ASP and NTFS (IIS Server Security, January 2005)
| Eddie B 2005-01-24, 2:47 am |
| Hello, I posted this in the .NET group, but no one seemed to have an
answer. I wrote a web app that prompts for the user name and
password, then redirects the user to the correct page depending on the
group they belong to.
The problem arises when the user is redirected to the new asp page.
The security on these pages is set in NTFS. The group the user
belongs to has Read and Read & Execute rights.
Example:
User1 belongs to Group1
User1 opens Default.aspx, and enters his name and password in the
boxes on the form, then clicks Submit
User1 is redirected to Group1.asp, Group1 is the only one that is in
the permissions list viewing this file's security settings.
User1 is then prompted by Internet Explorer for their user name and
password. If they enter it correctly, they are redirected with no
problem
I don't want Internet Explorer to prompt for their password, I want to
be able to redirect with the user name and password they already
entered in the .aspx form
I have tried:
FormsAuthentication.Authenticate - doesn't authenticate, but I am
getting the username and password from AD, not from web.config
System.Management.ManagementScope - won't connect
WindowsImpersonationContext - Impersonation doesn't seem to work using
response.redirect, not sure if I am sending the token right
URLbyNetworkCridentials (System.Net.NetworkCredential) - using basic
as authtype, won't redirect using response.redirect
I have to use AD and the .aspx logon screen, so setting the users in
web.config isn't really an option.
If anyone can help, I sure would appreciate it.
| |
| Ken Schaefer 2005-01-24, 2:47 am |
| Hi,
If you are using an HTTP based authentication mechanism (eg NTLM, Basic,
Digest etc), then the browser needs to send the appropriate credentials in
the HTTP request headers. The only way I know of to force that to happen is
for the webserver to send back a 401 HTTP status as well as WWW-Authenticate
headers. AFAIK, you can't just somehow "authenticate" the user on the
server, and then expect the browser to send the appropriate headers with
each subsequent request.
http://support.microsoft.com/?id=264921
INFO: How IIS Authenticates Browser Clients
may be worth reading.
If the browsers are Internet Explorer, and the user places the site into
their local "Intranet" security zone, and the authentication type is NTLM or
Kerberos, then you get the browser to "autologon" using the user's current
Windows credentials:
http://support.microsoft.com/?id=258063
Internet Explorer May Prompt You for a Password
on how to set this up.
Cheers
Ken
<Eddie B> wrote in message
news:thp8v0d6ptlfnel07d4ck0afd72n32i96g@4ax.com...
> Hello, I posted this in the .NET group, but no one seemed to have an
> answer. I wrote a web app that prompts for the user name and
> password, then redirects the user to the correct page depending on the
> group they belong to.
>
> The problem arises when the user is redirected to the new asp page.
> The security on these pages is set in NTFS. The group the user
> belongs to has Read and Read & Execute rights.
>
> Example:
> User1 belongs to Group1
> User1 opens Default.aspx, and enters his name and password in the
> boxes on the form, then clicks Submit
> User1 is redirected to Group1.asp, Group1 is the only one that is in
> the permissions list viewing this file's security settings.
> User1 is then prompted by Internet Explorer for their user name and
> password. If they enter it correctly, they are redirected with no
> problem
>
> I don't want Internet Explorer to prompt for their password, I want to
> be able to redirect with the user name and password they already
> entered in the .aspx form
>
> I have tried:
> FormsAuthentication.Authenticate - doesn't authenticate, but I am
> getting the username and password from AD, not from web.config
>
> System.Management.ManagementScope - won't connect
>
> WindowsImpersonationContext - Impersonation doesn't seem to work using
> response.redirect, not sure if I am sending the token right
>
> URLbyNetworkCridentials (System.Net.NetworkCredential) - using basic
> as authtype, won't redirect using response.redirect
>
> I have to use AD and the .aspx logon screen, so setting the users in
> web.config isn't really an option.
>
> If anyone can help, I sure would appreciate it.
| |
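The behaviour Ken describes, as an added example that is not part of the original thread: a minimal Python model of a file protected by HTTP Basic authentication, replaying the Default.aspx to Group1.asp redirect. The user table, passwords, realm and cookie value are constructed for illustration.

```python
import base64
import hmac

# Constructed sample data (not from the thread): accounts and per-file group ACL.
USERS = {"User1": ("s3cret-pass", "Group1"), "User2": ("other-pass", "Group2")}
FILE_ACL = {"/Group1.asp": "Group1"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="intranet"'}


def basic_header(user, password):
    """Build the header a browser sends after the user fills in its prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def protected_file(path, headers):
    """Return (status, response_headers) for a file guarded by HTTP auth.

    Only the Authorization request header is consulted. A cookie or any
    server-side state left by an earlier login form is ignored.
    """
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return 401, CHALLENGE  # browser reacts by showing its own prompt
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return 400, {}
    user, _, password = decoded.partition(":")
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
        return 401, CHALLENGE
    if stored[1] != FILE_ACL.get(path):
        return 403, {}  # this model's choice for "authenticated but not in the ACL"
    return 200, {}


def redirect_after_form_login():
    """Replay the thread's scenario: form login first, then GET /Group1.asp."""
    cookie = {"Cookie": "ASP.NET_SessionId=constructed"}  # left by Default.aspx
    first = protected_file("/Group1.asp", cookie)
    retry = protected_file("/Group1.asp", {**cookie, **basic_header("User1", "s3cret-pass")})
    return first[0], retry[0]
```

The first request carries only the cookie from the login form and is answered with the 401 challenge; only the retry that carries an Authorization header gets through.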
| Eddie B 2005-01-24, 2:47 am |
| Damn, that was a fast reply!
I should have stated I am using Forms Authorization, Windows Auth
won't work because the user may not be logged in to their machine with
the same name and password as the server they will be logging in to.
This is for a bank with more than 20 branches, so the user may have a
different user name and password on the remote server than the one
they used to log in to their workstation computer.
Is there any way to send the user's name and password to the server
with the request for the new page so they won't be prompted to
re-enter them?
On Mon, 24 Jan 2005 15:04:06 +1100, "Ken Schaefer"
<kenREMOVE@THISadopenstatic.com> wrote:
>Hi,
>
>If you are using an HTTP based authentication mechanism (eg NTLM, Basic,
>Digest etc), then the browser needs to send the appropriate credentials in
>the HTTP request headers. The only way I know of to force that to happen is
>for the webserver to send back a 401 HTTP status as well as WWW-Authenticate
>headers. AFAIK, you can't just somehow "authenticate" the user on the
>server, and then expect the browser to send the appropriate headers with
>each subsequent request.
>
>http://support.microsoft.com/?id=264921
>INFO: How IIS Authenticates Browser Clients
>
>may be worth reading.
>
>If the browsers are Internet Explorer, and the user places the site into
>their local "Intranet" security zone, and the authentication type is NTLM or
>Kerberos, then you get the browser to "autologon" using the user's current
>Windows credentials:
>
>http://support.microsoft.com/?id=258063
>Internet Explorer May Prompt You for a Password
>
>on how to set this up.
>
>Cheers
>Ken
>
>
><Eddie B> wrote in message
> news:thp8v0d6ptlfnel07d4ck0afd72n32i96g@4ax.com...
>
| |
| Ken Schaefer 2005-01-24, 2:47 am |
| Without using an ActiveX control on the client, I don't know of any way. You
can't, using an trusted server, do things to the client like that.
Maybe if the server was in the client's trusted sites zone you could use
some VBScript or similar on the client to force the client to send headers
*BUT* you'd need a safe way of sending the credentials from the server to
the client for the client to then send them back to the server.
Why don't you just use Forms authentication instead of NTFS permissions?
Cheers
Ken
<Eddie B> wrote in message
news:o9t8v0hjc0viqv8uc8641kgh4oftcg8nea@4ax.com...
> Damn, that was a fast reply!
>
> I should have stated I am using Forms Authorization, Windows Auth
> won't work because the user may not be logged in to their machine with
> the same name and password as the server they will be logging in to.
>
> This is for a bank with more than 20 branches, so the user may have a
> different user name and password on the remote server than the one
> they used to log in to their workstation computer.
>
> Is there any way to send the user's name and password to the server
> with the request for the new page so they won't be prompted to
> re-enter them?
>
>
> On Mon, 24 Jan 2005 15:04:06 +1100, "Ken Schaefer"
> <kenREMOVE@THISadopenstatic.com> wrote:
>
>
| |
| Leythos 2005-01-24, 7:47 am |
| In article <thp8v0d6ptlfnel07d4ck0afd72n32i96g@4ax.com>, Eddie B <>
says...
> Hello, I posted this in the .NET group, but no one seemed to have an
> answer. I wrote a web app that prompts for the user name and
> password, then redirects the user to the correct page depending on the
> group they belong to.
>
> The problem arises when the user is redirected to the new asp page.
> The security on these pages is set in NTFS. The group the user
> belongs to has Read and Read & Execute rights.
Do not use NTFS with your application - set up the users to log on to the
site using a database/user/password lookup and then restrict them based
on that set of permissions you define.
I hate having users with OS accounts on web servers, it opens too many
holes.
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
| |
| Eddie B 2005-01-24, 8:48 pm |
| Well, it's a project for a friend, and that is what HE wants. I
will, however, suggest it to him
On Mon, 24 Jan 2005 15:37:02 +1100, "Ken Schaefer"
<kenREMOVE@THISadopenstatic.com> wrote:
>Without using an ActiveX control on the client, I don't know of any way. You
>can't, using an trusted server, do things to the client like that.
>
>Maybe if the server was in the client's trusted sites zone you could use
>some VBScript or similar on the client to force the client to send headers
>*BUT* you'd need a safe way of sending the credentials from the server to
>the client for the client to then send them back to the server.
>
>Why don't you just use Forms authentication instead of NTFS permissions?
>
>Cheers
>Ken
>
>
><Eddie B> wrote in message
> news:o9t8v0hjc0viqv8uc8641kgh4oftcg8nea@4ax.com...
>
| |
| Jeff Cochran 2005-01-24, 8:48 pm |
| On Sun, 23 Jan 2005 22:44:20 -0500, Eddie B <> wrote:
>Hello, I posted this in the .NET group, but no one seemed to have an
>answer. I wrote a web app that prompts for the user name and
>password, then redirects the user to the correct page depending on the
>group they belong to.
>
>The problem arises when the user is redirected to the new asp page.
>The security on these pages is set in NTFS. The group the user
>belongs to has Read and Read & Execute rights.
>
>Example:
>User1 belongs to Group1
>User1 opens Default.aspx, and enters his name and password in the
>boxes on the form, then clicks Submit
>User1 is redirected to Group1.asp, Group1 is the only one that is in
>the permissions list viewing this file's security settings.
>User1 is then prompted by Internet Explorer for their user name and
>password. If they enter it correctly, they are redirected with no
>problem
>
>I don't want Internet Explorer to prompt for their password, I want to
>be able to redirect with the user name and password they already
>entered in the .aspx form
Try adding the domain to the Intranet Group of Internet Explorer's
security tab. That way IE will pass credentials.
You could always use session variables to handle this as well.
Jeff
>I have tried:
>FormsAuthentication.Authenticate - doesn't authenticate, but I am
>getting the username and password from AD, not from web.config
>
>System.Management.ManagementScope - won't connect
>
>WindowsImpersonationContext - Impersonation doesn't seem to work using
>response.redirect, not sure if I am sending the token right
>
>URLbyNetworkCridentials (System.Net.NetworkCredential) - using basic
>as authtype, won't redirect using response.redirect
>
>I have to use AD and the .aspx logon screen, so setting the users in
>web.config isn't really an option.
>
>If anyone can help, I sure would appreciate it.
| |
| Eddie B 2005-01-24, 8:48 pm |
| >You could always use session variables to handle this as well.
How do I do this? Will it work with the NTFS permissions? That is
kind of what I am trying to do, I think,
On Tue, 25 Jan 2005 00:48:08 GMT, jeff.nospam@zina.com (Jeff Cochran)
wrote:
>You could always use session variables to handle this as well.
| |
| Jeff Cochran 2005-01-25, 8:47 pm |
| On Mon, 24 Jan 2005 21:11:26 -0500, Eddie B <> wrote:
>You could always use session variables to handle this as well.
>
>How do I do this? Will it work with the NTFS permissions? That is
>kind of what I am trying to do, I think,
Session variables wouldn't be meant to deal with NTFS permissions,
just checking if a user is logged in or not and if so allow access.
Jeff
| |
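The application-level check that Ken, Leythos and Jeff point towards, as an added example that is not part of the original thread: a language-neutral Python model of a signed login ticket with per-page group rules, used in place of NTFS ACLs. It is not ASP.NET's FormsAuthentication API; the key, page map and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: a random per-deployment key in practice
PAGE_GROUPS = {"/Group1.asp": {"Group1"}, "/Group2.asp": {"Group2"}}  # constructed map


def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_ticket(user, group, ttl=1200, now=None):
    """Call after the login form has validated the password (e.g. against AD)."""
    if "|" in user or "|" in group:
        raise ValueError("field separator not allowed in user or group")
    expires = int((time.time() if now is None else now) + ttl)
    body = f"{user}|{group}|{expires}"
    return f"{body}|{_mac(body)}"


def verify_ticket(ticket, now=None):
    """Return (user, group) for a genuine, unexpired ticket, else None."""
    body, _, mac = ticket.rpartition("|")
    if not hmac.compare_digest(_mac(body).encode(), mac.encode()):
        return None  # forged or modified cookie
    user, group, expires = body.split("|")
    if int(expires) < (time.time() if now is None else now):
        return None  # stale session
    return user, group


def authorize(ticket, path, now=None):
    """Status the application returns for a request carrying `ticket` as its cookie."""
    identity = verify_ticket(ticket, now) if ticket else None
    if identity is None:
        return 302  # no valid login: send the user back to the login form
    if identity[1] not in PAGE_GROUPS.get(path, set()):
        return 403  # logged in, but the page belongs to another group
    return 200
```

Because the browser returns the cookie on every request, the user is never shown a second password prompt, and the group carried in the ticket cannot be edited without the key.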
| Eddie B 2005-01-26, 2:48 am |
Bummer, thanks anyway!
On Wed, 26 Jan 2005 02:09:50 GMT, jeff.nospam@zina.com (Jeff Cochran)
wrote:
>On Mon, 24 Jan 2005 21:11:26 -0500, Eddie B <> wrote:
>
>
>Session variables wouldn't be meant to deal with NTFS permissions,
>just checking if a user is logged in or not and if so allow access.
>
>Jeff
|