Active Directory AND Sql Membership?

Last post 04-10-2008 9:16 AM by danielarkley. 2 replies.

  • Active Directory AND Sql Membership?

    02-01-2008, 9:04 PM
    • danielarkley
    • Member since 08-31-2004, 1:44 PM
    • United Kingdom
    • Posts 25
    Hi all,

    I am working on a scenario whereby I need to implement the following features:

    - Users inside my business can log on to our CRM from inside our network using NTLM (i.e. no typing of usernames and passwords, authenticating against Active Directory).
    - Users outside my business can log on to the same CRM from outside our network using Forms authentication, authenticated against SQL Server (using the ASP.NET SQL Membership features).
    - I need to be able to use a unique key in entities such as discussion threads to identify the author contributing the content - e.g., if I were using a discussion board on the CRM, and posted from inside using an NTLM account, or outside using Forms, the system should know how to find my name from the membership provider.

    So far, I have implemented a simple method which takes a ProviderUserKey from an unknown provider and then, using a check to see if the key is a Guid, will look up the user the key belongs to in SQL Membership (if the key is indeed a Guid), or from Active Directory (if the key is not a Guid, but a SID instead).

    I realise this solution is not very elegant, so my question is this: Is it possible to create one site, from one codebase, which will authenticate users with NTLM against AD, Forms against SQL and with the ability to find users in either membership provider by storing just the ProviderUserKey in tables in my application?

    I hope this question makes sense, and I'd appreciate some feedback from those wiser than me in this area (most of you!).

    Best Regards,
    Daniel
    Daniel Arkley | IT / Telecoms Support Engineer | Southern Communications Ltd
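
The key-based lookup described in the post above, sketched as an added example (not the poster's code). It assumes .NET 4 or later, keys stored as strings, and two hypothetical provider names, `SqlProvider` and `AdProvider`, that would have to match the membership providers configured in web.config.

```csharp
using System;
using System.Security.Principal;
using System.Web.Security;

public static class MixedUserLookup
{
    // Assumed provider names; they must match the <membership><providers> entries in web.config.
    private const string SqlProviderName = "SqlProvider";
    private const string AdProviderName = "AdProvider";

    // Resolves a stored key (string form of a Guid or a SID) to a MembershipUser.
    // Returns null when the key matches neither format or the user is not found.
    public static MembershipUser Resolve(string storedKey)
    {
        if (string.IsNullOrWhiteSpace(storedKey))
            return null;

        Guid sqlKey;
        if (Guid.TryParse(storedKey, out sqlKey))
        {
            // SqlMembershipProvider expects a Guid as the provider user key.
            // userIsOnline = false so a display-name lookup does not touch last-activity data.
            return GetProvider(SqlProviderName).GetUser(sqlKey, false);
        }

        SecurityIdentifier sid;
        try
        {
            // ActiveDirectoryMembershipProvider expects a SecurityIdentifier as the key.
            sid = new SecurityIdentifier(storedKey);
        }
        catch (ArgumentException)
        {
            return null; // neither a Guid nor an SDDL-format SID: fail closed
        }
        return GetProvider(AdProviderName).GetUser(sid, false);
    }

    private static MembershipProvider GetProvider(string name)
    {
        MembershipProvider provider = Membership.Providers[name];
        if (provider == null)
            throw new InvalidOperationException("Membership provider not configured: " + name);
        return provider;
    }
}
```

Storing the provider name in a column next to the key would remove the need to infer the provider from the key's shape.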
  • Re: Active Directory AND Sql Membership?

    02-04-2008, 6:43 AM

    Hi

    Based on my understanding, you want to implement a mixed-mode authentication (Forms and Windows) system. Users could be authenticated against SQL or Active Directory. What about challenging for the Windows name/password (NTLM) up to 3 times? If the user cannot log in after the third attempt, redirect them to your own custom logon screen to get their forms credentials, like in this article:

    http://technet.microsoft.com/en-us/library/ms972958.aspx

    Please correct me if I'm not on the point.

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support
  • Re: Active Directory AND Sql Membership?

    04-10-2008, 9:16 AM
    • danielarkley

    Hello. Sorry for the late response. You are partly right, I do indeed want to use mixed-mode authentication. The plan is that our customers will log in to our CRM system from across the internet, providing their credentials in forms authentication which will be checked against a username and password held in our SQL database. Additionally, our staff will use Windows authentication to log in across our internal network authenticated against our Active Directory, without typing their credentials.

    I don't like the idea of prompting after 3 NTLM failures. My main question is how to go about using the two authentication systems - do I need to define two IIS sites, or can they run in the same site?

    Daniel Arkley | IT / Telecoms Support Engineer | Southern Communications Ltd