Securing a ASP web application

[Graeme Coutts]

Developed a web application which adopts a custom security model which displays a login page and requests a username/password combination. The username works in a mixed-mode of usernames matched with the windows login name and some extra accounts (similar to SQL mixed-mode security). Web application is executed both in the corporate intranet and externally on the web.
Getting user complaints about having to login to the web application when they have already logged-on to windows. I have coded a challenge/response (response.status=401) to get a user's window login through the ServerVariables. This seems to work OK for the intranet access. If the user's windows account is not located in the application database then I redirect to the standard login page for the username/password combination. When the application is executed across the internet through a firewall, the user is prompted by IE to enter the windows domain, username, and password. There seems to be no mechanism to avoid this because of the challenge/response code. I wish that with external access from the internet that users are automatically directed to the application login screen and not faced with the IE windows authentication dialog.
Anyone care to offer a solution?

 

[Jeff Dillon]

You would need both Anonymous and Integrated Authentication turned on.

Jeff

Developed a web application which adopts a custom security model which

displays a login page and requests a username/password combination. The
username works in a mixed-mode of usernames matched with the windows login
name and some extra accounts (similar to SQL mixed-mode security). Web
application is executed both in the corporate intranet and externally on the
web.

Getting user complaints about having to login to the web application when

they have already logged-on to windows. I have coded a challenge/response
(response.status=401) to get a user's window login through the
ServerVariables. This seems to work OK for the intranet access. If the
user's windows account is not located in the application database then I
redirect to the standard login page for the username/password combination.
When the application is executed across the internet through a firewall, the
user is prompted by IE to enter the windows domain, username, and password.
There seems to be no mechanism to avoid this because of the
challenge/response code. I wish that with external access from the internet
that users are automatically directed to the application login screen and
not faced with the IE windows authentication dialog.