二级身份验证IIS7

Question

I know the question of mixed mode authentication and IIS7 has been done to death but I have a slightly different question.

I am developing an extra net to host many applications (running under their own app pools) for testing.

These applications have their own forms authentication, as when they are in a live, this is their authentication mode and ideally i dont want to have to change anything there.

What i need, is another authentication check before they even get to the applications to check whether they are allowed to be on the extranet. I dont even want them to see the login page of the applications.

Clearly, i can set windows authentication on the extranet website, and only people we have set up will be able to see it. But the inner applications use forms authentication and if you just type the whole url (eg http://extranetsite/applicationtotest/login ) then it doesnt check the windows authentication.

Has anyone got any suggestions how i could acheive this?

(FYI, im using IIS7, .net 3.5, mvc2) ps. I really want to avoid running this in Classic pipeline as i am using MVC.

Answer 1

Do you have a firewall in front of this Extranet? You could restrict access to the entire site by limiting the IP ranges allowed to see it.

Alternatively, you can set up another site that is the entry point of the applications that is secured with Windows Authentication. Then on the login page of each application you can check to see if the user has a valid referrer reference from this landing page. If not, you can redirect them back to the landing page or display a message. Not foolproof by any means but might get part of the result you are looking for.