Is it possible to mix all these access controls in one site?
I have a requirement saying
- a) Users from the AD must be allowed access, using integrated security
- b) Users from some other AD must be allowed access; potentially by logging in
- c) Users not in the AD’s should be able to create a new account on the site.
Now, ofcourse, i would like the site not to care about where a user was authenticated; just that he was.
What is the best way to achieve this?
I did something like this on a project a while ago, and it worked like this:
I set the application to use Forms Authentication, with anonymous access enabled in IIS.
I created a standard Forms Authentication login page that accepted a user ID and password to do non-integrated logins.
I also made a special .aspx page for integrated security login and set ONLY that one page to use integrated security (and not anonymous access) in IIS. This page manually created a Forms Authentication ticket based on the credentials from IIS.
In the main Forms Authentication login page, I looked at the incoming address on the request to see if it was from the LAN, and if so, redirected to the integrated security login page (so the user did not get prompted for user ID and password, it just logged them in with integrated security).
I also made the Forms Authentication login page smart enough to determine, based on your user ID, if you were an AD user, and do an LDAP lookup against the AD if so to check your password. This enabled users who had AD accounts to log using their AD credentials even when not on the LAN (and thus not using integrated security). For non-AD users, verification was done against a separate list of user IDs and password hashes maintained by the application.