Authentication using exchange

my client has an exchange server and offers free email accounts to his clients and partners. His clients need access to some web applications through login and password and need to be authenticated .

i thought about creating a custom asp.net membership provider that hits exchange instead of the regular aspnetdb store.

Is开发者_StackOverflow中文版 there a way to authenticate these users against exhange with their exchange provided email/username and password ?

thank you.

If I'm not mistaken Exchange authenticates via and only via Active Directory. So you might as well use some of the built-in LDAP authentication mechanisms.

There are already quite a few viable approaches to this if you do a search for ASP.NET LDAP Authentication

However, IMO, the easiest way would be to simply use ASP.NET windows authentication mode:

<system.web>
  ...
    <authentication mode="Windows"/>
  ...
</system.web>

And join the machine where your website will be deployed to the same domain as Exchange. There will be more implementation details of course. But I think this is most painless one.

You can access domain information for the current user like this:

var user = (WindowsPrincipal)HttpContext.Current.User; // assume Windows auth.

NOTE: that however, there are various security risks that should be properly assessed before implementing.

I suspect you're being authenticated in a client controlled AD domain. This article should help

Typically I would use the ActiveDirectoryMembershipProvider in combination with Form-based authentication. This will use the same Active Directory store that Exchange is using. There's a detailed article at MSDN on the various implementation possibilites. You could also use Windows-based authentication as @chakrit suggests, but be aware that once you've authenticated the browser will remain authenticated until it is closed -- there is no logout. One nice feature of Windows authentication is that, if the site is in your intranet or trusted sites zones, you never get prompted to enter your credentials. On the other hand, you don't want to let anyone borrow your workstation while you're logged in then either. I'd only use it for things that need to be secured, but aren't necessarily sensitive -- such as an intranet site.