IIS Server Security - secure site - multiple users w/ 1 user account?


Author secure site - multiple users w/ 1 user account?
b_russ@yahoo.com

2005-06-04, 5:50 pm


Background: I have an https secure site on IIS. It uses digest
authentication and a unique username/PW is assigned for each user.

New Project: I'm going to create a new page with less secure content
such as procedures, instruction, etc. I'll create a new folder and
security group for separate access to this page. The new page will have
about 100 new users. I want to utilize the secure site for this new
page but I DON'T want to create 100 new accounts - I'd like to instead
create a single user account so that all 100 new users of this page can
use the same account Username/PW

QUESTION: From a functionality and performance viewpoint (not from a
security standpoint) Is it possible (and is it good practice) to have
multiple users logon to the site using the same account simultaneously?

Thanks,
Bryan

David Wang [Msft]

2005-06-05, 5:51 pm

Sure, this is exactly what happens when you choose "Anonymous
Authentication" in IIS.

When you enable anonymous authentication, IIS simply logs in a user-defined
anonymous user (IUSR_machinename by default), and all users use that account
to access resources.

Now, IIS does not have any authentication protocols that work as
"authenticate remote username against some password, then log on as another
identity to access resources".
- Anonymous does not authenticate remote users and logs on as a user-defined
identity
- Basic, Integrated, Digest, etc. all authenticate remote users against
either the local SAM or Active Directory and log on as that user
- Cert Mapping uses the identity stored in the client certificate and maps it to
some NT user


I'm not certain whether you want:
1. those other 100 users to have access to the rest of the secure site as
either themselves or as the single user account
2. the less secured page is only accessible to the 100 users as well as
anyone that digest authenticates

In other words, do you want those 100 new users to be treated like a single
NT user for access to the secured site, and do you care who accesses the
less secured page?

If you do not care who accesses the less secured page, then I suggest
enabling Anonymous Authentication on just the page itself and set its
anonymous username/password as the "single user account". This way, anyone
can access this less secured page, and the 100 new users still do not have
access to the secured site.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//


b_russ@yahoo.com

2005-06-05, 8:47 pm



Hi David, Actually I'm not sure if it is digest authentication. It
uses an SSL certification. The server is outside the company firewall.
People from other companies can access it. Up to this point, a new user
account / PW is created for each user (it does Not use the company AD
list)

I'd like for the 100 new users to access ONLY the less secure content
in the New folder.

Regarding anonymous access: If I added the existing security groups
(users) to the New folder, would the current users then be able to
access the new Page with their existing credentials (if we enabled
anonymous access) - or do they need to use the anonymous UN/PW for the
New page?

I need to write instructions for the network admin who will actually do
the changes, does this sound correct:

1) In IIS, go to "New Folder" -> directory security -> edit ->
2) Enable Anonymous Access
3) Create the Username/PW as: (can I make the username anything?)
4) (Should I have 'allow IIS to control PW' checked?)
5) Add existing security groups 'Group A, B' to New Folder
6) Assign read & execute to user groups

Bryan

David Wang [Msft]

2005-06-10, 5:56 pm

Yes, what I described should work.

Enable authentication everywhere (so the secured content requires
authentication).

Enable anonymous authentication on the less secure content itself (either on
a per-file or per-vdir basis, depending on what suits your needs). This
allows ANYONE to access this content, unauthenticated. Thus, the "100 new
users" will just access it by default, as will your existing users --
everyone can access this content as your defined anonymous user account in
IIS (default is IUSR_MachineName).

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
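
The identity selection described in the replies above, as an added sketch that is not part of the thread and is not IIS code: a simplified model in which anonymous access is tried first and the challenge/logon path is used only when anonymous is unavailable. The account name `IUSR_WEB01`, the user `alice`, the paths and the ACL sets are constructed for illustration.

```python
from dataclasses import dataclass, field

ANON = "IUSR_WEB01"                    # hypothetical anonymous account name
ACCOUNTS = {"alice": "pw-alice"}       # constructed existing per-user account

@dataclass
class Folder:
    anonymous: bool                    # anonymous authentication enabled
    challenge: bool                    # Basic/Digest/Integrated enabled
    acl_read: set = field(default_factory=set)  # accounts with NTFS read

# Constructed layout: authentication everywhere, anonymous only on /procedures/.
SITE = {
    "/secure/": Folder(False, True, {"alice"}),
    "/procedures/": Folder(True, True, {ANON, "alice"}),
}

def resolve(site, path, typed=None):
    """Return (status, identity). `typed` is the (user, password) the visitor
    would enter if the server challenges; the first request carries none."""
    f = site[path]
    # Anonymous is tried first: the configured anonymous account is logged on.
    if f.anonymous and ANON in f.acl_read:
        return 200, ANON
    # Otherwise the visitor is challenged and the typed account is logged on.
    if f.challenge and typed is not None:
        user, password = typed
        if ACCOUNTS.get(user) == password and user in f.acl_read:
            return 200, user
    return 401, None

def open_to_anyone(site):
    """Paths an unauthenticated visitor can read; this should list only the
    folder that was meant to be public."""
    return sorted(p for p in site if resolve(site, p)[0] == 200)
```

In this model an existing user reaches `/procedures/` as the anonymous account without being prompted, and adding Group A or B to the folder's ACL only matters if the anonymous account itself cannot read the folder.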


Copyright 2003 - 2008 webservertalk.com