I would like to reply to my own post so you know how far I got. I still need help but I am very close to an acceptable scenario.
• Unreal Skin
• Windows Server 2008 R2
• IIS 7.5
Trying to accomplish:
• Intranet site using Integrated Windows Authentication against domain accounts
• Secure access to the intranet from outside of our network using Windows Auth challenge so no one can even see the first page
• Auto login of users internally
• Auto login to the site by way of external access after successful challenge
• Auto account creation both internally and externally
• App pool set to Classic
• Anonymous Authentication in IIS turned off everywhere.
• Forms and Windows Authentication selected at the site level as well as the \DesktopModules\AuthenticationServices\ActiveDirectory\Windowssignnin.aspx
• Web.config file modified. I had to add the line “
• I left the existing line commented out
• ACL at the site level grants Domain Users read-only
What Works Now:
• Because we are using both Windows and Forms authentication in IIS, I can log out as myself and login as Host directly into the site which is desired because I cannot seem to assign superuser rights to a domain user (me)
• From a workstation logged into the domain with the site entered into the Intranet zone, a user can hit the main URL https://portal.medicushcs.com and have his/her account auto-created and logged in
• Subsequent logins for existing accounts will also auto-log in with no problems.
• From the outside using a non-domain member computer, the user can hit the main page https://portal.medicushcs.com and get presented with a Windows Auth challenge. They can log in as DOMAIN\username and have their account auto-created and auto-logged in.
This is 90% of what I need. I am not sure if this is optimal from a security standpoint but from what I am seeing, it is getting better.
• If the user hits the logout button, or if the site logs them out automatically, they cannot log back in using the Windows login option. To recover, I have to delete cookies and access the site again which will log the user in automatically. *I need to solve this problem*
• Related to the above, when I am in as superuser it eventually times out and defaults me to my personal AD based account but it is limited. I can only see two of the 5 tabs I have created for pages. This is frustrating.
• The requirement to supply a domain name before the username still exists due to Windows Authentication. I have the domain assumed in the site settings but I will need to tell IIS to default to my domain name when people are presented with the challenge.
I will be performing more tests this evening as time permits. In the meanwhile, Mike, if you have any suggestions to clean this up, I am all ears. Thanks in advance for everyone’s help.
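For readers trying to reproduce the IIS side of the setup described above (Anonymous Authentication off, Integrated Windows Authentication on at the site level), here is a constructed web.config fragment. It is an added illustration, not the poster's actual file, and it does not reconstruct the truncated line the post mentions; the `windowsAuthentication` and `anonymousAuthentication` elements are standard IIS 7.x `system.webServer` configuration.

```xml
<!-- Constructed example (not the poster's web.config):
     site-level IIS 7.5 authentication settings matching the post's description. -->
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <!-- Anonymous off everywhere, so unauthenticated clients never see the first page -->
        <anonymousAuthentication enabled="false" />
        <!-- Integrated Windows Authentication on; Negotiate (Kerberos) first, NTLM as fallback -->
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Two practical checks: these two sections are locked at the server level by default, so putting them in a site web.config produces an HTTP 500.19 until the `anonymousAuthentication` and `windowsAuthentication` sections are unlocked in applicationHost.config (Configuration Editor or `appcmd unlock config`); and after changing them, confirm the site's Authentication pane in IIS Manager shows Anonymous as Disabled, because a leftover Anonymous entry at a sub-folder level will silently bypass the challenge for that path.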