IIS Server Security - Creating Basic Authentication in IIS 6.0

dsquared@newsgroups.nospam

2005-12-27, 6:06 pm

Yes, Creating.

I have a working site, which requires Basic Authentication against the Active
Directory of a Win 2003 Server/Domain. There are several "sub-webs", all also
requiring the same authentication. Everything there is working just fine.

Code is all VB using VS 2003.

The problem is that I have a need to allow "public users" (not contained in
the active directory) limited access to these sites. Limited I can handle
with internal coding, testing user name. I can establish a user in the AD,
such as "PubAcc", with a password, and permissions.....

What I want to do is create another "web", (parallel to the main web in the
tree) which will allow anonymous access, and then internal to the VB "page
load" code, force an authentication request, from code, bypassing the
username/password popup, and supplying a name such as "PubAcc" and a
password. Then following the basic authentication, use a response.redirect to
the regular pages, thus allowing access using the now established basic
authentication.

Can this be done? I cannot seem to find answer in the help files....


--
dsquared
Yuan Ren[MSFT]

2005-12-28, 2:54 am

Hi,

Welcome to MSDN newsgroup!

Based on my understanding of your post, you wonder whether anonymous users
can use the special account (such as "PubAcc") in AD to access resources
in other sites. If I have misunderstood, please let me know.

As far as I know, we can not pass credential information crossing page
under the "Basic Authentication Mode". For example, when I visit a site
which allows anonymous to access, I can not give another site current
credential information which I defined (such as
"User:PubAcc\Password:xxx") unless I input a username and password
explicitly in the pop-up window.

Actually, this scenario is supported by earlier versions of IE. We can
attach credential info to URL like "http:username:password\\..." format.
But now, due to security reasons, this function has been eliminated.

So, for your issue, I suggest you supply the account and password in the
page so that the user can input the credential info in the pop-up window if
he wants to access some granted resources by himself.

I hope the above information helps, if you have any questions or concerns,
please do not hesitate to let me know. I am standing by to help you.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support

dsquared@newsgroups.nospam

2005-12-28, 6:10 pm

Thank you for your reply. In the original project, a user authenticated
(basic) on the first page. He can then navigate throughout the various webs
(all subwebs of the main page, and all requiring basic authentication).

The idea is to create new web entry point (for a public user - who does not
know a user name or password), which will allow limited access to the main
web pages.

If in this web, I require basic authentication, then the credentials are
passed and all is well. The problem is, the user does not know that
information, and the challenge is before the page opens. I want to allow
anonymous users in to the new page, and then, in code, pass a user name and
password to the basic authentication engine, and following authentication, do
a response.redirect to the main page.

On Nov 4th, there was a post here by Kenneth Koh (Desperate - Bypass Basic
Authentication), and answered by David Wang(MSFT). He referenced doing this
using a modification of CustomAuth (Platform SDK). Unfortunately, I do not
use C++, and was looking for a call within VB to the authentication engine.

I have found the Microsoft article about using "Form Authentication" against
the AD, and that works fine, but will not satisfy the Basic Authentication
requirement for the main web pages.

Is there a way to obtain "Basic Authentication" without using the pop-up
window, such that the user can be re-directed to another page "authenticated"?

--
dsquared


"Yuan Ren[MSFT]" wrote:

> Hi,
>
> Welcome to MSDN newsgroup!
>
> Based on my understanding of your post, you wonder whether anonymous users
> can use the special account (such as "PubAcc") in AD to access resources
> in other sites. If I have misunderstood, please let me know.
>
> As far as I know, we can not pass credential information crossing page
> under the "Basic Authentication Mode". For example, when I visit a site
> which allows anonymous to access, I can not give another site current
> credential information which I defined (such as
> "User:PubAcc\Password:xxx") unless I input a username and password
> explicitly in the pop-up window.
>
> Actually, this scenario is supported by earlier versions of IE. We can
> attach credential info to URL like "http:username:password\\..." format.
> But now, due to security reasons, this function has been eliminated.
>
> So, for your issue, I suggest you supply the account and password in the
> page so that the user can input the credential info in the pop-up window if
> he wants to access some granted resources by himself.
>
> I hope the above information helps, if you have any questions or concerns,
> please do not hesitate to let me know. I am standing by to help you.
>
> Regards,
>
> Yuan Ren [MSFT]
> Microsoft Online Support
>
>

Yuan Ren[MSFT]

2005-12-29, 7:50 am

Hi,

Thanks for your reply!

From your description, I think I need to explain my understanding first as
below:
You have a main site which uses "Basic authentication mode" and there are
some resources and subdirectories in it. You want to allow some anonymous
users access to specific resources in the site. If I have misunderstood
anything, please let me know.

For this scenario, I think there is no need to create another site to
implement. Actually, the "CustomAuth" you mentioned is not the ideal
method. I suggest you create a sub directory that contains the resource
which anonymous users are allowed to access (such as a "public resources"
folder). Then, you can enable both "Allow anonymous" and "Basic
authentication" in configuration of the main site. Create a default page
in the folder and add a hidden iframe element in it. Inside the iframe
element, please add the resource file which the anonymous user is
prohibited to access.

Finally, when an anonymous user accesses the page, he/she can click the
ˇ°cancelˇ± button after the prompt is showed. But the user who has
credential to access, he/she can input username and password so that he/she
can access more pages.

I appreciate your understanding and hope the above information helps, if
you have any issues or concerns please let me know. I will be happy to be
of further assistance.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support

David Wang [Msft]

2005-12-30, 3:00 am

I suggest:
1. creating a new website accessible for the public user. Point it at the
same content as your original project
2. Enable ONLY anonymous authentication for this website
3. Configure the anonymous user of this website to be your special PubAcc
user

Thereafter, from IIS perspective, users that anonymously access this website
are all using PubAcc NT user to do its tasks, so you should do your
anonymous-user lockdown against the PubAcc NT user account.

The only issue that should remain is that your web application should use ""
(empty string) in AUTH_USER as indication of anonymous login. All other
authenticated user login should have non-empty string as AUTH_USER.


FYI:
Creating a Win32 DLL that exports the ISAPI function signatures is the only
way to extend IIS functionality. VB cannot create these signatures so cannot
be used to extend IIS.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

<dsquared@newsgroups.nospam> wrote in message
news:62BEE160-3C46-4178-A92D-F340435EB473@microsoft.com...
> Thank you for your reply. In the original project, a user authenticated
> (basic) on the first page. He can then navigate throughout the various
> webs
> (all subwebs of the main page, and all requiring basic authentication).
>
> The idea is to create new web entry point (for a public user - who does
> not
> know a user name or password), which will allow limited access to the main
> web pages.
>
> If in this web, I require basic authentication, then the credentials are
> passed and all is well. The problem is, the user does not know that
> information, and the challenge is before the page opens. I want to allow
> anonymous users in to the new page, and then, in code, pass a user name
> and
> password to the basic authentication engine, and following authentication,
> do
> a response.redirect to the main page.
>
> On Nov 4th, there was a post here by Kenneth Koh (Desperate - Bypass Basic
> Authentication), and answered by David Wang(MSFT). He referenced doing
> this
> using a modification of CustomAuth (Platform SDK). Unfortunately, I do not
> use C++, and was looking for a call within VB to the authentication engine.
>
> I have found the Microsoft article about using "Form Authentication"
> against
> the AD, and that works fine, but will not satisfy the Basic Authentication
> requirement for the main web pages.
>
> Is there a way to obtain "Basic Authentication" without using the pop-up
> window, such that the user can be re-directed to another page
> "authenticated"?
>
> --
> dsquared
>
>
> "Yuan Ren[MSFT]" wrote:
>
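The three designs discussed above (the original Basic-only main web, Yuan Ren's "anonymous plus Basic" site, and David Wang's separate anonymous-only site whose anonymous account is PubAcc) differ in what identity the request runs as and in what the application sees in AUTH_USER. The following Python model is an added example written for this page; it is not code from the thread, from IIS, or from Microsoft. The account list, the site dictionaries (SITE_MAIN, SITE_MIXED, SITE_PUBLIC), the ACL and the paths are constructed sample data, and `authenticate()` is a deliberate simplification of IIS 6's real ordering (Basic credentials are honoured if sent and enabled, otherwise the request falls back to anonymous, otherwise it is challenged; bad credentials are re-challenged rather than downgraded).

```python
import base64
import binascii

# Constructed sample "directory": account -> password. Plaintext only so the
# simulation runs offline; real IIS hands Basic credentials to Windows/AD.
ACCOUNTS = {
    "PubAcc": "pub-secret",   # the special public account from the thread
    "alice": "alice-secret",  # an ordinary domain user
}

# Constructed site configurations (assumed names). anonymous_account is the
# NT account IIS impersonates when it serves a request anonymously.
SITE_PUBLIC = {"anonymous": True, "basic": False, "anonymous_account": "PubAcc"}  # David Wang's design
SITE_MIXED = {"anonymous": True, "basic": True, "anonymous_account": "PubAcc"}    # Yuan Ren's design
SITE_MAIN = {"anonymous": False, "basic": True, "anonymous_account": None}        # the original main web

# Constructed NTFS-style ACL: resource -> accounts allowed to read it.
ACL = {
    "/default.aspx": {"PubAcc", "alice"},
    "/reports/secret.aspx": {"alice"},
}

CHALLENGE = {"WWW-Authenticate": 'Basic realm="main"'}


def basic_header(user, password):
    """Build the Authorization header value a browser sends after the prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Return (user, password) from a Basic Authorization value, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authenticate(site, headers):
    """Simplified IIS 6 order: honour Basic credentials if sent and enabled,
    else fall back to anonymous if enabled, else challenge (return None).

    Returns the impersonated NT account plus the AUTH_USER/AUTH_TYPE server
    variables. For anonymous access AUTH_USER is "" even though the worker
    runs the request as the configured anonymous account.
    """
    creds = parse_basic(headers.get("Authorization"))
    if site["basic"] and creds is not None:
        user, password = creds
        if ACCOUNTS.get(user) == password:
            return {"nt_account": user, "AUTH_USER": user, "AUTH_TYPE": "Basic"}
        return None  # bad credentials: re-challenge, never silently downgrade
    if site["anonymous"]:
        return {"nt_account": site["anonymous_account"], "AUTH_USER": "", "AUTH_TYPE": ""}
    return None


def page_for(path, ident):
    """Application lockdown keyed on AUTH_USER == "" (David Wang's point),
    never on the NT account name: with anonymous mapped to PubAcc the NT
    account is PubAcc without anyone ever having typed its password."""
    if ident["AUTH_USER"] == "":
        return f"{path}: limited public view"
    return f"{path}: full view for {ident['AUTH_USER']}"


def handle_request(site, path, headers):
    """Return (status, challenge_headers_or_body, identity) for one request."""
    ident = authenticate(site, headers)
    if ident is None:
        return (401, CHALLENGE, None)
    if ident["nt_account"] not in ACL.get(path, set()):
        # The impersonated account lacks NTFS access. With Basic enabled, IIS
        # challenges so a real user can supply credentials; otherwise 403.
        return (401, CHALLENGE, ident) if site["basic"] else (403, {}, ident)
    return (200, page_for(path, ident), ident)


if __name__ == "__main__":
    print(handle_request(SITE_PUBLIC, "/default.aspx", {}))
    print(handle_request(SITE_PUBLIC, "/reports/secret.aspx", {}))
    print(handle_request(SITE_MIXED, "/reports/secret.aspx", {}))
    alice = {"Authorization": basic_header("alice", "alice-secret")}
    print(handle_request(SITE_MAIN, "/reports/secret.aspx", alice))
```

Two properties of the model are worth checking against a real deployment: on the anonymous-only public site any Authorization header a client sends is ignored, so no password is ever validated there and the NTFS permissions on PubAcc are the only lockdown; and on every site an anonymous request carries AUTH_USER of "" while a Basic-authenticated request carries the user name, which is why the application's own access checks should key on that variable rather than on the account name the worker happens to be impersonating.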


dsquared

2005-12-30, 5:55 pm

Thank you for your replies... David, I will study your ideas for awhile.
Looks interesting. I will also study the ISAPI functions. Seems there is
something to learn there.

"David Wang [Msft]" wrote:

> I suggest:
> 1. creating a new website accessible for the public user. Point it at the
> same content as your original project
> 2. Enable ONLY anonymous authentication for this website
> 3. Configure the anonymous user of this website to be your special PubAcc
> user
>
> Thereafter, from IIS perspective, users that anonymously access this website
> are all using PubAcc NT user to do its tasks, so you should do your
> anonymous-user lockdown against the PubAcc NT user account.
>
> The only issue that should remain is that your web application should use ""
> (empty string) in AUTH_USER as indication of anonymous login. All other
> authenticated user login should have non-empty string as AUTH_USER.
>
>
> FYI:
> Creating a Win32 DLL that exports the ISAPI function signatures is the only
> way to extend IIS functionality. VB cannot create these signatures so cannot
> be used to extend IIS.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
> <dsquared@newsgroups.nospam> wrote in message
> news:62BEE160-3C46-4178-A92D-F340435EB473@microsoft.com...
>
>
>


Copyright 2003 - 2008 webservertalk.com