IIS Mixed Anonymous and Windows Authentication

Question

I need to create an ASP .NET web page (hosted on Windows Server 2008R2 with IIS 7.5) which should be visible by domain users and anonymous users without prompting credential

Answer 1

The term for this is Mixed-Mode Authentication. I have done this multiple times.

This can be accomplished by using a windows authenticated site that does no more that pull the users credentials from AD and pass those to the anonymous site. I have done this using a custom ticket (GUID in a database) that expires in 5 seconds. The anonymous site takes the GUID passed, queries the DB and obtains the user id. Other ways I have done this with an encrypted URL parameter that contains the user id and time-stamp.

Internal Site

Create a Redirect URL Site: Setup this site as Window Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your anonymous site and passes the user credentials (login id).

a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.

b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.

External Site - No Changes required. Let the users login as-is.