In IIS 7.5 under Windows 7 Ultimate, I have an application which is configured for authentication as follows: Anonymous & Windows

In the ASP.NET website, I have turned on Forms authentication and identity impersonate = true. I also deny any anonymous users.

<authentication mode="Forms">
</authentication>
<identity impersonate="true"/>
<authorization>
  <deny users="?"/>
</authorization>

IIS complains. What am I doing wrong... What I want to achieve: I want the Windows logged-on user so I can build a FormsAuthentication ticket and pass it to a Passive STS. So in IIS I have Anonymous and Windows... If I have only Windows ticked, I cannot go onto the Login.aspx page as I have an extra parameter to be passed from there. So now in web.config, I then disable anonymous users by saying deny user="?", so it leaves me with the authenticated Windows user but using Forms Authentication. You know what I mean??

http://msdn.microsoft.com/en-us/library/ff649264.aspx

If you see Table 4 (IIS Integrated Windows for IIS, then the Web.config setting, 3rd row), accordingly WindowsIdentity is Domain\Username. It works on IIS 6.0 under Win2003 / IIS 5.1 under XP.

chugh97
  • When IIS complains, what is the error message/status code? – Kev May 19 '10 at 11:34
  • I think you may need to review the asp.net authentication documentation. This is not a trivial concern and should be fully understood, not gleaned from a 2 paragraph show-me, even if it is right. – Sky Sanders May 19 '10 at 12:53
  • http://msdn.microsoft.com/en-us/library/ff649264.aspx If you see Table 4 IIS Integrated Windows for IIS then Web.config setting 3rd row, accordingly WindowsIdentity is Domain\Username – chugh97 May 20 '10 at 08:19

1 Answer

If this is an application that leverages claims based identity, then the responsibility of authenticating users is in the STS itself, not in the app.

If you are configuring your (web) application to trust an external STS, then your authentication mode would be "None" and you'd have a whole section in the config file for "Microsoft.identityModel". You would then configure the STS address there (the issuer attribute). Something like this:

<microsoft.identityModel>
<service>
  <audienceUris>
    <add value="https://aexpense-dev.adatum.com/" />
  </audienceUris>
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="https://localhost/Adatum.SimulatedIssuer/" realm="https://aexpense-dev.adatum.com/" requireHttps="true" />
    <cookieHandler requireSsl="false" />
  </federatedAuthentication>
  <serviceCertificate>
    <certificateReference x509FindType="FindBySubjectDistinguishedName" findValue="CN=localhost"/>
  </serviceCertificate>
  <certificateValidation certificateValidationMode="None"/>
  <applicationService>
    <claimTypeRequired>
      <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
    </claimTypeRequired>
  </applicationService>
  <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <trustedIssuers>
      <add thumbprint="f260042d59e14937984c6183fbc6bfc71baf5462" name="https://localhost/Adatum.SimulatedIssuer/" />
    </trustedIssuers>
  </issuerNameRegistry>
</service>
</microsoft.identityModel>

The STS itself might use Forms authentication or something else, depending on the implementation.

Eugenio Pace
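As an added example (it is not part of the answer above, nor the Adatum sample the answer quotes), here is what a complete relying-party web.config for WIF 3.5 looks like on IIS 7.x: the `authentication mode="None"` and `deny users="?"` settings the answer describes, the module registrations the WS-Federation redirect depends on, and the `microsoft.identityModel` section with the section registration it needs. Hostnames and certificate thumbprints are placeholders. The dev-only values in the answer's snippet (`certificateValidationMode="None"`, `cookieHandler requireSsl="false"`) are replaced with the values a production deployment should use.

```xml
<?xml version="1.0"?>
<configuration>
  <configSections>
    <!-- Registers the microsoft.identityModel section used further down -->
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <system.web>
    <!-- The app does not authenticate users itself; the STS does. -->
    <authentication mode="None" />
    <!-- Anonymous callers get a 401, which WSFederationAuthenticationModule turns into
         a redirect to the issuer. Note the attribute is "users" and the element is self-closing. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Module registration for IIS 6 / IIS 7 classic pipeline -->
    <httpModules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>
  </system.web>

  <!-- Module registration for the IIS 7.x integrated pipeline (the IIS 7.5 case in the question) -->
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <modules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           preCondition="managedHandler" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
           preCondition="managedHandler" />
    </modules>
  </system.webServer>

  <microsoft.identityModel>
    <service>
      <audienceUris>
        <!-- Placeholder realm: the token's audience must match exactly or WIF rejects it -->
        <add value="https://app.example.test/" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://sts.example.test/"
                      realm="https://app.example.test/"
                      requireHttps="true" />
        <!-- Session cookie is only sent over TLS -->
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <!-- Certificate used to decrypt incoming tokens; placeholder thumbprint -->
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint"
                              findValue="PLACEHOLDER_APP_CERT_THUMBPRINT"
                              storeLocation="LocalMachine" storeName="My" />
      </serviceCertificate>
      <!-- Validate the signing certificate's chain and revocation status instead of "None" -->
      <certificateValidation certificateValidationMode="ChainTrust" revocationMode="Online" />
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <!-- Only tokens signed by this certificate are accepted; placeholder thumbprint -->
          <add thumbprint="PLACEHOLDER_STS_SIGNING_CERT_THUMBPRINT" name="https://sts.example.test/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

With this layout the question's mix of Forms authentication, impersonation and a Windows-only IIS setting is not needed on the relying party: the app stays anonymous at the IIS level, the `deny users="?"` rule produces the 401 that the federation module converts into a redirect to the STS, and any Windows login happens at the STS. The three things worth checking after deploying are that the `realm` and `audienceUris` value match exactly, that the `trustedIssuers` thumbprint is the STS signing certificate (not its SSL certificate), and that `certificateValidationMode` is not left at `None` outside a development box.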