Hi all,

I am currently stuck finding a concept to satisfy the following requirement: a "portal" site is to be created, hosted on Microsoft IIS, Laravel 5.x. The plan is having an "unprotected" bunch of sites, including the default site, anyone can see them, bookmark them and return to them as often as he wishes, without any authentication.

Digging deeper into the document hierarchy however, there are some pages with more confidential contents, and users need to authenticate before beeing granted access.

Easy, you'll say, configure IIS for anonymous access, and let the laravel auth facade do the job.

Now employees don't want to authenticate if they are already authenticated by Active Directory, and admins don't want to maintain a separate users/password database for Laravel. Easy as well, you'll say, let IIS do the work, configure Windows authentication and use the $_SERVER['AUTH_USER'] variable. Jep, but for this to work I have to switch IIS from anonymous access to authenticated access, and access to the public pages gets lost, IIS will block access long before Laravel gets a chance to do anything.

Possible way out: IIS 7.0 does also allow access control on a per-route (URL) basis, which looks promising, but Microsofts docs do - as far as I know - only cover use of this feature when one uses their Active Server Pages interface. I found no documentaions on wether something like this can also be done in PHP, and final question, does this approach make sense at all?

Thx for your thoughts

Armin.