I should know this by now, but I forget, as I usually handle authentication via forms auth. So we have a single sign-on type app where, in IIS, I have enabled Windows Auth only, of course, and disabled Anonymous. I also have a SQL table called User that allows us to have a user administration screen to select Active Directory users, and it adds that user to our SQL Server user table with Username etc. So essentially I could take the User.Identity.Name and check that table, because I want to set up custom roles for users and I also don't want to allow all users on the network to use the application.
My question is: if Windows Auth is set in IIS, that allows us to hit the site without having a login page, but I don't want to allow everyone to hit the site without validating first against my user table.
Is it common that, once they hit the site, you take the User.Identity.Name, then validate against a SQL Server table of users, then set a Forms Authentication cookie at that point? This way, for any URL they hit within the site (it is an MVC-based application, so any route that hits the IIS box), forms authentication would kick them out? Confused on how to allow the user to access any URL based on Windows Auth. I don't think forms auth would work anyway, because you can't enable Anonymous on the IIS as well or the identity does not work.
Hope this makes some sense.