Is it possible to combine NTLM authentication and forms authentication on IIS7?
The setup I need to achieve is internal users authenticated via Integrated Windows Authentication and external users authenticated via forms. So only external users have to log in via a form; internal, already authenticated users navigate straight to the site.
I've already tried the approach detailed at:
http://mvolo.com/blogs/serverside/archive/2008/02/11/IIS-7.0-Two_2D00_Level-Authentication-with-Forms-Authentication-and-Windows-Authentication.aspx
but that setup forces all users to authenticate with *both* Windows *and* forms authentication (two-level authentication), not an 'either/or' situation.
I had this working on IIS6 using an IP range check to redirect to the appropriate page as detailed here:
http://beaucrawford.net/post/IIS-ldquo3bmixed-moderdquo3b-authentication-for-ASPNET-Application.aspx
but it breaks in IIS7. I think it's because you can't remove forms auth from the integrated windows page once it's enabled for the site...
The core problem seems to be that anonymous authentication must be disabled for NTLM auth but enabled for forms auth. I read in the Wrox Pro IIS7 book that forms auth is code based, and all other authentication types rely on credentials transported in HTTP headers (302 redirect for forms, 401 challenge for integrated), so they should be incompatible? But as IIS7 has an integrated pipeline, I think I should be able to customize authentication? But if that requires writing a custom HttpModule, that's a pretty advanced subject.
Can the pattern Mike used in the first link be modified to achieve what I want? Or is that approach completely wrong for this situation? Perhaps I can achieve this more simply via configuration?
Any suggestions would be much appreciated, as I've worked through 2 Wrox IIS7 books and still can't solve this problem.
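
The IP range check mentioned in the question, sketched as an added example that is not part of the original post or of either linked article. The subnets, page paths and the `LoginRouter` class are assumptions made for illustration; the check only picks which login page to send the browser to, and the Windows page must still enforce its own 401 challenge.

```csharp
using System;
using System.Net;

// Added illustration; not code from either linked post.
public static class LoginRouter
{
    // Constructed internal ranges; replace with the real internal subnets.
    static readonly string[] InternalCidrs = { "10.0.0.0/8", "192.168.0.0/16" };

    // Hypothetical page paths. The Windows page is assumed to have anonymous
    // access disabled, so IIS issues the 401 challenge there.
    const string WindowsLoginPage = "~/WinLogin.aspx";
    const string FormsLoginPage = "~/Login.aspx";

    // True when addr falls inside the network given in CIDR notation.
    public static bool InCidr(IPAddress addr, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress network = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        if (addr.AddressFamily != network.AddressFamily) return false;
        byte[] a = addr.GetAddressBytes(), n = network.GetAddressBytes();
        for (int i = 0; i < a.Length && prefix > 0; i++, prefix -= 8)
        {
            // Full byte while 8 or more prefix bits remain, partial mask otherwise.
            int mask = prefix >= 8 ? 0xFF : (0xFF << (8 - prefix)) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }

    // Pass the connection's address (Request.UserHostAddress in ASP.NET),
    // never a client-supplied header such as X-Forwarded-For.
    public static string ChooseLoginPage(string remoteAddr)
    {
        IPAddress addr;
        // Unparseable input fails closed to the forms login.
        if (!IPAddress.TryParse(remoteAddr, out addr)) return FormsLoginPage;
        foreach (string cidr in InternalCidrs)
            if (InCidr(addr, cidr)) return WindowsLoginPage;
        return FormsLoginPage;
    }

    public static void Main()
    {
        // Constructed sample addresses: internal, external, malformed.
        foreach (string ip in new[] { "10.1.2.3", "203.0.113.7", "not-an-ip" })
            Console.WriteLine(ip + " -> " + ChooseLoginPage(ip));
    }
}
```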