Imagine this (quite common) scenario: You have some web content/resources (e.g. static files, aspx pages, asmx or WCF services) in IIS that you want to protect using HTTP Basic Authentication. The problem is, that when you enable Basic Authentication in IIS – all authentication is done against Windows accounts. That means that IIS grabs the username/password pair from the HTTP header and tries to create a Windows token using these credentials. This is a problem when you don’t have Windows accounts for your clients, but rather want to store the accounts in e.g. a database (which is much more common IMHO).
Unfortunately IIS (including IIS 7) does not support this out of the box. And to make things worse, WCF with the new support for usernames over transport can’t help here either.
A while ago I wrote all the necessary code to enable this scenario for IIS 6/7 and since I get a lot of questions about this, I will post the bits here step-by-step.
In the next days I will post the following series of blog entries:
- How does Basic Authentication work
- The Basic Authentication HTTP module
- Using the module in IIS 6
- Adding WCF support
- Adding IIS7 support (configuration and UI module)