IIS Server Security - IIS integrated window authentication allows anybody


Author IIS integrated window authentication allows anybody
Miles

2005-09-02, 5:57 pm

I want to restrict access to a subdirectory of an otherwise public website.
Disallowing anonymous access and checking the Integrated Windows
Authentication box appears to work from the client side (IE asks for username
and password) until you realize that ANY username and password will work. This
is like painting a padlock on a door.
Running IIS 5.1 on XPpro
Dave

2005-09-02, 5:57 pm

do you maybe have 'everyone' in the access list for that folder?

"Miles" <Miles@discussions.microsoft.com> wrote in message
news:7FCCAC43-1B31-48B1-8DAB-76F1414AE3C7@microsoft.com...
>I want to restrict access to a subdirectory of an otherwise public website.
> Disallowing anonymous access and checking the Integrated Windows
> Authentication box appears to work from the client side (IE asks for
> username
> and password) until you realize that ANY username and password will work.
> This
> is like painting a padlock on a door.
> Running IIS 5.1 on XPpro



Miles

2005-09-02, 5:57 pm

Yes, I deleted 'Everyone' and gave permission to a user. Now er 403 access
denied when I use that username and password.

"Dave" wrote:

> do you maybe have 'everyone' in the access list for that folder?
>
> "Miles" <Miles@discussions.microsoft.com> wrote in message
> news:7FCCAC43-1B31-48B1-8DAB-76F1414AE3C7@microsoft.com...
>
>
>

David Wang [Msft]

2005-09-03, 2:49 am

I presume that your web-accessible resources are located on NTFS filesystem
to enforce ACLs; requiring authentication for resources located on FAT32 is
no security.

Disabling Anonymous and enabling Integrated authentication should work to
force the remote party to authenticate as some user identity. Now, if you
are using Integrated authentication it should not show a login prompt unless
a 401 response is repeatedly returned for the authentication attempt. Ways
to get into this state include:
- you have configured the browser to not auto-login for the given "Internet
Zone" that the website is a part of
- the authenticated user identity does not have ACLs to access the resource, so
401.3 is returned and the browser pops up the login prompt

If after successful authentication, you still see that anyone can access the
resources, then it means that the ACLs on the resource are misconfigured to
not restrict sufficiently.

403 is not an access denied but forbidden for some reason. Please report the
entire error response to determine the specific 403 error you are seeing.

I suggest browsing my blog for several entries related to:
- diagnosing 401.x errors
- failure to auto-logon
- general authentication concepts
- etc

Making Windows Authentication work is pretty easy by default, so something
is screwed up on your machine and we'll have to figure out what it is.

By default, Anonymous and Integrated Authentication are enabled, so
everything should be accessible to the anonymous user, and as soon as you
turn off Anonymous authentication and set some user ACLs on resources,
everything should just work.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Miles" <Miles@discussions.microsoft.com> wrote in message
news:49A530B6-3DE2-4DFE-BC06-DD7BC97CEDEE@microsoft.com...
Yes, I deleted 'Everyone' and gave permission to a user. Now er 403 access
denied when I use that username and password.

"Dave" wrote:

> do you maybe have 'everyone' in the access list for that folder?
>
> "Miles" <Miles@discussions.microsoft.com> wrote in message
> news:7FCCAC43-1B31-48B1-8DAB-76F1414AE3C7@microsoft.com...

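The three things David Wang's reply asks the poster to verify (NTFS rather than FAT32, no broad "Everyone"-style grant in the folder ACL, and Anonymous actually switched off while Integrated stays on) can be audited in one place. This is an added PowerShell check, not code from the thread or from Microsoft; the folder path `C:\Inetpub\wwwroot\secure` and the metabase path `IIS://localhost/W3SVC/1/ROOT/secure` (site id 1 is the Default Web Site) are assumptions to adjust for your server.

```powershell
# Added example (not from the thread): audit the NTFS ACL and IIS authentication
# flags for a protected subdirectory. Folder and metabase paths are assumptions.
param(
    [string]$Folder       = 'C:\Inetpub\wwwroot\secure',
    [string]$MetabasePath = 'IIS://localhost/W3SVC/1/ROOT/secure'
)

# 1. ACLs are only enforced on NTFS; "require authentication" on FAT32 restricts nothing.
$drive = Split-Path -Qualifier $Folder
$fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FileSystem
if ($fs -ne 'NTFS') {
    Write-Warning "$drive is $fs, not NTFS: file ACLs cannot restrict access here"
}

# 2. A broad Allow entry is what makes "any username and password" succeed:
#    every authenticated identity is a member of one of these groups.
$broad = @('Everyone', 'BUILTIN\Users',
           'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON')
$acl = Get-Acl -Path $Folder
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $broad -contains $ace.IdentityReference.Value) {
        Write-Warning ("Broad Allow ACE on {0}: {1} -> {2}" -f
            $Folder, $ace.IdentityReference.Value, $ace.FileSystemRights)
    }
}
if (-not $acl.AreAccessRulesProtected) {
    Write-Output 'ACL inherits from the parent folder; inherited entries are listed above too.'
}

# 3. IIS 5.x/6.0 metabase AuthFlags via the IIS ADSI provider:
#    1 = Anonymous, 2 = Basic, 4 = Integrated (NTLM/Kerberos), 16 = Digest.
$vdir  = [ADSI]$MetabasePath
$flags = [int]$vdir.Properties['AuthFlags'].Value
if ($flags -band 1) {
    Write-Warning 'Anonymous authentication is still enabled: requests run as the IUSR account'
}
if (-not ($flags -band 4)) {
    Write-Warning 'Integrated Windows Authentication is not enabled on this directory'
}
Write-Output ("AuthFlags = {0} (anonymous={1}, integrated={2})" -f
    $flags, [bool]($flags -band 1), [bool]($flags -band 4))
```

Run it on the server after removing the 'Everyone' grant: a clean result (NTFS, no broad ACE, AuthFlags 4) with a remaining 401.3 points at the specific user's ACL, while a 403 needs the full IIS error sub-status as the reply above says.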

