
0 Votes
PiyushMeshram-7317 asked BruceZhang-MSFT commented

Does IIS support multiple authentication methods for a single website?

Website configured for MTLS authentication with Self Signed Certificates; is it possible to enable IPSecurity authentication, Allowing a particular IPAddress access to the website even if MTLS fails or the user does not have a client certificate?


In general, MTLS authentication fails when a user does not have a valid client certificate. But a user wants to access the website even if that user fails to provide a valid client certificate for authentication.

So questions:

  1. Is there another way to allow a user to access the IIS hosted website if MTLS fails?

  2. There are many types of authentication supported in IIS (Digest, Basic, IISClientCertMapping etc.); can a website developed in ASP.NET and hosted in IIS use these auth types in combination?

  3. Are any code changes required, or can this be done with IIS configuration only? (Note there are some paths in the ASP.NET application decorated with "Anonymous" access.)

  4. Is it possible to use IISClientCertMapping with IPSecurity? (please mention what other options/IIS configurations are needed to be tweaked as well)





windows-server-iis
· 2

You can always disable IIS default authentication methods and develop your own IIS module to take over.

0 Votes 0 ·

If a user has a valid Client Cert or user's IP Address is allowed access to the resource (either one of the two)
then only allow the user to access the website
else return unauthorized or access denied.

What should be the approach in such a case?

0 Votes 0 ·

1 Answer

0 Votes
BruceZhang-MSFT answered BruceZhang-MSFT commented

Hi @PiyushMeshram-7317 ,

When the browser makes a request, it always considers the first request to be Anonymous. Therefore, it does not send any credentials. If the server does not accept Anonymous OR if the Anonymous user account set on the server does not have permissions to the file being requested, the IIS server responds with an Access Denied error message and sends a list of the authentication types that are supported by using one of the following scenarios:

  • If Windows NT Challenge/Response is the only supported method (or if Anonymous fails), then the browser must support this method to communicate with the server. Otherwise, it cannot negotiate with the server and the user receives an Access Denied error message.

  • If Basic is the only supported method (or if Anonymous fails), then a dialog box appears in the browser to get the credentials, and then passes these credentials to the server. It attempts to send these credentials up to three times. If these all fail, the browser is not connected to the server.

  • If both Basic and Windows NT Challenge/Response are supported, the browser determines which method is used. If the browser supports Windows NT Challenge/Response, it uses this method and does not fall back to Basic. If Windows NT Challenge/Response is not supported, the browser uses Basic.



If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,
Bruce Zhang




· 4



If a user has a valid Client Cert or user's IP Address is allowed access to the resource (either one of the two)
then only allow the user to access the website
else return unauthorized or access denied.

What should be the approach in such a case?

0 Votes 0 ·

Hi @PiyushMeshram-7317 ,

I cannot understand what you want. If a user has a valid Client Cert, he can access the site, else he will be denied. That's right and no problem. In this case, nothing needs to be done. So what do you mean by "approach" in such a case?

0 Votes 0 ·

To simply put,

I have two users both using different browsers (their own client application); one wants to connect after providing a valid client certificate and the other wants to connect without a client cert (in such a case we can identify the 2nd user by the user's IP address).


Can a single site hosted in IIS grant access to both of these users? (Meaning, can both users access this URL: https://www.example.com?)


After reading your first answer I can say that:

If we have enabled 4 Different Types of authentication for a single website then

  1. User 1 - Browser 1 can Connect using Basic Auth

  2. User 2 - Browser 2 can connect using Windows NT Challenge/Response

  3. User 3 - Browser 3 can connect using Digest Authentication Module

  4. User 4 - Browser 4 can connect using IISClientCertificateMapping


Meaning, if any one of the auth methods succeeds then the site is accessible?

Please correct me if I misunderstood.


If I am correct, then can I create a custom authentication IIS module to allow a user based on his IP address?





0 Votes 0 ·
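As an added illustration of the "custom IIS module" route mentioned in this thread (this is example code written for this page, not code from the thread, from Microsoft or from the asker's application), the managed `IHttpModule` below implements the OR rule the asker describes: a request is allowed if the client presented a certificate that IIS validated, or if the connecting IP address is on an allowlist; otherwise it is rejected with 403. It assumes the site's SSL settings are set to negotiate (accept) client certificates rather than require them, since a required certificate would end the TLS handshake before any module runs; the module name, the allowlist entries (documentation-range addresses) and the anonymous path prefix are constructed placeholders.

```csharp
// Added example: "valid client certificate OR allowlisted IP" gate as an ASP.NET IHttpModule.
// Assumptions (not from the thread):
//   - The site uses sslFlags="Ssl,SslNegotiateCert" (negotiate, not require), so clients
//     without a certificate still complete the TLS handshake and reach this module.
//   - Registered in web.config under <system.webServer><modules> as
//     <add name="CertOrIpAuth" type="CertOrIpAuthModule" />  (hypothetical name).
//   - Allowlist entries and the anonymous path prefix below are constructed placeholders.
using System;
using System.Collections.Generic;
using System.Net;
using System.Web;

public class CertOrIpAuthModule : IHttpModule
{
    // Constructed sample allowlist (RFC 5737 / RFC 3849 documentation ranges).
    // In a real deployment load this from configuration, not from source.
    private static readonly HashSet<IPAddress> AllowedAddresses = new HashSet<IPAddress>
    {
        IPAddress.Parse("203.0.113.10"),
        IPAddress.Parse("2001:db8::1")
    };

    // Paths the application already exposes anonymously are left untouched (hypothetical prefix).
    private const string AnonymousPathPrefix = "/public/";

    public void Init(HttpApplication app)
    {
        // AuthenticateRequest runs after IIS has already performed the TLS client-cert
        // negotiation, so the certificate (if any) is available on the request.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        if (ctx.Request.Path.StartsWith(AnonymousPathPrefix, StringComparison.OrdinalIgnoreCase))
            return;

        if (HasValidClientCertificate(ctx.Request) || IsAllowlistedAddress(ctx.Request.UserHostAddress))
            return; // either factor is sufficient; let the pipeline continue

        // No credential the client could retry with, so 403 rather than a 401 challenge.
        ctx.Response.StatusCode = 403;
        ctx.Response.StatusDescription = "Forbidden";
        ctx.Response.SuppressContent = true;
        app.CompleteRequest();
    }

    // IsPresent: the client sent a certificate; IsValid: IIS validated it against its
    // configured trust (self-signed certs must be trusted on the server for this to hold).
    public static bool HasValidClientCertificate(HttpRequest request)
    {
        HttpClientCertificate cert = request.ClientCertificate;
        return cert != null && cert.IsPresent && cert.IsValid;
    }

    // UserHostAddress is the TCP peer address. Behind a reverse proxy it is the proxy's
    // address; do not substitute X-Forwarded-For here, as that header is client-controlled.
    public static bool IsAllowlistedAddress(string remoteAddress)
    {
        IPAddress parsed;
        if (!IPAddress.TryParse(remoteAddress, out parsed))
            return false;
        if (parsed.IsIPv4MappedToIPv6)
            parsed = parsed.MapToIPv4(); // normalise ::ffff:a.b.c.d to a.b.c.d
        return AllowedAddresses.Contains(parsed);
    }
}
```

Two design points worth noting: the built-in IIS features the thread mentions (client certificate requirement and IP address restrictions) each act as an independent gate, so enabling both yields AND semantics; the OR semantics the asker wants is exactly what has to live in a module like this one. And because the IP branch authenticates by network address alone, it is only as strong as the path between that address and the server; it is a weaker factor than the certificate branch and should be scoped to the smallest address set that works.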