Project Description
HTTP Module to allow HTTP Basic Authentication against non-Windows accounts in IIS

Problem Description
IIS supports most of the HTTP authentication techniques like Basic and Digest. The problem is that all built-in HTTP authentication modules are hardwired to Windows accounts. This means that you need a Windows user on your server for every account you want to HTTP-auth enable.
Having the ability to do plain Basic Authentication agains account stored e.g. in a database would be very handy for a range of situations like web applications, (WCF) web services, REST services, Silverlight service backends etc.

This is exactly what this module does.

The module comes in two flavours: for IIS 6 and 7. They are almost identical, but configuration and semantics wrt anonymous authentication are slightly different and I didn't spend the time to create a version that will work optimally in both environments. The IIS 6 version can be downloaded from the release section - but all the new work and improvements will go into the IIS 7 version.

The module implements the HTTP Basic Authentication protocol and does authentication against a Membership provider. You can use the built-providers or simply write your own (you only need to implement the ValidateUser method).
Furthermore the module includes some plumbing to enable WCF services to use basic authentication against non-Windows accounts in IIS.

The configuration integrates nicely with IIS 7 in the system.webServer/security/authentication section (as well as the graphical IIS 7 manager).

<customBasicAuthentication enabled="true"
                           requireSSL="true" />



I wrote a series of blog posts about the inner workings and features - you can find all the information here:

HTTP Basic Authentication
The HTTP Module
Setting up IIS 6
Adding WCF Support
IIS 7 Support

Last edited Apr 19, 2008 at 7:03 AM by DominickBaier, version 14