I've posted this on Server Fault, but as there is sort of a programming aspect to it, I'll post it here too.
I have an ASP.NET MVC 1.0 application that uses Forms Authentication. We are using Windows Server 2008. I need to lock down the site so that only certain users (in AD Groups) can access the site. Unfortunately, though, when I set the site to not allow anon users and use Windows authentication, due to the integration of the site and IIS, it shows the user as signed in as their domain account, instead of allowing them to sign in through Forms Auth.
So, I need a mixed mode authentication. I need the site to be only accessible through Windows auth, without anon users, but once you are in, it needs to use Forms Auth only. How would I go about doing this the right way?
EDIT:
Here's a clarification. The site must work like this.
- You go to the URL and a Windows auth login pops up. You sign in with a domain account that has access. If you don't have access, it shows you the 401 error.
- If you have access, you hit the site. However, the site doesn't use your Windows auth username. It uses Forms Auth. So, you have to sign in to the site using the Forms Auth.
The problem is, when I set it up to do step 1, it uses your Windows username in step 2. I don't want it to do that.