One set of code, two authentication schemes Forms

Published 2019-06-10 04:14

Question:

We have an application that is currently required to be accessed using two authentication schemes, Forms Auth and Active Directory or NTLM / Windows Auth.

The way the application is now, there are two IIS sites pointing to different folders with the same set of files, everything identical except the web.config.

Before anyone flames me this was an inherited application, but nevertheless one I am now responsible for. We have an opportunity to do some refactoring and I'm trying to figure out the best way to proceed.

Let's say the requirements for straight NTLM authentication for the application stands. You have to be able to access the app with an integrated AD prompt, allowing the employees on the internal network to access the site without manually logging in at all.

Now suppose the same application also needs to be accessible to users outside the organization as well, using forms authentication and the Membership provider. What's the least horrible way to configure this application?

Is there any possible way to configure IIS to use a file named something other than web.config for its config file? That could nip this in the bud right there.

In source control I'm thinking the way to go is to have all the source files in one project, a 'shared' project, and use build-time events to copy themselves into the two consuming web projects on build of either of the consuming projects. Then we can continue to deploy the application in two different folders, but at least in source control the common source files will exist in only one place. The downside of this is we would lose dynamic compilation, which really sucks. But better that than a ton of duplication.

I did some experimentation with routing but it seems as if you can't route to a file outside of the application's root, which would need to be different to define the different authentication schemes, so I don't think that would work.

Any thoughts, feedback or ideas are greatly appreciated,

bd

Answer 1:

You can try one web site with kind of mixed mode authentication. Check this article: http://www.pluralsight-training.net/community/blogs/craig/archive/2004/07/24/1699.aspx.

The idea is to have Forms Authentication in the ASP.NET configuration and have both anonymous access as well as Windows authentication enabled in IIS. So whenever the server sends a 401, the browser will supply Windows credentials; otherwise the login form will be displayed. The article author has provided a checkbox on the login form that would issue a 401 to get Windows credentials and then use them to issue the authentication ticket.

Another variation (from a user-experience perspective) is to have a default page that requests Integrated Windows Authentication in IIS (no anonymous access). Internal users can visit the site and get authenticated via this default page, and then the default page redirects to the application's main/home page. External users are asked to use a login page that does forms authentication and then redirects to the main page.
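A constructed sketch of the second variation (added here; not from the linked article or the asker's application): a page that IIS protects with Windows Authentication only, anonymous disabled for that path, converts the Windows identity into the same forms ticket external users get from the normal login page. It assumes web.config has `<authentication mode="Forms">`, a `<location path="WinLogin.aspx">` section that allows all users so forms authentication does not redirect before IIS has authenticated, and a hypothetical AD group name `DOMAIN\AppUsers`.

```csharp
// WinLogin.aspx.cs (constructed example). Placed under a path where IIS has
// Windows Authentication enabled and Anonymous Authentication disabled, so IIS
// has already challenged the browser (401 + Negotiate/NTLM) before this runs.
//
// Assumed web.config fragments:
//   <authentication mode="Forms"><forms loginUrl="~/Login.aspx" /></authentication>
//   <location path="WinLogin.aspx">
//     <system.web><authorization><allow users="*" /></authorization></system.web>
//   </location>
using System;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI;

public partial class WinLogin : Page
{
    // Hypothetical group that is allowed to use the integrated path.
    private const string RequiredGroup = @"DOMAIN\AppUsers";

    protected void Page_Load(object sender, EventArgs e)
    {
        WindowsIdentity winId = Request.LogonUserIdentity;

        // If anonymous access was left enabled on this path by mistake, IIS
        // hands us an anonymous token; never mint a ticket for it.
        if (winId == null || !winId.IsAuthenticated || winId.IsAnonymous)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // Group check done against the Windows token, not a user-supplied value.
        if (!new WindowsPrincipal(winId).IsInRole(RequiredGroup))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Issue the same non-persistent forms ticket the external Login.aspx
        // issues, so the rest of the app keeps one authorization model.
        // RedirectFromLoginPage honours ReturnUrl, but with
        // FormsAuthentication.EnableCrossAppRedirects at its default (false)
        // it refuses URLs outside this application.
        FormsAuthentication.RedirectFromLoginPage(winId.Name, false);
    }
}
```

The forms ticket carries `DOMAIN\user` as its name, so any role or Membership lookup downstream must accept that format as well as the names the external login page produces.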