When using the Basic Authentication method of IIS, you generally end up placing all restricted content within one folder, and all non-restricted content elsewhere. But what if you need to restrict access to a particular type of file, or to a URL request that has no physical file on which to change the IIS security settings, such as trace.axd, without requiring every user to log in, while still using IIS to perform the authentication?
This could be achieved by writing your own HttpModule that handles all requests and performs the Basic Authentication itself. However, with a few configuration changes and a small amount of code, the same effect can be achieved much more easily.
The first step is to set your main application to use Forms Authentication.
<authentication mode="Forms">
    <forms loginUrl="Authentication\Login.aspx" name=".ASPNETFRM"/>
</authentication>
Forms Authentication will only force a user to log in if a particular resource has been denied to them. As we are not specifying an authorization section, all users will have access to all resources.
To restrict access to trace.axd to only those users who are authenticated, we need to add a location tag to the web.config file.
Off the root of your web site, create a new web application called Authentication. This is the folder where ASP.NET will redirect the users who need to be authenticated. It should match the first part of the loginUrl attribute that you added to the forms element in step 1.
With IIS, change the security settings of this folder: remove Anonymous, Digest and Windows authentication, and enable Basic.
Within the Authentication folder, create a file called Login.aspx. This file name should match the last part of the loginUrl attribute. It will contain the code that maps the Windows authentication to the ASP.NET forms based application.
Within Login.aspx, copy the following code:
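<%@ Page language="c#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Configuration" %>
<SCRIPT language="C#" runat="server">
private void Page_Load(Object Src, EventArgs e )
{
    // Name of the user that IIS has already authenticated with Basic
    string user = HttpContext.Current.User.Identity.Name;
    // Non-persistent Forms ticket with a 30 minute timeout
    FormsAuthenticationTicket ticket =
        new FormsAuthenticationTicket( user, false, 30 );
    string encTicket = FormsAuthentication.Encrypt(ticket);
    // The cookie name is read from the AuthCookie application setting
    Response.Cookies.Add( new HttpCookie(
        ConfigurationSettings.AppSettings["AuthCookie"],
        encTicket ) );
    // Send the user back to the resource that was originally requested
    Response.Redirect(
        FormsAuthentication.GetRedirectUrl( user, false ) );
}
</SCRIPT>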
When the Page Load event runs, the code grabs the name of the current user from the HttpContext. A new FormsAuthenticationTicket is created and then this is returned to the user in a cookie. The cookie name must be the same name that was defined in the web.config.
The users who will be authenticating will need valid NTFS permission to access both the Authentication folder and the Login.aspx page. You do not have to restrict the access to these files, just ensure that all users are able to reach them.
Within the Authentication folder, create a new web.config file. Within this file, we need to add the application settings value for the cookie that is picked up in Login.aspx, and we need to bind ASP.NET to the IIS Authentication to ensure that the User property of the HttpContext is populated with the details of the user authenticating against IIS.
<add key="AuthCookie" value=".ASPNETFRM"/>
Finally, the default behavior for Forms Authentication is that each application within a web site will receive its own unique encryption key that is used to encrypt the cookie value. Because we need the cookie created within the Authentication application to be valid across all other applications in the web site, we need to switch off this behavior.
Within the web.config file of the root application, add the additional entry:
Now, try to access the trace.axd output. If everything is set up correctly, you will be asked to log in before the data is sent back to you.
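The two configuration files that the steps above describe, assembled as an added example rather than the author's original listings. The `location` block, the `machineKey` entry without the `IsolateApps` modifier, and `mode="Windows"` in the Authentication folder are assumptions filled in from the text.

```xml
<!-- File 1: web.config of the root application (added example) -->
<configuration>
  <system.web>
    <!-- Step 1: Forms Authentication; Login.aspx reuses this cookie name -->
    <authentication mode="Forms">
      <forms loginUrl="Authentication\Login.aspx" name=".ASPNETFRM"/>
    </authentication>

    <!-- Assumption: omitting the IsolateApps modifier makes the root and the
         Authentication application derive the same auto-generated key, so a
         ticket encrypted by Login.aspx can be decrypted by the root application -->
    <machineKey validationKey="AutoGenerate"
                decryptionKey="AutoGenerate"
                validation="SHA1"/>
  </system.web>

  <!-- Assumption: deny anonymous users ("?") for trace.axd only; every other
       resource stays open because no site-wide authorization section is set -->
  <location path="trace.axd">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- File 2: Authentication/web.config (added example) -->
<configuration>
  <appSettings>
    <!-- Must equal the name attribute of the forms element in file 1 -->
    <add key="AuthCookie" value=".ASPNETFRM"/>
  </appSettings>
  <system.web>
    <!-- Assumption: Windows mode binds ASP.NET to the identity established by
         IIS Basic authentication, which populates HttpContext.Current.User -->
    <authentication mode="Windows"/>
  </system.web>
</configuration>
```

Basic authentication sends the password base64-encoded rather than encrypted, so the Authentication folder should be served over HTTPS only. `AutoGenerate` keys are generated per machine, so a web farm needs explicit key values instead.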