Okay, I'm not talking about turning off the Anonymous user (IUSR_<<MachineName>>) and giving rights to a specific user on the directory.
I am talking about giving the user two text boxes, one for the password and one for the username, and authenticating them against a known domain (which you could accept as a textbox too), somewhat like in a forms-based environment. Here is a ConsoleApp below, but the code is easily copy-paste-able into ASP.NET.
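
    using System;
    using System.Runtime.InteropServices;
    class Program
    {
        // Win32 API that validates a username/password pair and returns a logon token.
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool LogonUser(
            string lpszUsername, string lpszDomain, string lpszPassword,
            int dwLogonType, int dwLogonProvider, out IntPtr phToken);
        public enum LogonType : int
        {
            LOGON32_LOGON_INTERACTIVE = 2,
            LOGON32_LOGON_NETWORK = 3,
            LOGON32_LOGON_BATCH = 4,
            LOGON32_LOGON_SERVICE = 5,
            LOGON32_LOGON_UNLOCK = 7,
            LOGON32_LOGON_NETWORK_CLEARTEXT = 8,
            LOGON32_LOGON_NEW_CREDENTIALS = 9
        }
        const int LOGON32_PROVIDER_DEFAULT = 0;
        static void Main(string[] args)
        {
            string domain = "YOURDOMAIN"; // placeholder: the known domain to authenticate against
            Console.Write("Enter your username without domain (example smalik):");
            string username = Console.ReadLine();
            Console.Write(
                "\nEnter your password (btw password will be shown as cleartext, so make sure no one is looking):");
            string password = Console.ReadLine();
            IntPtr hToken; // receives the logon token when the credentials are valid
            if (LogonUser(username, domain, password,
                (int)LogonType.LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out hToken))
                Console.WriteLine("Logon succeeded.");
            else
                Console.WriteLine("Logon failed, Win32 error " + Marshal.GetLastWin32Error());
        }
    }
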
You can also use the hToken to switch the current running WindowsIdentity to access a resource using the remote browser user's credentials :-). Can anyone say "Integrated Authentication with SQL Server without using Kerberos" ;-).
For the security-minded among you, I know you are dying to let this out (like gas when on a first date), so let me speak it before you pull your hair out in angst and frustration - I must point out that since this doesn't use Kerberos tickets, it is technically not as secure as Kerberos, and the easy way to get around that is secure HTTP (HTTPS). That way, it's "secure enough" ;-).