Im tasked with rebuilding a website and part of it is now to be made secure.  The problem is that both internal (domain account users) and external users will need access to this content.  We have a forms based authentication setup that i want to use to handle the external users, but its been mentioned that it would be better if domain users didnt have to login (using the forms authentication).  So, my question is - can I handle both with the same web app ?

Hi BitShift,

I had a similar situation. What i did was when a user comes to my website, I checked whether he was from within my company domain. If he was i would automatically log him into the site using the following statement. Here i give his browser the authentication ticket

FormsAuthentication.SetAuthCookie("Username",true)

If its an external user, then they go through the normal process of forms authentication.

This way my problem was completely solved.
 

 Ok, that sounds reasonable.  How are you checking if they are a domain user ?  In my case, I would need to check the user's ACL to verify a certain domain group membership, otherwise require a form login for external users.

 txtUserName.InnerText = User.Identity.Name;

this will have the output as

DomainName\Username

So the string before the '\' gives you the domain name. Split the string by '\' and then compare the dervied domain name with yours.

Ok, so how do you set this up in IIS ?  You cant mix authentication types, and if for the virtual directory, if you have windows auth selected, everyone will get prompted for a domain login.  If "allow anonymous" is checked, then your users who are signed on to the domain, will have the user.identity value empty.

comments ? 

I had a similar requirement and did the following:

 I check the IP address of users who hit the login page to determine if they are Intranet (192.168.*.*) users or not.  If they are not Intranet users, they go through the conventional forms authentication login routine.  If they are Intranet users, I pull their login user name ("domain\username") and log them in with forms authentication using that name.  (I have a website application account for each user in our active directory). The catch is this:  When an anonymous user accesses your site, they have no login name until they attempt to access a page that requires integrated windows authentication and restricts anonymous access.  I have a special directory on our server called "intranet" which has IIS security set to "Integrated Authentication" and Anonymous access is unchecked (it is also set to allow all users in my web.config file).  My ASP.NET login page, when it detects that a user is accessing the site from the Internal lan, will access a page in that directory using javascript.  If successful, the user now has an identity, which is their Active Directory login name. I use that name to log them in programatically using forms authentication.  If not successful, no javascript error is displayed, the user receives the standard login error message and is unable to login.

dvallaone - check your email please 

Hi all.

I have a similar requirement, except that all users are from external sources. There are 2 groups of users with different access rights. High and low.

The web application is based on forms authentication. All users will logon to the web application via "Login.aspx" (1st login) and it authenticates against SQL Server 2000.  

High access group can access additional services (via a url link) which require logging on  (2nd login) to the web server (Windows Server 2003) and is authenticated against the Active Directory.

Currently, when the high access users click on the url link, a Windows login pops up, prompting the user to enter user name and password. I would like to automate this process, ie, the 2nd login process done "behind the scenes", so that from the view point of high access group users, they only need to login once. How can I go about doing this?

 Any advice and help is deeply appreciated.

Thank you

Danny.