Custom Hybrid (Form+ Windows) authentication in asp.net

Out of the box .net gives numerous authetication models which are sufficient enough for most application but not for all application. In one of our application we had to design a combination of "Form" + "Windows" authentication. We tried to workaorund all build in authentication but none of the authetication worked for us. Finally we wrote our custom "HttpModule" to authenticate. Another reason we had to take this route was that our authetication layer was written as COM object and we could not pass the windows credentials to this COM layer directly. So Here is what we did

1. Change the authentication mode to "None" in web.config

2. Wrote a delegate for "OnState" event

3. In the OnState delegate - based on custome config we check if we need Windows authenication or custom authentication. If we need Windows authentication we return the status code "401" to the browser so that browser can show the NT chanllenge/response dialog to the user.

4. Once we get the credentials the trick was how to pass them to COM layer so we came up with this

HttpContext.GetService(typeof (HttpWorkerRequest).GetUserToken()

GetUserToken will give us an pointer to the user authetication token which we can pass to COM layer which in turn can call MFC functions to validate the ownership of current thread.