CommunityServer pass-through authentication

The following information can be useful if you want to build pass-through authentication from your .NET website to a separately installed CommunityServer site.

For Macaw's .NET XPortal system, I've recently built pass-through authentication to CommunityServer forums. This means that after a user is authenticated in XPortal, a special link 'Forums' will appear. If the user clicks this link, it will redirect the user to their CommunityServer site (installed on a separate server) without the need for the user to log in again.

I've tried to integrate XPortal and CommunityServer into a single web application, but that just didn't work. The main problem here was that both XPortal and CommunityServer depend heavily on HttpModules for virtual URL parsing (resulting in a Context.RewritePath), which can't live together. Also, XPortal authentication is based on a custom kind of Forms authentication, which gave some problems.

So I did need a solution to pass the authenticated user on the XPortal site through, to become an authenticated user on the CommunityServer site. Fortunately for me, XPortal and CommunityServer could connect to a shared SQL Server database, giving me the connection to implement a pass-through. Also, CommunityServer uses plain FormsAuthentication to authenticate the user, so I could build a custom Portal_Passthrough.aspx page in the root of the CommunityServer website that handles the authentication automatically.

This is what happens in the pass-through authentication process (see figure below):

  1. User clicks on the 'Forums' link on the portal, which calls the 'CS_Passthrough.aspx' page located on my portal.
  2. The 'CS_Passthrough.aspx' page generates a token (Guid) and stores it (together with the current user's LogonName and UserHostAddress) into the shared database. Note that for security reasons the token has an expiration time of 1 minute and UserHostAddresses must match on both sides.
  3. The 'CS_Passthrough.aspx' page redirects to the 'Portal_Passthrough.aspx' page located on the CommunityServer site, sending the token as a querystring parameter.
  4. The 'Portal_Passthrough.aspx' page reads the token, and looks up the LogonName in the shared database (using Token and UserHostAddress).
  5. If the LogonName is unknown in CommunityServer, an account is created automatically for that user.
  6. FormsAuthentication.SetAuthCookie is called with the LogonName, so CommunityServer will now recognize the user.
  7. The 'Portal_Passthrough.aspx' page now redirects to the 'Forums' homepage of the CommunityServer site, showing the authenticated user!
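
The token checks from steps 2 and 4, as an added example that is not the XPortal or CommunityServer code: an in-memory dictionary stands in for the shared database table, and the class name, method names and sample values are hypothetical. It assumes .NET 6 or later and adds two things the steps above do not state: the token comes from a cryptographic random generator instead of a Guid, and a token is deleted on its first lookup so it cannot be replayed within the one-minute window.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// In-memory stand-in for the shared token table (hypothetical names throughout).
public sealed class PassThroughTokenStore
{
    private sealed record Entry(string LogonName, string HostAddress, DateTime ExpiresUtc);

    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(1); // step 2: 1 minute
    private readonly ConcurrentDictionary<string, Entry> _rows = new();

    // Portal side (step 2): create a token and store it with the user's details.
    public string Issue(string logonName, string hostAddress, DateTime nowUtc)
    {
        // Assumption: 128 bits from a CSPRNG instead of the Guid the page uses.
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        _rows[token] = new Entry(logonName, hostAddress, nowUtc + Lifetime);
        return token;
    }

    // CommunityServer side (step 4): returns the LogonName, or null if rejected.
    public string? Redeem(string token, string hostAddress, DateTime nowUtc)
    {
        // Assumption: single use. The row is removed on the first lookup,
        // so a failed or repeated attempt cannot reuse the same token.
        if (!_rows.TryRemove(token, out var row)) return null;       // unknown or replayed
        if (nowUtc > row.ExpiresUtc) return null;                    // older than 1 minute
        if (!string.Equals(row.HostAddress, hostAddress, StringComparison.Ordinal))
            return null;                                             // UserHostAddress mismatch
        return row.LogonName;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new PassThroughTokenStore();
        DateTime t0 = DateTime.UtcNow;
        const string user = "jdoe", host = "203.0.113.7";            // constructed sample values

        string a = store.Issue(user, host, t0);
        Console.WriteLine(store.Redeem(a, host, t0.AddSeconds(5)) ?? "rejected");           // jdoe
        Console.WriteLine(store.Redeem(a, host, t0.AddSeconds(6)) ?? "rejected");           // rejected (replay)
        string b = store.Issue(user, host, t0);
        Console.WriteLine(store.Redeem(b, "198.51.100.9", t0.AddSeconds(5)) ?? "rejected"); // rejected (host)
        string c = store.Issue(user, host, t0);
        Console.WriteLine(store.Redeem(c, host, t0.AddSeconds(61)) ?? "rejected");          // rejected (expired)
    }
}
```

Only a non-null result from `Redeem` should lead to steps 5 and 6; every rejection path returns the same null so the caller cannot tell which check failed.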
