IIS7: Allow users to identify themselves with either "Windows Authentication" or "Basic Authentication" on the same file

Question

Is it possible to have both windows authentication and basic authentication enabled on one .asmx page in IIS7?

What I want is:

• Someone calls webservice
• If possible, use windows authentication (e.g. when calling from another Microsoft based application)
• If the client doesn't know how to handle windows authentication: allow him to use basic authentication (for example when the client is a program that we can't really modify).
• If that still doesn't work, send a 401

It looks like - as soon as I enable windows authentication - all basic authentication attempts are ignored / answered with an 401, even though the login credentials worked before I enabled windows authentication.

Answer 1

In IIS (website props):

• Uncheck "Anonymous access"
• check "Integrated Windows authentication" and "Basic authentication"

Make sure that in web.config you have:

<identity impersonate="true"/>
<authentication mode="Windows" /> 

The default is set to:

<authentication mode="None" />

If "Someone calls webservice" is not on the same machine,
then you will need to configure computer for trusted delegation in AD in order windows authentication to work.

On client's IE
menu Tools--> Internet Options --> Advanced --> under Security check "Integrated Windows Authentication"

Answer 2

This may be overly simplistic, but it seems that you'd have 2 options:

• Windows & basic users log in via different pages

or

• Windows users log in with domain\username & basic users log in with servername\username

It's likely the bargain-basement solution, hopefully someone has something better to offer. ;)