I have an MVC application for our intranet that uses NTLM authentication, but I want to be able to allow external users access to the application. All external connections to our intranet come through NAT and therefore have one IP address, which can be used to indicate whether a request is external or not. I want all internal users to pass NTLM authentication, as they already do, but any connection coming from an external IP to automatically receive anonymous authentication ("anonymous" meaning any potential user by default, for example a standard network account, IUSR_, a specified domain user (strictly locked down for other purposes, of course), etc.). As a result, no one should see a password prompt if they are not internal and have a browser which uses NTLM by default.
I know that basic mixed-mode authentication is awkward at best, but I was wondering if this particular use case could somehow be solved. Some of the features that I have reviewed are as follows:
- Intercepting requests before they reach the WindowsAuthenticationModule module, either in IIS, or in the global.asax event, or in the HTTPHandler, so that we can implement authentication for the designated user.
- There is a way in NAT to embed NTLM headers in an HTTP request for a designated user.
- As external users access it through a different host (DNS is processed at the end to match their naming conventions), IIS should serve a simple proxy site that accepts the request, redirects the request to the main website using the assigned NTLM user, then sends the response back to the original requester.
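One way to implement the first option (intercepting the request in the ASP.NET pipeline after IIS has had its chance to negotiate NTLM), as an added example that is not from the question or any answer. It assumes an ASP.NET integrated-pipeline site with both Anonymous and Windows authentication enabled in IIS, a single NAT egress address (the `203.0.113.10` value is a documentation-range placeholder), and the hypothetical identity and role name `ExternalGuest`; the class name `SourceAwareAuthModule` is also an assumption.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;

// Added example, not from the question. Assumes IIS has BOTH Anonymous and
// Windows authentication enabled for the site (integrated pipeline), so that
// requests without credentials reach the application as anonymous and a 401
// returned by the application makes IIS emit the Negotiate/NTLM challenge.
public class SourceAwareAuthModule : IHttpModule
{
    // Assumed NAT egress address that the web server sees for external users.
    // 203.0.113.10 is a documentation-range placeholder; configure the real value.
    private static readonly IPAddress ExternalNatAddress = IPAddress.Parse("203.0.113.10");

    // Assumed identity and role given to external requests. Keep the name distinct
    // from any real account so that authorization rules can single it out.
    private const string ExternalUserName = "ExternalGuest";
    private static readonly string[] ExternalRoles = { "ExternalGuest" };

    public void Init(HttpApplication app)
    {
        // Registered after the built-in WindowsAuthenticationModule (web.config order),
        // so by the time this handler runs, NTLM-authenticated internal users already
        // carry a WindowsPrincipal in context.User.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var context = app.Context;

        if (IsExternal(context.Request))
        {
            // External request: never challenge, always run as the fixed guest identity.
            // Any Windows identity that may have been negotiated is deliberately replaced,
            // so the request cannot carry more privilege than the guest role allows.
            context.User = new GenericPrincipal(new GenericIdentity(ExternalUserName), ExternalRoles);
            return;
        }

        // Internal request: require NTLM. If the browser sent no credentials (anonymous
        // is enabled in IIS, so no challenge has happened yet), answer 401; with Windows
        // authentication enabled, IIS appends the WWW-Authenticate headers and the
        // browser completes the NTLM handshake on its next request.
        var user = context.User;
        if (user == null || !user.Identity.IsAuthenticated || !(user.Identity is WindowsIdentity))
        {
            context.Response.StatusCode = 401;
            context.Response.SuppressContent = true;
            app.CompleteRequest();
        }
    }

    private static bool IsExternal(HttpRequest request)
    {
        // Decide only on the TCP peer address (REMOTE_ADDR). Client-supplied headers
        // such as X-Forwarded-For are not consulted because any client can set them;
        // this check therefore assumes no reverse proxy sits between the NAT device
        // and IIS that would rewrite the peer address.
        IPAddress remote;
        return IPAddress.TryParse(request.UserHostAddress, out remote)
            && remote.Equals(ExternalNatAddress);
    }
}
```

Register the module under `<system.webServer><modules>` in web.config so it runs after the built-in authentication modules, and enable both `anonymousAuthentication` and `windowsAuthentication` for the site (unlocking those sections in applicationHost.config if they are locked). The module only decides who the caller is; keep the external guest's reach small by gating controllers with `[Authorize(Roles = "ExternalGuest")]` or `[Authorize(Users = ...)]` for internal users, and log the rare case where an external-source request arrives carrying a Windows identity, since that indicates the NAT assumption no longer holds.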