Archive for the 'Membership' Category

ASP.Net Hybrid Authentication

We are working on a large .NET website that will have users both on and off our domain.

  • We want to use the ASP.NET Membership framework
  • We want Windows authentication for people on our network
  • All users will be required to have an account. If a Windows user on our domain does not have an account (for example a generic logon such as ‘kiosk01’), they should receive the Forms logon page.
  • We do not want people with Windows accounts to be able to log on from outside our domain. (An employee here should not be able to log on as an employee from home.)

This was actually very easy to set up.

First we set up the website. It should have two folders for authentication, WinLogin and WebLogin.


The WebLogin folder should take the default security settings from the website's web.config.


As you can see we are using Forms authentication for the whole site and setting the logon URL to the page in the WinLogin folder.
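The web.config that produces this setup, as an added example rather than the original post's own file (the forms cookie name, the Membership provider name and the connection string are assumptions). Two details are worth calling out: ASP.NET skips URL authorization for the page named in loginUrl, so WinLogin/Default.aspx is reachable without a ticket, but WebLogin/Default.aspx is not the loginUrl and must be opened up with a location element or nobody can reach the Forms logon; and requireSSL plus httpOnlyCookies keep the Forms ticket off the wire in clear and away from script.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Assumed name; point it at the aspnet_regsql database. -->
    <add name="MembershipDb" connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication for the whole site. Unauthenticated requests are sent
         to the Windows-authenticated WinLogin folder first (see IIS settings below). -->
    <authentication mode="Forms">
      <forms name=".HYBRIDAUTH"
             loginUrl="~/WinLogin/Default.aspx"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- Deny anonymous users everywhere by default. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Membership provider. Password retrieval is off; reset is off here because
         domain accounts must never obtain a usable Forms password. If off-domain
         users need self-service reset, enable it and guard the reset page in code. -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="false"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="false" />
      </providers>
    </membership>

    <httpCookies httpOnlyCookies="true" />
  </system.web>

  <!-- The Forms login page is not the configured loginUrl, so it must be
       explicitly reachable by anonymous users. -->
  <location path="WebLogin">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The Windows authentication for the WinLogin folder (anonymous off, Integrated Windows authentication on) is set in IIS Manager as described in the rest of the post and does not appear in this file.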

We create an HTML file (401-2.htm) containing a redirect to the WebLogin page. This handles the 401;2 (access denied) error IIS raises when a user cannot authenticate to the WinLogin folder because they are off the domain (or their browser cannot supply Windows credentials). Users who do authenticate to Windows but have no ASP.NET Membership account are handled separately by the WinLogin page code, described further down.


(You may want to do the redirect with an aspx page and code-behind instead of plain HTML if you do not want to hard-code the redirect address.)
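An aspx version of the 401-2 redirect, as an added example and not the post's own file. It resolves the WebLogin address from the application root instead of hard-coding it, and tries to carry the original ReturnUrl across so the user lands where they were going. The assumption here is that IIS, for a custom error of type URL, appends the original request to the query string as `?401;http://host/WinLogin/Default.aspx?ReturnUrl=...`; if your IIS version does not, the helper simply finds nothing and the redirect goes to the plain login page. Only site-relative paths are accepted as ReturnUrl so the error page cannot be turned into an open redirector.

```csharp
// 401-2.aspx.cs (added example; class and file names are assumptions)
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.UI;

public partial class Error401_2 : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Request.Url.Query is "?401;http://host/WinLogin/Default.aspx?ReturnUrl=%2f..."
        // under the IIS custom-error convention assumed above.
        string returnUrl = ExtractReturnUrl(Request.Url.Query);

        string target = ResolveUrl("~/WebLogin/Default.aspx");
        if (returnUrl != null)
            target += "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);

        Response.Redirect(target, true);
    }

    // Pull ReturnUrl out of the original URL IIS appended, and accept only
    // site-relative paths ("/..." but not "//..." or "/\...").
    internal static string ExtractReturnUrl(string query)
    {
        if (string.IsNullOrEmpty(query))
            return null;

        int semi = query.IndexOf(';');
        if (semi < 0)
            return null;

        string original = query.Substring(semi + 1);
        int q = original.IndexOf('?');
        if (q < 0)
            return null;

        NameValueCollection qs = HttpUtility.ParseQueryString(original.Substring(q + 1));
        string ret = qs["ReturnUrl"];
        if (string.IsNullOrEmpty(ret)
            || !ret.StartsWith("/")
            || ret.StartsWith("//")
            || ret.StartsWith("/\\"))
            return null;

        return ret;
    }
}
```

Map the 401;2 custom error in IIS to 401-2.aspx instead of 401-2.htm if you use this version; the page itself lives at the site root, where anonymous access is still allowed.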

The ‘WebLogin/Default.aspx’ page should be an aspx page with a standard or customized ASP.NET Login control.

In IIS the site level authentication should be set like this…



Now for the WinLogin folder only, we set the Authentication like this…


Right click WinLogin and edit its properties alone

Now, while still on the WinLogin properties, set a custom error for HTTP Error 401;2 pointing to the 401-2.htm file created earlier.



Now all that is left is to write the code for the users who were able to authenticate to the WinLogin page.


Add whatever custom logic you want for your Windows authentications.

As you can see we don't need to do anything with the password. If this code is executing then the user has already authenticated to Windows, and we call the FormsAuthentication.RedirectFromLoginPage method with just the username and the createPersistentCookie boolean. The call to RedirectFromLoginPage also actually logs the user in: it issues the Forms authentication ticket cookie before redirecting. This confused me at first.

If the user account is not found (as in our generic logon ‘domain\kiosk01’) the user is directed to the Forms logon.
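The WinLogin page code-behind as an added example (the original post's screenshot of its code is not reproduced here, so this is my reconstruction of the logic described above, not the author's code). One point the description glosses over: because the site runs in Forms mode, Page.User is not yet authenticated when this page executes. The Windows identity that IIS established for the folder is exposed on the request as Request.LogonUserIdentity, and that is where the user name comes from. The account check uses Membership.GetUser by exact name, which is why Membership accounts for domain users have to be stored as DOMAIN\user.

```csharp
// WinLogin/Default.aspx.cs (added example; class name is an assumption)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class WinLogin_Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms mode: Page.User has no ticket yet. IIS authenticated this folder
        // with Integrated Windows auth (anonymous disabled), and exposes that
        // identity on the request.
        WindowsIdentity win = Request.LogonUserIdentity;
        string domainUser = (win != null && win.IsAuthenticated && !win.IsAnonymous)
            ? win.Name   // "DOMAIN\user"
            : null;

        // Anything arriving here without a Windows identity should have become a
        // 401;2 in IIS already; handle it defensively rather than trusting config.
        if (domainUser == null || !IsUsableMembershipAccount(domainUser))
        {
            // Off-domain, or on-domain but no (usable) Membership account,
            // e.g. DOMAIN\kiosk01: fall back to the Forms logon.
            RedirectToFormsLogin();
            return;
        }

        // Add any custom per-login logic here (auditing, role refresh, ...).

        // No password is involved: IIS already verified the credentials. This call
        // writes the Forms ticket cookie and then redirects to ReturnUrl.
        FormsAuthentication.RedirectFromLoginPage(domainUser, false /* createPersistentCookie */);
    }

    private static bool IsUsableMembershipAccount(string userName)
    {
        MembershipUser mu = Membership.GetUser(userName, false);
        return mu != null && mu.IsApproved && !mu.IsLockedOut;
    }

    private void RedirectToFormsLogin()
    {
        string target = ResolveUrl("~/WebLogin/Default.aspx");

        // Carry ReturnUrl across, but only if it is a site-relative path.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (!string.IsNullOrEmpty(returnUrl)
            && returnUrl.StartsWith("/")
            && !returnUrl.StartsWith("//")
            && !returnUrl.StartsWith("/\\"))
        {
            target += "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        }

        Response.Redirect(target, true);
    }
}
```

The IsApproved and IsLockedOut checks matter: RedirectFromLoginPage never consults the Membership provider, so without them a disabled or locked Membership account would still be issued a ticket as long as the Windows logon succeeded.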

Now you can create Membership accounts for the domain users, assigning them roles etc. Just make sure the user name includes the domain and user id, e.g. ‘mydomain\j.user.01’. You can create a randomly generated password for the Membership account, which prevents the domain user from logging in without Windows authentication. (You would also need logic to prevent these users from resetting or recovering their password, since a reset would hand them a usable Forms password.)
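How the provisioning and the guard fit together, as an added example that is not part of the original post. Provision creates the Membership record under the DOMAIN\user name with a long random password that is never shown to anyone, so the only way to obtain a ticket for that account is through WinLogin. The Login and PasswordRecovery handlers then refuse domain-style names outright, so a domain account cannot be used on the Forms page from home and can never be reset into a known password. Class and control names are assumptions, and the provider is assumed not to require a password question and answer.

```csharp
// Added example: provisioning a domain user's Membership account and guarding
// the Forms login / password recovery pages against domain accounts.
using System;
using System.Web.Security;
using System.Web.UI.WebControls;

public static class DomainAccounts
{
    // Domain accounts are stored as "DOMAIN\user"; anything with a backslash is one.
    public static bool IsDomainAccount(string userName)
    {
        return !string.IsNullOrEmpty(userName) && userName.IndexOf('\\') >= 0;
    }

    // Create the Membership record with a random password nobody knows.
    // 32 characters with 8 non-alphanumerics satisfies the default provider rules.
    public static MembershipUser Provision(string domainUser, string email, string[] roles)
    {
        if (!IsDomainAccount(domainUser))
            throw new ArgumentException("Expected DOMAIN\\user", "domainUser");

        string throwaway = Membership.GeneratePassword(32, 8);

        MembershipCreateStatus status;
        MembershipUser user = Membership.CreateUser(
            domainUser, throwaway, email,
            null, null,           // no question/answer (assumes requiresQuestionAndAnswer="false")
            true,                 // isApproved
            out status);

        if (status != MembershipCreateStatus.Success)
            throw new InvalidOperationException("CreateUser failed: " + status);

        if (roles != null && roles.Length > 0)
            Roles.AddUserToRoles(domainUser, roles);

        return user;
    }
}

// WebLogin/Default.aspx.cs: wire to the Login control's LoggingIn event, e.g.
// <asp:Login ID="LoginCtl" runat="server" OnLoggingIn="LoginCtl_LoggingIn" />
public partial class WebLogin_Default : System.Web.UI.Page
{
    protected void LoginCtl_LoggingIn(object sender, LoginCancelEventArgs e)
    {
        Login login = (Login)sender;

        // The random password already makes this fail, but reject it explicitly so
        // the attempt never reaches the provider and never counts towards lockout.
        if (DomainAccounts.IsDomainAccount(login.UserName))
        {
            login.FailureText = "Use your Windows logon for this account.";
            e.Cancel = true;
        }
    }
}

// Same guard on the recovery page (and on any ChangePassword control's
// ChangingPassword handler) so a reset can never give a domain account a
// usable Forms password.
public partial class WebLogin_Recover : System.Web.UI.Page
{
    protected void Recovery_VerifyingUser(object sender, LoginCancelEventArgs e)
    {
        if (DomainAccounts.IsDomainAccount(((PasswordRecovery)sender).UserName))
            e.Cancel = true;
    }
}
```

An administrator script would call `DomainAccounts.Provision(@"mydomain\j.user.01", "j.user@example.com", new[] { "Employees" })` once per domain user; if the provider has enablePasswordReset="false" the recovery guard is belt and braces, but it stays correct if reset is later enabled for off-domain users.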

And that's it. The best of both worlds without making things too complicated.