I am working on a website for my company that is available both on our internal network and on the Internet.
And I am asked for something that does not seem possible to me, but I wanted to ask the question before actually saying that!
We have two types of users in our company: those who are actually registered in the Active Directory (and so have a Windows login account) and those who are not.
On our internal network we use the identity given by HTTPContext.Current.User.Identity.Name.
With this authentication I am able to check in the Active Directory whether the user really exists and authorize him to access the website. This is for the access via our internal network. That is fine because everyone accessing the website via the internal network needs to have an AD account.
Now, the main issue is the Internet access! For the moment, I have a popup that shows up and asks for a login / password (pretty basic, the same for everyone who is not in the AD, don't ask me why, this is a requirement.....). If the user gives the correct login/password, he can access the website even though we don't know his real identity. But what I am asked for is to have a link on this popup saying "Login using your Windows credentials". Then I need to retrieve the credentials and check in the AD whether they are correct.
After looking on the Internet I found Windows Identity Foundation, which is supposed to manage several ways of identification, but I don't feel like this is what I need; it seems to be a bit overkill for what I want to do!
Has anyone ever tried this? I know (and I told them) this is a VERY weird requirement, but I said I would have a look anyway...
[EDIT 2013/09/13]
I tried something but it is not working; maybe you can explain to me why.
I set my website in IIS to allow anonymous connections. I have added a page with a login form (for the basic authentication, which you can access without being authenticated) and a link towards another page that is configured in the web.config to deny anonymous connections.
I was hoping it would have popped up the Internet Explorer window for authentication, but instead I just got a 401 - Unauthorized. Is that normal behavior or a configuration issue?
I have done something almost exactly like this for multiple applications at my company, and we solved it like this:
- Have a login page in your application and the authentication mode set to forms
- When the user logs in, check if that user is valid in Active Directory
If the credentials were not successfully validated against Active Directory, check if the credentials are valid for your custom provider.
Then, we also provide "auto login" for people who are authenticated on their domain-connected machine. This is a separate application in IIS which is configured with Windows Authentication. Then, all the machines are set to trust *.ourcompanyname.com
for intranet applications, so that when a site on that domain requests Windows credentials, the machine provides them automatically. In this case, we detect the identity, set a machine-key encrypted cookie, and redirect back to the original application.
In the original application, prior to login, we check for the existence of this cookie, decrypt it (both applications share a machine key), and log the user in automatically.
This gives us the following results:
- Non-company users can authenticate with custom username/passwords managed by our app
- Company users can authenticate manually with their active directory credentials
- Company users don't have to type credentials when using their domain-connected PC.
If I understand correctly, you are faced with 2 difficulties:
- Having 2 distinct authentication methods in one ASP.NET application
- Manually testing if a certain username and password pair is valid inside your company's AD
I have one suggestion concerning each of the problems:
Use 2 different web.config files placed in different folders. Make one use Windows Integrated authentication and the other FormsAuthentication. Have unauthenticated users land on the Windows Integrated mode login page first and fall back on the FormsAuthentication login page in case of failure.
Within the FormsAuthentication login page, ask for username and password and use the DirectoryEntry class to communicate with your AD via LDAP. You don't need any secret credentials to do that. You can use the actual pair you just received from the user. Just ask the AD "what is my name?" using those exact credentials. If it succeeds they are ok; if not, they're not.
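Here is an added example (not from either answer) of the "bind with the user's own credentials" check described above, written as a helper you could call from the FormsAuthentication login page. The LDAP path is an assumed placeholder; it also guards against the classic pitfall where an empty password turns the bind into an anonymous one that "succeeds".

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example: validate a username/password pair by binding to AD with
// exactly those credentials, as the answer suggests. Nothing is stored or logged.
public static class AdCredentialCheck
{
    // Assumption: replace with your own domain controller and base DN.
    private const string LdapPath = "LDAP://dc.example.local/DC=example,DC=local";

    public static bool Validate(string username, string password)
    {
        // An empty password makes LDAP perform an anonymous (unauthenticated) bind,
        // which does not throw, so it must be rejected explicitly.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
            return false;

        try
        {
            // AuthenticationTypes.Secure negotiates Kerberos/NTLM signing and sealing,
            // so the password is not sent in clear text over the wire.
            using (var entry = new DirectoryEntry(LdapPath, username, password,
                                                  AuthenticationTypes.Secure))
            {
                // Touching NativeObject forces the bind; it throws if the
                // credentials are wrong, which is the "what is my name?" test.
                object bound = entry.NativeObject;
                return bound != null;
            }
        }
        catch (DirectoryServicesCOMException)
        {
            // Invalid username or password (or locked/disabled account).
            return false;
        }
        catch (COMException)
        {
            // Server unreachable or other infrastructure error: treat as not validated,
            // but surface it in your own logging so it is not mistaken for a bad password.
            return false;
        }
    }
}
```

On .NET 3.5 and later, `PrincipalContext.ValidateCredentials` from System.DirectoryServices.AccountManagement does the same bind check with less ceremony; the empty-password guard still applies.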