I’m thankful for all the other people that helped me with this!

Solved: Mixed-mode authentication in IIS6

Implementing a mixed-mode authentication system in a CodeOnTime generated application, using IIS6.

Step 1:
Add a new Web Form to the root of the site, called ActiveDirectoryLogin.aspx

Step 2:
The Page_Load code for this webform is:


using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for ActiveDirectoryLogin.aspx. IIS serves this one page with Integrated
// Windows Authentication only (Step 6), so LOGON_USER carries the caller's Windows account.
protected void Page_Load(object sender, EventArgs e)
{
    bool Fail = false;
    string userName = null;

    // Session["Fail"] is set below after a failed attempt, so a caller with no matching
    // Membership account is not bounced back here by Login.ascx in a redirect loop.
    if (!Convert.ToBoolean(Session["Fail"]))
    {
        userName = Request.ServerVariables["LOGON_USER"];
    }

    if (!String.IsNullOrEmpty(userName))
    {
        // The Windows account name must also exist as a Membership user
        MembershipUser user = Membership.GetUser(userName);
        if (user != null)
        {
            // Non-persistent forms ticket: the cookie expires with the browser session
            FormsAuthentication.RedirectFromLoginPage(user.UserName, false);
        }
        else
        {
            Fail = true;
        }
    }
    else
    {
        Fail = true;
    }

    if (Fail)
    {
        Session["Fail"] = Fail;
        // Hand the Windows user name to the forms login page; URL-encode it, since it may contain "\"
        Response.Redirect("~/Login.aspx?u=" + HttpUtility.UrlEncode(userName));
    }
}


Step 3:
Modify /Controls/Login.ascx.cs as follows:


using System;
using System.Text.RegularExpressions;
using System.Web.Security;
using System.Web.UI;

protected void Page_Load(object sender, EventArgs e)
{
    // Intranet callers who have not already failed an AD login are sent to the
    // Windows-authenticated page; ?logout=true bypasses this so a sign-out sticks.
    if (IsIntranetUser(Request.ServerVariables["REMOTE_ADDR"])
        && !Convert.ToBoolean(Session["Fail"])
        && Request.QueryString["logout"] != "true")
    {
        Response.Redirect("~/ActiveDirectoryLogin.aspx");
    }
    else
    {
        if (!Page.User.Identity.IsAuthenticated && Request.QueryString["logout"] != "true")
        {
            // CAUTION: an HTTP request header is supplied by the client, so this branch signs in
            // whatever account name the client puts in "UserName" with no password check. Keep it
            // only if a trusted upstream (e.g. a reverse proxy) sets this header and strips it from
            // incoming client requests; otherwise remove this block.
            string userName = Request.Headers["UserName"];

            if (!String.IsNullOrEmpty(userName))
            {
                MembershipUser user = Membership.GetUser(userName);
                if (user != null)
                {
                    FormsAuthentication.RedirectFromLoginPage(user.UserName, false);
                }
            }
        }
        else if (Request.QueryString["logout"] == "true")
        {
            // Normalize any logout request onto the login URL itself, dropping ReturnUrl
            if (!Request.Url.AbsolutePath.Contains("Login.aspx") || Request.Params["ReturnUrl"] != null)
            {
                Response.Redirect(FormsAuthentication.LoginUrl + "?logout=true");
            }
        }
    }
}

private bool IsIntranetUser(string IP)
{
    // XXX.XXX.XXX stands for the first three octets of your intranet range. The dots are
    // escaped so they match literally, and the trailing "\." stops 10.1.1 from also matching 10.1.10.x
    return !string.IsNullOrEmpty(IP) && Regex.IsMatch(IP, @"^XXX\.XXX\.XXX\.");
}
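As an added example (not from the original post or from Code On Time), here is a stricter replacement for the IsIntranetUser check above: it matches REMOTE_ADDR against explicit CIDR ranges instead of a string prefix, which avoids both the unescaped-dot problem and a prefix like "10.1.1" also matching 10.1.100.x. The two ranges are constructed placeholders for your own network.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

public static class IntranetCheck
{
    // Replace with the address ranges of your own intranet (constructed placeholders)
    static readonly string[] IntranetCidrs = { "10.1.0.0/16", "192.168.5.0/24" };

    // True only when REMOTE_ADDR is an IPv4 address inside one of the configured ranges.
    // REMOTE_ADDR is the TCP peer address; do not substitute X-Forwarded-For here, as that
    // header is client-controlled unless a trusted proxy overwrites it.
    public static bool IsIntranetUser(string remoteAddr)
    {
        IPAddress ip;
        if (string.IsNullOrEmpty(remoteAddr) || !IPAddress.TryParse(remoteAddr, out ip))
            return false;
        if (ip.AddressFamily != AddressFamily.InterNetwork)
            return false; // IPv6 peers (including ::1) are treated as external here
        foreach (string cidr in IntranetCidrs)
            if (InRange(ip, cidr))
                return true;
        return false;
    }

    // Compares the address to the network one octet at a time under the prefix mask
    static bool InRange(IPAddress ip, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress net = IPAddress.Parse(parts[0]);
        int bits = int.Parse(parts[1]);
        byte[] a = ip.GetAddressBytes();
        byte[] n = net.GetAddressBytes();
        for (int i = 0; i < 4; i++)
        {
            // Number of mask bits that fall in this octet: 8, 0, or a partial count
            int maskBits = Math.Max(0, Math.Min(8, bits - 8 * i));
            byte mask = (byte)(maskBits == 0 ? 0 : 0xFF << (8 - maskBits));
            if ((a[i] & mask) != (n[i] & mask))
                return false;
        }
        return true;
    }
}
```

With the placeholders above, 10.1.200.7 and 192.168.5.9 are intranet and 10.10.0.1 or 192.168.50.9 are not.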


Step 4:

On the Web Server screen of the project settings (in COT), add this to the Web.Config modification instructions:


InsertAfter: /configuration/system.web.extensions

<location path="Login.aspx">
    <system.web>
        <authorization>
            <allow users="?,*" />
        </authorization>
    </system.web>
</location>
<location path="ActiveDirectoryLogin.aspx">
    <system.web>
        <authorization>
            <allow users="?,*" />
        </authorization>
    </system.web>
</location>



Step 5:
In IIS, configure the root of the server to use Anonymous access only.

Step 6:
In IIS, select ActiveDirectoryLogin.aspx, and click 'File Security'.
Uncheck "Anonymous Access"
Check the box for "Integrated Windows Authentication"

Step 7:
Modify Web.Membership.js to include this:


Sys.Services.AuthenticationService.logout("Login.aspx?logout=true", a, a, a)


(Note, you will need to redo this if you ever regenerate the code)

Step 8:
To allow a logged out person a method to log back in using AD, we simply give them a link that removes logout=true. To do this, modify /Controls/Login.aspx to include this:


<div style="padding-left:3px;margin-top:-3px;"><a href="/login.aspx">Login with Active Directory</a></div>


Step 9:
On a Windows machine (I don't know how to do this on a Mac, sorry) you need to add your site to the Intranet zone, in order for your Windows authentication to be sent to the server automatically. Here's a procedure to do that:


a. In IE, click Tools >>> Security
b. Click Local Intranet, click Sites
c. Click Advanced
d. Click Add
e. Click Close
f. Click Ok
g. Click Ok
h. Restart IE9


Hopefully this will help others attempting to do this with COT. Please let me know if you have any questions or suggestions for improvement, and I'll answer / update this accordingly!