I originally posted this over on Reddit but got no feedback, so crossposting here.
I'm trying to determine if there's a way I can programmatically authenticate a user's session.
The user will browse to a page (hosted in IIS 7.5, if it matters). The site will be configured with anonymous access and basic authentication both enabled in IIS.
When the user gets to the page, as far as IIS/ASP is concerned, they're anonymous and aren't logged in.
On this page, I want to display a sign-in form where the user enters their e-mail address / AD password, then validate the supplied credentials against Active Directory, and if valid I want to somehow convert their session from anonymous to instead be authenticated as their AD account such that request.serverVariables("auth_user") would return their AD account.
I have the AD validation working, but I can't figure out how I can convert their session from anonymous to authenticated.
At present, I have anonymous access disabled in IIS so when users visit the site they get a windows login dialog. This works fine, but for some reason our employees can't seem to remember their usernames so I want to make a friendlier login page for them.
I'm essentially trying to roll my own forms authentication for functionality similar to what you get out of the box with ASP.net. I know that it's possible to integrate classic ASP code with .NET FBA, but I'm trying to implement my own FBA without using any .NET functionality, mainly just to see if I can because I have a lot of classic ASP code and to me I'd rather have a 100% ASP solution (personal preference).
Any suggestions on how I might approach this?
Googling turns up mostly stuff about how to authenticate users against a table in SQL server, etc. I can't seem to find the right search terms to get info on what I'm trying to accomplish.
EDIT: After validating AD credentials, I've tried doing a response.redirect to https://user:pass@host/script.asp, and that works as far as the page loading, but auth_user is still null. So it appears that even though the browser has the user's credentials, since anonymous access is enabled in IIS, that's taking precedence over basic authentication and is preventing the session from authenticating. After trying this, I disabled anonymous access in IIS and refreshed the page and auth_user was populated as expected. So, it seems like since anonymous access is enabled, IIS isn't challenging the browser for authentication so the browser isn't sending the credentials it has.