ASP.NET Form Authentication + NTLM + LDAP

Question

I'm trying to add LDAP support to an existing ASP.NET website that uses Form Authentication. This is not a big problem, I just build a simple login dialog (ordinary HTTP POST), query the LDAP directory and log the user in via Form Authentication ticket.

It would be extremely nice to automatically get the users credentials via NTLM (Integrated Windows Authentication) without the need for a login dialog (like what you get when using ASP.NET Windows Authentication with computers in the same Active Directory). Is there an easy way to do this (keep in mind, I can't use Windows Authentication for my ASP.NET app and the server is not in an Active Directory Domain, I need to be able to query LDAP directory manually)? Or would I have to manually do all the LDAP handshaking / challenge/response thingy?

Thanks for your help, ~ saxx

Answer 1

I do just this on my intranet here. These are the steps I use...

• Create a login page (login.aspx seems good) & set the web app up for forms authentication. Set authorisation as deny anonymous. These means any attempt to use your app will cause the user to be redirected to your login page if they don't have a auth ticket.
• Now the important step. In IIS, set the app to allow anonymous only. On your login page change this to only be Windows Integrated. Now what happens is when the user is bounced to your login page, IIS forces an NTLM authentication. We now have the users name in the headers.

• 2nd important step. in the page_load method add:

  FormsAuthentication.RedirectFromLoginPage(Request.ServerVariables["Logon_user"], false); What this does is take the username IIS will always give us and put into a forms auth ticket.

There's of course a certain amount of tidying up you may want to do, perhaps adding a logout feature, or stripping the domain name of the username.

Simon