Vulnerability in EPiServer.Forms
The customer has an extranet solution with Multiplexing providers. The customer wants the domain users (AD users) to be automatically logged in. I have dug into it quite deeply, but I can't find any solutions (I have found some solutions that mix Forms and Windows auth, but they are not useful on EPiServer, because we must use Multiplexing). I can't find much about this issue in the forum, but there are a couple of topics. These topics say it can't be done.
Is it really so? Isn't there any solution for this?
We are using EPiServer 5.
Could it be possible to run two instances with slightly different configuration, and make sure AD users from the intranet are routed to one instance set up for Windows auth directly against the AD provider? This would require an additional license, of course.
It was actually one of the thoughts that went past, but I realized it would need an additional license.
I will propose this to the customer.
Thanks for the reply.
Just to be clear I have never tried a setup like that, it's just a shot in the dark :)
Maybe "Mixing Forms and Windows Security in ASP.NET" http://msdn.microsoft.com/en-us/library/ms972958.aspx could be helpful?
I have tried a similar description, but I had some problems with ReturnURL. In this solution they use Global.asax to set the ReturnURL. Thank you for the information. It should work.
All that remains is a problem with the ISA Server, but that is not EPiServer related. It prompts the user for username and password when Integrated Windows Authentication is used and anonymous users are disabled.