I have an ASP.NET MVC 1.0 application that uses Forms Authentication. We are using Windows Server 2008. I need to lock down the site so that only certain users (in AD Groups) can access the site. Unfortunately, though, when I set the site to not allow anon users and use windows authentication, due to the integration of the site and IIS, it shows the user as signed in as their domain account, instead of allowing them to sign in through Forms Auth.
So, I need a mixed mode authentication. I need the site to be only accessible through windows auth, without anon users, but once you are in, it needs to use forms auth only. How would I go about doing this the right way?
You should disable Windows integrated authentication, and use the Provider functionality of IIS and the "AD Role Provider". An example is provided here:
https://stackoverflow.com/questions/726837/user-group-and-role-management-in-net-with-active-directory/728808#728808
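As an added illustration of this answer's approach (not the answer's own code or the linked post's), here is a web.config fragment that keeps the site on forms authentication, validates the login against Active Directory with the built-in `ActiveDirectoryMembershipProvider`, and uses an AD-backed role provider for authorization. The LDAP path, the service account, the group name `EXAMPLE\WebAppUsers` and the role provider type `MyApp.Security.AdRoleProvider` are all placeholders; ASP.NET ships no AD role provider for forms authentication, so that type stands in for a custom one like the one in the linked answer.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original answer. Placeholders: dc.example.local,
     DC=example,DC=local, EXAMPLE\svc_webapp, EXAMPLE\WebAppUsers and the custom
     role provider type MyApp.Security.AdRoleProvider. -->
<configuration>
  <connectionStrings>
    <!-- LDAP path used by both providers (placeholder host and naming context) -->
    <add name="AdConnection"
         connectionString="LDAP://dc.example.local/DC=example,DC=local" />
  </connectionStrings>

  <system.web>
    <!-- Forms auth only: Windows authentication stays disabled in IIS Manager,
         otherwise the Windows identity replaces the forms identity. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="30" protection="All" requireSSL="true" />
    </authentication>

    <!-- Built-in provider: the LogOn form's credentials are checked against AD. -->
    <membership defaultProvider="AdMembership">
      <providers>
        <clear />
        <add name="AdMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="AdConnection"
             attributeMapUsername="sAMAccountName"
             connectionUsername="EXAMPLE\svc_webapp"
             connectionPassword="PLACEHOLDER-see-usage-note" />
      </providers>
    </membership>

    <!-- Custom provider (placeholder type) that maps AD group membership to roles.
         Roles are cached in a protected cookie so each request does not hit AD. -->
    <roleManager enabled="true" defaultProvider="AdRoles"
                 cacheRolesInCookie="true" cookieProtection="All">
      <providers>
        <clear />
        <add name="AdRoles"
             type="MyApp.Security.AdRoleProvider, MyApp"
             connectionStringName="AdConnection" />
      </providers>
    </roleManager>

    <!-- Rules are evaluated top to bottom: anonymous users are sent to the login
         page, members of the group get in, everyone else is refused. -->
    <authorization>
      <deny users="?" />
      <allow roles="EXAMPLE\WebAppUsers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Two practical notes: the service account used for `connectionUsername` only needs read access to the directory, and its password should not sit in clear text in web.config; encrypting the section with `aspnet_regiis -pe "system.web/membership" -app "/YourApp"` on the server keeps it out of source control and backups. Also check that the role provider caches group lookups (or enable `cacheRolesInCookie` as above), because an `[Authorize(Roles=...)]` check on every request would otherwise turn into an LDAP query per request.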
I've not tested this, but I will tonight and get back to you tonight. You could set up your MVC app to be forms authentication as you are currently. But under IIS7, click on the Site (under Sites folder) and select Authentication, set Anonymous Authentication to Disabled, and Windows Authentication to Enabled. Then, right click on your website and select Edit Permissions. Then click the Security tab, and add the AD group(s) you want to have access to the site.
EDIT: Also, please check this out as it looks helpful for what you're doing: http://learn.iis.net/page.aspx/142/understanding-iis-70-url-authorization/
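The linked article describes IIS 7's own URL authorization, which runs inside IIS against the Windows identity established by Windows Authentication, before ASP.NET's forms authentication is involved. As an added example (not from this answer or the linked article), this web.config fragment removes the default "allow everyone" rule inherited from applicationHost.config and admits only members of one AD group; `EXAMPLE\WebAppUsers` is a placeholder group name.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original answer or the linked article.
     EXAMPLE\WebAppUsers is a placeholder AD group name. -->
<configuration>
  <system.webServer>
    <security>
      <!-- IIS-level URL authorization: checked against the Windows account that
           Windows Authentication established, so it is the "front door" check. -->
      <authorization>
        <!-- applicationHost.config ships <add accessType="Allow" users="*" />;
             remove it here or every authenticated account is let in. -->
        <remove users="*" roles="" verbs="" />
        <!-- Only members of the group match an Allow rule; a request that
             matches no Allow rule is refused with 401. -->
        <add accessType="Allow" roles="EXAMPLE\WebAppUsers" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

The Anonymous and Windows Authentication toggles themselves cannot be set from this file by default, because those sections are locked in applicationHost.config; set them in IIS Manager as the answer describes, or on the server with `appcmd set config "Default Web Site" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:"False"` and the matching `windowsAuthentication /enabled:"True"`. After enabling the rule, verify it with a domain account that is not in the group: the expected result is a 401 before any page of the application renders, and that failed request appears in the IIS log, which is the place to look when the rule is suspected of being too broad.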