
Our client asked us to make our web application accessible from both the intranet and the Internet. When a user accesses the website from the intranet, the user should be logged in immediately (Windows Auth). The user should also have public access (e.g. from home or a coffee shop), but in that case he should enter his credentials and the server will check whether they are valid.

Any advice?

bunjeeb
  • This is tricky because IIS usually filters Windows Auth requests. I think you would need to create a login service which proves the request and redirects to the main application (if you're on the intranet) or to a login screen (if you're on the Internet). – Andrei V Oct 08 '14 at 08:14
  • So do you think that I should use two URLs :( ? One for the intranet and the other one for the Internet? – bunjeeb Oct 08 '14 at 08:19
  • No. You might achieve all this through a custom authorization filter without the need for two URLs or applications. There are several examples out there on how to implement one. I'm no expert in Active Directory and network identification, but I think it can be done. If you set IIS (and the application) to "Windows Auth", IIS will first prompt for credentials regardless of whether you're on the intranet or the Internet. I think you need to set up a pseudo Forms Auth and do a custom authorization based on the info received from the client. – Andrei V Oct 08 '14 at 08:26
  • I will try to go with this tricky solution http://stackoverflow.com/questions/8396813/asp-net-mvc-3-login-and-windows-authentication – bunjeeb Oct 08 '14 at 13:58

2 Answers


This is the standard way Integrated Windows Authentication works. If you're inside the intranet (logged onto the domain), IE will automatically send your credentials when the website returns 401.2 (no auth method specified). When you're not inside the domain, the credentials will have to be prompted for, since the domain server cannot be contacted from the client machine.

This is not the same as the "tricky" solution you referred to. That solution is tricky because it also uses forms authentication, which you don't need here (AFAIK).

Matt Small
  • Sorry for being late ... Actually the customer wants to enter his credentials if he is on the Internet, with the ability to log out on the intranet and the Internet!!! – bunjeeb Oct 14 '14 at 05:05

We decided not to use Windows Auth at all. The customer wants to stay logged in if he is on the intranet, so we did the following (and the customer is OK with that):

  1. Forms Auth + 'Keep me logged in' checkbox.
  2. Validate the credentials with AD.
  3. Check whether the user is in a trusted IP address range (something like the allowed IP addresses in SQL Azure).
  4. If in a trusted IP range, the user becomes authenticated.
  5. If not, two-factor auth by sending an SMS.

One more reason for not using Windows Auth: the user wants to log out at any time to use different credentials for some special tasks.

Usually customers do not know exactly what they want, so we start dreaming and make things complicated. 'Simply keep me logged in' for trusted IP addresses, and he will stay logged in for N days.

bunjeeb
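The five steps in the answer above, written out as an ASP.NET MVC login flow. This is an added example, not code from the answer's author; the controller, the `TrustedNetworks` and `SmsTwoFactor` helpers, the trusted ranges and the domain name `corp.example` are all assumptions. The one thing the steps leave implicit is worth making explicit: the persistent "keep me logged in" cookie is only ever issued on the trusted-range path, and the trusted-range decision is taken on the socket address IIS saw, not on a client-supplied header.

```csharp
// Added example, not code from the original answer. Assumed names: AccountController,
// TrustedNetworks, SmsTwoFactor, the trusted ranges and the domain "corp.example".
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;
using System.DirectoryServices.AccountManagement;

// Step 3: trusted ranges as (network, prefix length); the values are assumed.
public static class TrustedNetworks
{
    private static readonly Tuple<IPAddress, int>[] Ranges =
    {
        Tuple.Create(IPAddress.Parse("10.20.0.0"), 16),
        Tuple.Create(IPAddress.Parse("192.168.5.0"), 24),
    };

    public static bool Contains(IPAddress address)
    {
        if (address == null) return false;
        if (address.IsIPv4MappedToIPv6) address = address.MapToIPv4();
        return Ranges.Any(r => r.Item1.AddressFamily == address.AddressFamily
                               && SamePrefix(r.Item1, address, r.Item2));
    }

    private static bool SamePrefix(IPAddress a, IPAddress b, int bits)
    {
        byte[] x = a.GetAddressBytes(), y = b.GetAddressBytes();
        for (int i = 0; i < bits; i++)
            if (((x[i / 8] ^ y[i / 8]) & (0x80 >> (i % 8))) != 0) return false;
        return true;
    }
}

// Step 5: one-time SMS code. Generation and comparison are real; the gateway
// call is the assumed part and is shown only as a comment.
public static class SmsTwoFactor
{
    public static string SendCode(string userName)
    {
        var buf = new byte[4];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(buf);
        string code = (BitConverter.ToUInt32(buf, 0) % 1000000).ToString("D6");
        // smsGateway.Send(MobileNumberFor(userName), code);   // assumed gateway
        return code;
    }

    public static bool Matches(string expected, string supplied)
    {
        if (supplied == null || supplied.Length != expected.Length) return false;
        int diff = 0;   // constant-time compare so timing does not leak the code
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ supplied[i];
        return diff == 0;
    }
}

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl, bool rememberMe = false)
    {
        // Step 2: simple bind against AD with the user's own credentials.
        bool valid;
        using (var ctx = new PrincipalContext(ContextType.Domain, "corp.example"))
            valid = ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate);
        if (!valid) { ModelState.AddModelError("", "Invalid user name or password."); return View(); }

        // Step 3: use the socket address IIS saw. X-Forwarded-For is client-controlled
        // unless a proxy you operate overwrites it, so it is not consulted here.
        IPAddress client;
        IPAddress.TryParse(Request.UserHostAddress, out client);
        if (TrustedNetworks.Contains(client))
        {
            // Step 4 (with step 1): only this path honours the persistent
            // "keep me logged in" cookie, so it never survives onto a public network.
            FormsAuthentication.SetAuthCookie(userName, rememberMe);
            return RedirectToLocal(returnUrl);
        }
        // Step 5: park the user server-side until the SMS code is confirmed;
        // no auth cookie is issued yet, so the second factor cannot be skipped.
        Session["PendingUser"] = userName;
        Session["PendingCode"] = SmsTwoFactor.SendCode(userName);
        return RedirectToAction("VerifyCode", new { returnUrl });
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult VerifyCode(string code, string returnUrl)
    {
        var user = Session["PendingUser"] as string;
        var expected = Session["PendingCode"] as string;
        Session.Remove("PendingCode");   // single use: a wrong guess forces a fresh login
        if (user == null || expected == null || !SmsTwoFactor.Matches(expected, code))
            return RedirectToAction("Login");
        Session.Remove("PendingUser");
        FormsAuthentication.SetAuthCookie(user, false);   // session cookie only off-network
        return RedirectToLocal(returnUrl);
    }

    private ActionResult RedirectToLocal(string returnUrl)   // open-redirect guard
    {
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

The "log out at any time" requirement that the answer gives as its other reason for dropping Windows Auth is what Forms Auth makes trivial: a `[HttpPost]` action calling `FormsAuthentication.SignOut()` followed by `Session.Abandon()` ends the session on either network. Two caveats a practitioner would want: the SMS code here has no expiry beyond the session lifetime, so set a short session timeout for the pending state, and `ValidateCredentials` sends the password to the domain controller on every login, so the site must be served over HTTPS or the coffee-shop scenario leaks domain credentials in the clear.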