Better approach for SSO to cater for Windows integrated auth as well as users not on the domain
This may be a duplicate (not sure), but since I am unable to quench my thirst for the right answer (0: so here it goes:
I have to provide single sign-on for my ASP.NET web application, where:
Case 1. The user is allowed to log in without credentials if the user is already on the domain (logged on to the Windows domain).
Case 2. The user is allowed to log in if the user is not on the domain, by asking for and validating the user's login credentials against Active Directory.
Question 1a. I would be interested in comments about the steps that I "am following" and "should follow" to achieve the requirement. How can I improve this? By improve I mean: is this the right way/approach to provide the functionality required above?
Question 1b. Also, currently I have hard-coded roles in my database; I am planning to move them into Active Directory user roles so that I could use the .IsInRole method. What do you think about that?
Right now, I have implemented it in the following way.
For case 1, the application uses Windows authentication, basically like the following:

```csharp
// Case 1: under Windows authentication the request identity is a WindowsIdentity;
// IsAuthenticated is true when the browser completed integrated auth for a domain user.
return ((WindowsIdentity)(HttpContext.Current.User.Identity)).IsAuthenticated;
```

The application proceeds if it's an authenticated user.
For case 2, the application provides a page that asks for the domain name, user id, and password, and checks if the user exists in Active Directory; the following is a snip.
```csharp
using System.DirectoryServices;

// 'entry' is the DirectoryEntry for the domain typed on the login page
DirectorySearcher search = new DirectorySearcher(entry);
// username is inserted into the LDAP filter as typed; filter metacharacters in it should be escaped first
search.Filter = "(SAMAccountName=" + username + ")";
search.PropertiesToLoad.Add("cn");
SearchResult result = search.FindOne();
```
The application proceeds if it finds a record for the user.
Please note that this includes the changes recommended for the web.config file, like the following snip:
```xml
<authentication mode="Forms">
  <forms loginUrl="~/UI/Pages/Login.aspx" defaultUrl="Default.aspx" name="adAuthCookie" timeout="60" path="/" />
</authentication>
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
<identity impersonate="true"/>
```
It seems like adding roles (admin, supervisor, guest) as Active Directory roles is much better, but then when I deploy my application, how would I go about adding those hard-coded roles to Active Directory? Well.. just thinking out loud.
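As an added example (not code from the question or from the linked article), here is how the case 2 credential check and the question 1b role check could look in C# using System.DirectoryServices.AccountManagement (.NET 3.5 or later). The password is verified by binding to the domain as that user rather than by merely finding the account, the user name is escaped before it goes into the LDAP filter, and roles are read from AD security groups through WindowsPrincipal.IsInRole. The domain and group names are placeholders, and EscapeLdapFilter is a helper written here, not a framework API.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Text;

// Added example, not from the question: case 2 done as a credential bind plus an
// injection-safe account lookup, and roles resolved from AD groups (question 1b).
public static class AdLogin
{
    // Helper assumed here (not a .NET API): escape the characters that have meaning in an
    // LDAP search filter (RFC 4515) so a typed user name cannot change the shape of the query.
    public static string EscapeLdapFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Case 2: returns the user's CN when the domain accepts the password, otherwise null.
    // An empty password is rejected up front because an LDAP bind with no password can
    // succeed as an anonymous bind, which would make "account exists" look like "password ok".
    public static string ValidateDomainUser(string domain, string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return null;

        // ValidateCredentials performs the bind; a wrong password returns false instead of throwing.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            if (!ctx.ValidateCredentials(username, password, ContextOptions.Negotiate))
                return null;
        }

        // The lookup runs under the user's own credentials, so no service account is needed.
        using (var entry = new DirectoryEntry("LDAP://" + domain, domain + "\\" + username, password))
        using (var search = new DirectorySearcher(entry))
        {
            search.Filter = "(sAMAccountName=" + EscapeLdapFilter(username) + ")";
            search.PropertiesToLoad.Add("cn");
            SearchResult result = search.FindOne();
            if (result == null || result.Properties["cn"].Count == 0)
                return null;
            return (string)result.Properties["cn"][0];
        }
    }

    // Question 1b: with roles kept as AD security groups, the WindowsPrincipal answers
    // IsInRole for "DOMAIN\GroupName" directly, so no role table is needed in the database.
    public static bool IsInAdGroup(WindowsIdentity identity, string domain, string groupName)
    {
        var principal = new WindowsPrincipal(identity);
        return principal.IsInRole(domain + "\\" + groupName);
    }
}
```

On the deployment question: the groups ("admin", "supervisor", "guest") are ordinary security groups that the domain administrators create once, and the application only needs a small mapping from its role names to the group names, for example in appSettings, so the same build runs against any domain that defines those groups. Access to the group membership of the forms-authenticated user in case 2 is not automatic; the WindowsPrincipal route above only works when a WindowsIdentity exists, so for case 2 the group list has to be read from the directory (for example via UserPrincipal.GetAuthorizationGroups in the same namespace) and placed in the user's roles.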
I had to research this a few months back, and found an excellent article on how to mix Forms and Windows Security in ASP.NET. I never got the chance to implement it, so I am unsure as to actual results. If you use any of this, please let me know how it works out for you.
Mixing Forms and Windows Security in ASP.NET