning MY auth OR windows authentication running at the same time) and I've seen AuthenticateRequest fired twice and it confused the heck out of me for a while and I finally came up with a conclusion...

Basically when integrated authentication is enabled, IIS does the whole challenge/response thing. My authentication module would get called once and AuthenticateRequest would get called and the IIdentity of the current request would be anonymous. When I let my authentication module skip the first request, it would be executed immediately afterwards but this time with a WindowsIdentity object as the IIdentity of the current request. Basically the first request happened and since nobody changed the IIdentity from anonymous, the request finished and a second request was made, this time with IIS handling the authentication.

I tested this by placing a breakpoint in Application_BeginRequest and Application_AuthenticateRequest and BeginRequest happened twice also, which led me to believe that what I was seeing was nothing more than IIS letting my browser know it doesn't know who I am, challenging me to identify myself, which my browser then does for me silently (since it's IE, it supports integrated windows auth). I tested with Netscape 4.7 and the exact same thing happened, except before the second AuthenticateRequest, Netscape got control and asked for a username/password. I entered my info and hit return and AuthenticateRequest fired again.
# June 20, 2003 5:09 PM
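
The double pass described in the comment above can be recorded without breakpoints. The module below is an added example, not code from the post or from the commenter: it assumes a classic System.Web application, and the name `AuthPassTraceModule` is hypothetical. It logs every pipeline pass with the identity type and response status.

```csharp
#define TRACE
using System;
using System.Security.Principal;
using System.Web;

// Added diagnostic example; AuthPassTraceModule is a hypothetical name.
// Register it under <httpModules> in web.config to activate it.
public class AuthPassTraceModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += delegate(object s, EventArgs e) { Log(s, "BeginRequest"); };
        app.AuthenticateRequest += delegate(object s, EventArgs e) { Log(s, "AuthenticateRequest"); };
        app.EndRequest += delegate(object s, EventArgs e) { Log(s, "EndRequest"); };
    }

    public void Dispose() { }

    private static void Log(object sender, string stage)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // User is still null in BeginRequest, and stays null in later
        // stages if no authentication module has assigned a principal.
        IIdentity id = ctx.User != null ? ctx.User.Identity : null;

        // Record only whether credentials were sent, never the header value:
        // the Authorization header carries secrets that do not belong in logs.
        bool hasAuthHeader = ctx.Request.Headers["Authorization"] != null;

        System.Diagnostics.Trace.WriteLine(string.Format(
            "{0,-19} {1} {2} authHeader={3} identity={4} authenticated={5} scheme={6} status={7}",
            stage,
            ctx.Request.HttpMethod,
            ctx.Request.RawUrl,
            hasAuthHeader,
            id == null ? "(none)" : id.GetType().Name,
            id != null && id.IsAuthenticated,
            id == null ? "" : id.AuthenticationType,
            ctx.Response.StatusCode));
    }
}
```

A custom authentication module that shares the pipeline with integrated authentication has to tolerate the anonymous pass rather than treat it as a failed login; the log shows which pass carried credentials and which identity each one ended with.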