M
Michael Ames
I want to allow both anonymous and integrated access to a web service
simultaneously. That is, if the calling user can be authenticated on the
server, I want the calling user's username. If not, I still want them to be
able to access the web service.
The documentation suggests that this is not possible, because if IIS allows
anonymous, it doesn't pass the caller's credentials on to ASP.NET. This
must not be true, however, because I can allow anonymous in IIS, but set
<deny users="?" /> in web.config and get the WindowsIdentity for the caller
that way. So it seems to me that IIS *must* pass those credentials on to
ASP.NET, which then makes the decision to reject the request if it's from an
unrecognized user.
So. Is there a way to "tap in" to that process, so that I can get the
username of a recognized user, but still allow access by unrecognized users?
Thanks!
-Michael Ames
simultaneously. That is, if the calling user can be authenticated on the
server, I want the calling user's username. If not, I still want them to be
able to access the web service.
The documentation suggests that this is not possible, because if IIS allows
anonymous, it doesn't pass the caller's credentials on to ASP.NET. This
must not be true, however, because I can allow anonymous in IIS, but set
<deny users="?" /> in web.config and get the WindowsIdentity for the caller
that way. So it seems to me that IIS *must* pass those credentials on to
ASP.NET, which then makes the decision to reject the request if it's from an
unrecognized user.
So. Is there a way to "tap in" to that process, so that I can get the
username of a recognized user, but still allow access by unrecognized users?
Thanks!
-Michael Ames