Friday, May 7, 2010

Forms authentication integrated with IIS7

If you have worked on ASP.NET applications, you have almost certainly used forms authentication. IIS7 brings a new feature that integrates forms authentication with IIS itself. On IIS 6 the authentication options were Anonymous, Basic, Digest and Windows. On IIS7 you will also find Forms authentication once the ASP.NET components are installed. Let us look at how to make use of this for our application.

Forms Authentication and Membership providers:

In brief, forms authentication and membership providers have been integrated since .NET 2.0. When you set up your application to use a membership provider, it takes care of all membership-related functionality, including validating members.

I will set up a sample app that uses forms authentication with the IIS7 integrated pipeline and see how we can take advantage of this feature.

Let's create a Web Project.

Create 3 pages: About.aspx, Login.aspx, Default.aspx
Set up the application to use the SQL Membership provider. A detailed explanation of how to set up the SQL membership provider is available on

On our login page, let's add a login control:

<asp:LoginView ID="LoginView" runat="server">
    <AnonymousTemplate>
        <asp:Login ID="Login" runat="server" DestinationPageUrl="About.aspx"
            OnLoggedIn="Login_LoggedIn" />
    </AnonymousTemplate>
    <LoggedInTemplate>
        <asp:LoginName ID="LoginName" runat="server" />
        <asp:LoginStatus ID="Logout" runat="server" />
        <asp:ChangePassword ID="ChangePwd" runat="server" />
    </LoggedInTemplate>
</asp:LoginView>

When you log in using Login.aspx, the Login control internally invokes the SQL membership provider's ValidateUser method and sets the authentication cookie. All of this is done by ASP.NET; you don't have to do anything in your code. If you need custom logic in the login process, inherit the Membership provider class and build your own custom Membership provider. For now let us just use the SQL DB provider.

OK. We are all set on the application side to use forms authentication. With IIS 6 we had to enable Anonymous access so that any user could hit the page and ASP.NET would validate the cookie and authenticate the user. With IIS7 this part is moved into IIS itself. Here is how we do it.

Go to IIS Manager

Select Authentication

Here keep Forms authentication enabled and disable the rest of the authentication methods. Now if you try to browse any of your pages, you will get an error like the one shown below.

So even though you have configured Login.aspx as your login page, IIS doesn't let you reach Login.aspx, because IIS cannot find an authentication token on any request and anonymous access is restricted.

Let us allow anonymous access to Login.aspx. Go to Content View, select Login.aspx, right-click, select Switch to Features View and enable Anonymous Authentication.

Now browse the site: you will be redirected to Login.aspx if you have not logged in. Once logged in, the site lets you browse the other pages.

Another thing to remember to get this working is that the application pool for the web site must be set to Integrated mode.

There are a couple of disadvantages when we deploy the application to multiple servers behind a load balancer. The authentication ticket that is created and used by IIS to determine whether the user is authenticated is encrypted using the machine key. So if the request is sent to a different server, the token will not be valid there. The only way to get this working across servers is to keep the machineKey the same on all of them.
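As an added example that is not part of the original post, here is a web.config that expresses the same setup on the ASP.NET side: forms authentication with Login.aspx as the login page, anonymous users denied everywhere except Login.aspx, the SQL membership provider, and an explicit machineKey so tickets issued by one server validate on the others. The connection string name, database name and the machineKey values are placeholders to replace.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original post. Placeholders: MembershipDb,
     the aspnetdb catalog name, and both machineKey values. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder: point this at the membership database created with aspnet_regsql -->
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=aspnetdb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Forms authentication: unauthenticated requests are redirected to Login.aspx.
         requireSSL keeps the ticket cookie off plain HTTP; set it to false only
         while testing a site that has no HTTPS binding. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" name=".ASPXAUTH" timeout="30"
             protection="All" requireSSL="true" />
    </authentication>
    <!-- Deny anonymous users ("?") for the whole application by default -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- The Login control calls ValidateUser on this provider -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb" applicationName="/" />
      </providers>
    </membership>
    <!-- Identical keys on every server in the farm, so a ticket encrypted by one
         node decrypts and validates on another. Placeholder values: generate
         real random keys and keep them out of source control. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                decryption="AES" />
  </system.web>
  <!-- Login.aspx is the one page anonymous users may reach -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The IIS Manager steps above toggle IIS-level anonymous authentication; the authorization rules here are enforced by ASP.NET, so they also apply in a Classic mode application pool.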
