HTTP Module to allow HTTP Basic Authentication against non-Windows accounts in IIS
Problem Description
IIS supports most of the HTTP authentication techniques like Basic and Digest. The problem is that all built-in HTTP authentication modules are hardwired to Windows accounts. This means that you need a Windows user on your server for every account you want to HTTP-auth enable.
Having the ability to do plain Basic Authentication agains account stored e.g. in a database would be very handy for a range of situations like web applications, (WCF) web services, REST services, Silverlight service backends etc.
This is exactly what this module does.
The module comes in two flavours: for IIS 6 and 7. They are almost identical, but configuration and semantics wrt anonymous authentication are slightly different and I didn't spend the time to create a version that will work optimally in both environments. The IIS 6 version can be downloaded from the release section - but all the new work and improvements will go into the IIS 7 version.
Features
The module implements the HTTP Basic Authentication protocol and does authentication against a Membership provider. You can use the built-providers or simply write your own (you only need to implement the ValidateUser method).
Furthermore the module includes some plumbing to enable WCF services to use basic authentication against non-Windows accounts in IIS.
The configuration integrates nicely with IIS 7 in the system.webServer/security/authentication section (as well as the graphical IIS 7 manager).
<customBasicAuthentication enabled="true"
realm="leastprivilege"
providerName="default"
cachingEnabled="true"
cachingDuration="15"
requireSSL="true" />
I wrote a series of blog posts about the inner workings and features - you can find all the information here:
Intro
HTTP Basic Authentication
The HTTP Module
Setting up IIS 6
Adding WCF Support
IIS 7 Support