life in a smart mob

social networking and other stuff

IIS/ASP.Net Mixed Authentication

So I'm working on an application that is going to be used by internal users as well as external users, with the app itself written in .Net and running on Win 2003 and above (hopefully with Win 2K support also).

The interesting part is combining the security mechanisms that come with IIS and .Net. In the case where there is a pretty significant Active Directory in-house, with Groups and Roles and so on, you probably want to use that, and so you'd likely go with Integrated Auth. When coming from outside the firewall you don't have this option, and so you would go for forms auth (or even basic auth). In my situation, I want those users who are staff to be authenticated against the AD, and those who are not to be authenticated against a custom SQL Server database we have.

Now, IIS/.Net doesn't allow you to use both at the same time, but doesn't offer much in between. I have read Paul Wilson's article over at MSDN and, although this was a nice article with a solution, it again points towards only one security mechanism, which is forms.

The problem I have with this is that I cannot then easily use my AD to find the groups a user is in, or protect my resources, without the user being prompted for a username/password - because I am in forms auth world! To get round this I would have to programmatically check whether the forms user has access to that resource (and so on).

I would prefer it if you could use both. So if you are Windows authed, then when you request the DisplayDoc.aspx file, which reads a resource that has NTFS privileges set on it, you are denied (where appropriate). If you are forms authed, then this will have to be done programmatically using some security rules, which is fine. Without NTLM support in this way it makes it very difficult to use the cool impersonation features of IIS/.Net along with your AD implementation.

It's not often that I use SQL Server Windows Auth mode (mainly as it kills the connection pooling features), but in the cases where I would, it would be tricky in this situation.

One "quick-fix" way around this, which I believe would work, would be to redirect to an NTLM-protected web page when a restricted resource is requested (say by reading from the forms cookie's user-data section that this was a previously NTLM-authed user). As you logged on once, you should still have those privileges, and so impersonation at that level would work fine. It's not something I like the sound of, but it would work. I'd be interested in other people's experience of this, if you've tried it.
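To make the quick fix above concrete, here is an added example (my code, not from this post or from the articles it cites) written as an ASP.NET HttpModule: the Windows-authenticated login page stamps the forms ticket's UserData, and the module later bounces such users to an NTLM-protected copy of the document page. The names WinLogin.aspx, /secure/ and the `ntlm` marker are assumptions, as is the IIS setup described in the comments.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example, not code from the post. Assumes: forms auth is the app-wide
// <authentication mode>; /WinLogin.aspx and /secure/ have Integrated Windows
// auth enabled in IIS (anonymous disabled); files under /secure/ carry the NTFS
// ACLs that should decide access. Register with
// <httpModules><add name="MixedAuth" type="MixedAuthRedirectModule"/></httpModules>
public class MixedAuthRedirectModule : IHttpModule
{
    private const string StaffMarker = "ntlm";          // stored in the ticket's UserData
    private const string FormsDocPage = "/displaydoc.aspx";
    private const string NtlmDocPage = "/secure/DisplayDoc.aspx";

    // Called from WinLogin.aspx (NTLM-protected) to turn the Windows logon into a
    // forms ticket. UserData lives inside the encrypted, MAC-protected ticket, so
    // the "ntlm" marker cannot be planted by the client itself.
    public static void IssueStaffTicket(HttpContext ctx)
    {
        string user = ctx.Request.ServerVariables["LOGON_USER"]; // DOMAIN\user from NTLM
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(30), false, StaffMarker);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Secure = true; // the cookie is the session: keep it off clear-text HTTP
        ctx.Response.Cookies.Add(cookie);
    }

    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    private void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (string.Compare(ctx.Request.Path, FormsDocPage, true) != 0) return;

        // Only forms-authenticated staff users are redirected; non-staff forms
        // users stay here and are checked by the application's own rules.
        FormsIdentity id = ctx.User.Identity as FormsIdentity;
        if (id == null || id.Ticket.UserData != StaffMarker) return;

        // Hand the request to the NTLM-protected copy: IIS re-negotiates Windows
        // auth silently, and NTFS ACLs plus impersonation then decide access.
        ctx.Response.Redirect(NtlmDocPage + ctx.Request.Url.Query, true);
    }

    public void Dispose() { }
}
```

The redirect only changes which page serves the request; the access decision for staff is still made by IIS and NTFS on the /secure/ copy, which is what keeps the AD groups authoritative.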

A single identity por favor.

Steven.

Comments

Dimitri Glazkov said:

You need a solution? I got you a solution! :)

Take a look at the article that I posted on my blog just a little bit ago, let me know if it helps:

http://glazkov.com/blog/archive/2004/06/06/189.aspx
June 15, 2004 8:57 AM