Passing form credentials to windows security

Ok to explain my scenario here is my goal

I have an intranet site that is available internally as well as externally.
Currently it is just html files on the intranet (that change may come later
which will make it easy to secure via an application, unfortunately right now
that is not an options)

What i would like to do is essentialy mix windows and forms based
authentication however the articles I have found wont exactly accomplish what
i need since I do not have my intranet as an application.

I have anonymous turned off and integrated authentication turned on so that
anyone internally does not get prompted for a username and password, the
external side first hits my redirection to ssl page (shich is set to allow
anonoymous access) and then the user gets prompted for a username and
password via the standard windows popup since I have windows NTFS permissions
set on the entire directory.

What I want to do is if a user is not authenticated via integrated, i want
to present them with a pretty form to log into instead of the windows pop up
box, and then authenticate them against Active Directory and then pass the
authenticated credentials to IIS as they were logged into the computer with
those credentials exactly as Microsoft has done with Exchange webmail.

Is this possible and any steps in the right direction would be appreciated.
I have the form written and is authenticating via Active Directory and then
doing the redirect to the home page via ssl, the only problem I have to work
the details on is passing those credentials to windows security so they are
not prompted for the user name again via the windows pop up box. It looks as
though the OWA logon passes those credentials to a .dll file that is handling
this.


Thanks in advance for any tips helping me out on this one.
Please let me know if any of this is unclear.




Doug

Re: Passing form credentials to windows security

CustomAuth from IIS Platform SDK shows how to pass form credentials.
http://blogs.msdn.com/david.wang/archive/2006/01/24/HOWTO_In stall_and_Use_CustomAuth_on_IIS_6.aspx

However, the custom scheme you describe (try Windows first and if it fails,
try forms) cannot be configured. Lots of people want that behavior, but
sorry, the standardized browsers and the authentication protocols just don't
work that way.

You can configure two websites, one Intranet that is Windows only, the other
Extranet that is Forms auth only.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Doug" wrote in message
news:0393219E-EDF5-4B07-994B-9251F78A9947@microsoft.com...
> Ok to explain my scenario here is my goal
>
> I have an intranet site that is available internally as well as
> externally.
> Currently it is just html files on the intranet (that change may come
> later
> which will make it easy to secure via an application, unfortunately right
> now
> that is not an options)
>
> What i would like to do is essentialy mix windows and forms based
> authentication however the articles I have found wont exactly accomplish
> what
> i need since I do not have my intranet as an application.
>
> I have anonymous turned off and integrated authentication turned on so
> that
> anyone internally does not get prompted for a username and password, the
> external side first hits my redirection to ssl page (shich is set to allow
> anonoymous access) and then the user gets prompted for a username and
> password via the standard windows popup since I have windows NTFS
> permissions
> set on the entire directory.
>
> What I want to do is if a user is not authenticated via integrated, i want
> to present them with a pretty form to log into instead of the windows pop
> up
> box, and then authenticate them against Active Directory and then pass the
> authenticated credentials to IIS as they were logged into the computer
> with
> those credentials exactly as Microsoft has done with Exchange webmail.
>
> Is this possible and any steps in the right direction would be
> appreciated.
> I have the form written and is authenticating via Active Directory and
> then
> doing the redirect to the home page via ssl, the only problem I have to
> work
> the details on is passing those credentials to windows security so they
> are
> not prompted for the user name again via the windows pop up box. It looks
> as
> though the OWA logon passes those credentials to a .dll file that is
> handling
> this.
>
>
> Thanks in advance for any tips helping me out on this one.
> Please let me know if any of this is unclear.
>
>
>
>
> Doug
>
>
>

Re: Passing form credentials to windows security

David,

Thats awesome and exactly what I am looking for. Thanks.. My next question
is there any sample custom login forms available. I familiar with posting
forms however does the form post back to the dll?
i assume that the inherent login form is compiled into the dll file however
im ok with creating just an html file or asp file and was wondering if you
knew of some samples out there?

Thanks again!

Doug



"David Wang [Msft]" wrote:

> CustomAuth from IIS Platform SDK shows how to pass form credentials.
> http://blogs.msdn.com/david.wang/archive/2006/01/24/HOWTO_In stall_and_Use_CustomAuth_on_IIS_6.aspx
>
> However, the custom scheme you describe (try Windows first and if it fails,
> try forms) cannot be configured. Lots of people want that behavior, but
> sorry, the standardized browsers and the authentication protocols just don't
> work that way.
>
> You can configure two websites, one Intranet that is Windows only, the other
> Extranet that is Forms auth only.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> "Doug" wrote in message
> news:0393219E-EDF5-4B07-994B-9251F78A9947@microsoft.com...
> > Ok to explain my scenario here is my goal
> >
> > I have an intranet site that is available internally as well as
> > externally.
> > Currently it is just html files on the intranet (that change may come
> > later
> > which will make it easy to secure via an application, unfortunately right
> > now
> > that is not an options)
> >
> > What i would like to do is essentialy mix windows and forms based
> > authentication however the articles I have found wont exactly accomplish
> > what
> > i need since I do not have my intranet as an application.
> >
> > I have anonymous turned off and integrated authentication turned on so
> > that
> > anyone internally does not get prompted for a username and password, the
> > external side first hits my redirection to ssl page (shich is set to allow
> > anonoymous access) and then the user gets prompted for a username and
> > password via the standard windows popup since I have windows NTFS
> > permissions
> > set on the entire directory.
> >
> > What I want to do is if a user is not authenticated via integrated, i want
> > to present them with a pretty form to log into instead of the windows pop
> > up
> > box, and then authenticate them against Active Directory and then pass the
> > authenticated credentials to IIS as they were logged into the computer
> > with
> > those credentials exactly as Microsoft has done with Exchange webmail.
> >
> > Is this possible and any steps in the right direction would be
> > appreciated.
> > I have the form written and is authenticating via Active Directory and
> > then
> > doing the redirect to the home page via ssl, the only problem I have to
> > work
> > the details on is passing those credentials to windows security so they
> > are
> > not prompted for the user name again via the windows pop up box. It looks
> > as
> > though the OWA logon passes those credentials to a .dll file that is
> > handling
> > this.
> >
> >
> > Thanks in advance for any tips helping me out on this one.
> > Please let me know if any of this is unclear.
> >
> >
> >
> >
> > Doug
> >
> >
> >
>
>
>

Re: Passing form credentials to windows security

I am also having troubles getting customauth to redirect to a specified logon
page. is there any tricks to this.

my page is named logon.htm
and i have specified the full url in the ini
LogonURL=https://www.mydomain.com/logon.htm

Thanks in advance

Doug


"Doug" wrote:

> David,
>
> Thats awesome and exactly what I am looking for. Thanks.. My next question
> is there any sample custom login forms available. I familiar with posting
> forms however does the form post back to the dll?
> i assume that the inherent login form is compiled into the dll file however
> im ok with creating just an html file or asp file and was wondering if you
> knew of some samples out there?
>
> Thanks again!
>
> Doug
>
>
>
> "David Wang [Msft]" wrote:
>
> > CustomAuth from IIS Platform SDK shows how to pass form credentials.
> > http://blogs.msdn.com/david.wang/archive/2006/01/24/HOWTO_In stall_and_Use_CustomAuth_on_IIS_6.aspx
> >
> > However, the custom scheme you describe (try Windows first and if it fails,
> > try forms) cannot be configured. Lots of people want that behavior, but
> > sorry, the standardized browsers and the authentication protocols just don't
> > work that way.
> >
> > You can configure two websites, one Intranet that is Windows only, the other
> > Extranet that is Forms auth only.
> >
> > --
> > //David
> > IIS
> > http://blogs.msdn.com/David.Wang
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> >
> > "Doug" wrote in message
> > news:0393219E-EDF5-4B07-994B-9251F78A9947@microsoft.com...
> > > Ok to explain my scenario here is my goal
> > >
> > > I have an intranet site that is available internally as well as
> > > externally.
> > > Currently it is just html files on the intranet (that change may come
> > > later
> > > which will make it easy to secure via an application, unfortunately right
> > > now
> > > that is not an options)
> > >
> > > What i would like to do is essentialy mix windows and forms based
> > > authentication however the articles I have found wont exactly accomplish
> > > what
> > > i need since I do not have my intranet as an application.
> > >
> > > I have anonymous turned off and integrated authentication turned on so
> > > that
> > > anyone internally does not get prompted for a username and password, the
> > > external side first hits my redirection to ssl page (shich is set to allow
> > > anonoymous access) and then the user gets prompted for a username and
> > > password via the standard windows popup since I have windows NTFS
> > > permissions
> > > set on the entire directory.
> > >
> > > What I want to do is if a user is not authenticated via integrated, i want
> > > to present them with a pretty form to log into instead of the windows pop
> > > up
> > > box, and then authenticate them against Active Directory and then pass the
> > > authenticated credentials to IIS as they were logged into the computer
> > > with
> > > those credentials exactly as Microsoft has done with Exchange webmail.
> > >
> > > Is this possible and any steps in the right direction would be
> > > appreciated.
> > > I have the form written and is authenticating via Active Directory and
> > > then
> > > doing the redirect to the home page via ssl, the only problem I have to
> > > work
> > > the details on is passing those credentials to windows security so they
> > > are
> > > not prompted for the user name again via the windows pop up box. It looks
> > > as
> > > though the OWA logon passes those credentials to a .dll file that is
> > > handling
> > > this.
> > >
> > >
> > > Thanks in advance for any tips helping me out on this one.
> > > Please let me know if any of this is unclear.
> > >
> > >
> > >
> > >
> > > Doug
> > >
> > >
> > >
> >
> >
> >