Custom authentication when mapping network drive - is this possible?

3

I've got a virtual directory set up in my web site in IIS 7.5 that users can map a network drive to. What I'd like to do is set up some sort of custom authentication where the user chooses "connect with different credentials" when they map the drive, and then I can use those credentials to log them into my website before letting them view the contents of the virtual directory. Is this possible?

I can't seem to find a way to (programmatically) get the credentials used when mapping the drive. Right now I've got an HttpModule and HttpHandler executing on each request to the virtual directory, but I'm not seeing a way to detect credentials. Has anyone ever done anything like this?

If this isn't possible, can someone explain what the purpose is then for choosing to connect with different credentials? Where are those credentials used, is it used by a certain form of Authentication in IIS? Surely there has to be some sort of setup for using the different credentials?

UPDATE:

Using Digest Authentication, I can now see the Authorization header showing up in Fiddler, but I'm not yet sure if it is possible to parse the password out somehow. I've also seen some articles online that suggest Digest Authentication is fundamentally flawed, but according to Authentication in ASP.NET: .NET Security Guidance, I shouldn't use Basic Authentication if my users are stored in a custom database.

So let me lay out a simpler scenario that will hopefully be easier to answer:

I'm trying to implement custom authentication used when mapping a network drive to a virtual directory in my site. I'm using IIS 7.5. I need to parse out the username and password to handle the custom log-in, either in an HttpModule or a Global.asax event. Has anyone ever done anything like this or have any advice/suggestions?

I've found this example which seems like it could work - but it's meant for a browser. I've got it implemented now on my test site but the problem is when mapping the drive, the 401 challenge is returned (which is supposed to prompt for a log-in) but Windows instead displays an error that says:

Windows cannot access Http://myServer/mySite/myFolder

Check the spelling of the name. Otherwise, there might be a problem with your network.

Error code: 0x80070043 The network name cannot be found

I'm wondering if I can format/build a Basic/Digest Authentication-style challenge response so that Windows will prompt for a log-in rather than displaying the network can't be found? Does anyone know if this is possible?

UPDATE 2:

I saw, using Fiddler, that Windows Authentication includes a Negotiate header. So I tried including that header in my challenge response in addition to the WWW-Authenticate: Basic header. This seems to have fixed my problem with the "network name cannot be found" error described above, but unfortunately now there is no Authorization header included in the subsequent request (after I provide my credentials) so I can't pull out the username and password.

I'm running out of ideas here, and while there seems to be a lot of documentation on Authentication, there doesn't seem to be much on WebDAV Authentication (or how to use it), or custom authentication when mapping drives.

Does anyone have any insight or ideas?

SOLUTION:

It's not looking like I'll be able to do what I want exactly. I'm going to do further testing with @AdamV's suggestion with Windows Authentication as it looks like it might be my only option.

.net
authentication
iis-7.5
webdav
mapped-drive
asked on Stack Overflow Oct 29, 2012 by lhan • edited Nov 8, 2012 by lhan
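
An added example, not part of the original question or the asker's code: it shows what the `Authorization` header mentioned in the first update contains under Basic versus Digest. Basic carries a recoverable password, while Digest carries only a hash that the server checks against a stored `HA1 = MD5(user:realm:password)`. The input is the sample exchange from RFC 2617; the function names are illustrative, and Python is used only to show the wire format.

```python
import base64
import hashlib
import hmac
import re

def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_authorization(header: str) -> dict:
    """Split an Authorization header value into its scheme and fields."""
    scheme, _, rest = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is base64("user:password"), so the password can be read back.
        user, _, password = base64.b64decode(rest).decode("utf-8").partition(":")
        return {"scheme": "basic", "username": user, "password": password}
    if scheme == "digest":
        # Digest is a list of key=value pairs; none of them is the password.
        pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
        fields = {key.lower(): quoted or bare for key, quoted, bare in pairs}
        fields["scheme"] = "digest"
        return fields
    raise ValueError("unsupported scheme: " + scheme)

def verify_digest(fields: dict, method: str, ha1: str) -> bool:
    """Recompute the Digest response from the stored HA1 and compare."""
    ha2 = _md5(f"{method}:{fields['uri']}")
    if fields.get("qop") == "auth":
        expected = _md5(f"{ha1}:{fields['nonce']}:{fields['nc']}:"
                        f"{fields['cnonce']}:auth:{ha2}")
    else:
        expected = _md5(f"{ha1}:{fields['nonce']}:{ha2}")
    return hmac.compare_digest(expected, fields.get("response", ""))

# Sample headers taken from the RFC 2617 examples (not captured from IIS).
SAMPLE_BASIC = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
SAMPLE_DIGEST = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
STORED_HA1 = _md5("Mufasa:testrealm@host.com:Circle Of Life")

if __name__ == "__main__":
    print(parse_authorization(SAMPLE_BASIC))
    digest = parse_authorization(SAMPLE_DIGEST)
    print(sorted(digest), verify_digest(digest, "GET", STORED_HA1))
```

With Digest, a custom user store therefore has to hold either the password or the per-realm `HA1` value in a form the server can use to recompute the response.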

1 Answer

3

I am assuming you are trying to use Active Directory in conjunction with IIS to map network drives. If this assumption is correct, I have an idea for you.

You have your first website at http://www.mysite.com/ and you can log in to it. Then, as a subfolder and new Web Application in IIS you set up http://www.mysite.com/networkdrive/ which receives the network path they want to use via http://www.mysite.com/ in a post parameter or cookie.

The kicker is, this new application will simply use Windows Auth and the root site can use whatever authentication you like. This way, the user logs into your site, then selects or types in the network drive path, this is sent to the sub app, and automatically asks for Windows credentials, and the first action it does is map the drive using the Windows Auth token. You will need to turn off Identity Impersonation as well as set up the rights to execute code via their credentials to achieve this.

When they want to switch drives, log them out of the /networkdrive/ app and send them back to the drive selection page/form.

For info on Windows Authentication: http://msdn.microsoft.com/en-us/library/907hb5w9(v=vs.100).aspx

Updated: In response to the WebDAV comment, here is some documentation I found on configuring WebDAV but it still uses Windows Authentication. http://www.iis.net/learn/install/installing-publishing-technologies/installing-and-configuring-webdav-on-iis

answered on Stack Overflow Nov 7, 2012 by AdamV • edited Nov 7, 2012 by AdamV

User contributions licensed under CC BY-SA 3.0