Home > Archive > IIS Server Security > December 2007 > IIS6.0 use anonymous and integrated security at the same time
IIS6.0 use anonymous and integrated security at the same time
| Christophe Niel 2007-12-13, 7:29 pm |
Hi all
I set up an IIS 6.0 server a while ago when we were young and innocent and
decided to implement a few simple security baselines for the intranet web
site:
Integrated security on all the web sites
"authenticated user" with read access only on the files
"dev_group user" with write access on the files
and various subdir rights depending on the need.
We were happy, it worked fine, and since it was a brand new IT dev team with
shiny new toys, the devs did a great job and lots of applications were born
using .NET.
It was so well made that all the applications use a web service to identify
each user and give him the correct rights in each application. This WS is
based on the Windows authentication.
Now it works so well we need to have some sites accessed from other country
branches our company is part of.
The problem is we don't share an Active Directory or any NT domain
relationship at all, so I need to activate the anonymous access on the web
site and if I do that, I cannot use the Windows authentication anymore...
So what can I do to
allow anonymous users in my network to access my website
continue using the IIS/NTFS authentication for my domain users OR still get
the security information with the anonymous access activated.
Is it even possible?
(My only option right now is to set up a new server with a copy of
everything but with anonymous access... I don't like it at all.)
| David Wang 2007-12-14, 7:36 am |
On Dec 13, 3:36 pm, "Christophe Niel" <c.n...@freemail.fr> wrote:
> Hi all
>
> I set up an IIS 6.0 server a while ago when we were young and innocent and
> decided to implement a few simple security baselines for the intranet web
> site:
> Integrated security on all the web sites
> "authenticated user" with read access only on the files
> "dev_group user" with write access on the files
> and various subdir rights depending on the need.
>
> We were happy, it worked fine, and since it was a brand new IT dev team with
> shiny new toys, the devs did a great job and lots of applications were born
> using .NET.
>
> It was so well made that all the applications use a web service to identify
> each user and give him the correct rights in each application. This WS is
> based on the Windows authentication.
>
> Now it works so well we need to have some sites accessed from other country
> branches our company is part of.
>
> The problem is we don't share an Active Directory or any NT domain
> relationship at all, so I need to activate the anonymous access on the web
> site and if I do that, I cannot use the Windows authentication anymore...
>
> So what can I do to
> allow anonymous users in my network to access my website
> continue using the IIS/NTFS authentication for my domain users OR still get
> the security information with the anonymous access activated.
>
> Is it even possible?
>
> (My only option right now is to set up a new server with a copy of
> everything but with anonymous access... I don't like it at all.)
Set up a new website (not new server) with Anonymous access enabled,
and publish that for external users to use. Your local users continue
using the existing website with Integrated Authentication.
The problem is not that IIS cannot support multiple authentication
protocols like Anonymous and Integrated at the same time. The problem
is which authentication protocol the browser uses to authenticate. By
default, browsers favor anonymous over authenticated access, so as
soon as you enable anonymous every user will become anonymous,
including your local users. Thus, the problem is how to keep your
local users authenticated and the remote users anonymous. Now, to the
web server they are all "users" -- how do you define "local" vs
"remote" users? By IP? By network interface? By username?
So, you have to figure out a way to distinguish local users from
remote users, and I'm proposing that you use two websites pointed at
the same content on the same server. One website is Integrated only.
The other is anonymous only. And your existing users use the existing
website with Integrated only, and external users use the new one that
is anonymous only.
Clearly, if the internal user uses the new website, they are treated
as anonymous. There's no good way to deal with that unless you can
identify a better way to determine "local" vs "remote" users. This is
especially hard since there is no common identity system, so you
cannot rely on authenticated identity for authorization.
Personally, I think that one company should have one common identity
system. Otherwise, it will remain fragmented technologically, with
folks like yourself creating local, ad-hoc solutions that cannot scale
company-wide.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
| Christophe Niel 2007-12-14, 7:36 am |
"David Wang" <w3.4you@gmail.com> wrote in message
news:c035b346-3dd7-4b30-bc90-88bbf859efec@s8g2000prg.googlegroups.com...
> On Dec 13, 3:36 pm, "Christophe Niel" <c.n...@freemail.fr> wrote:
>
>
> Set up a new website (not new server) with Anonymous access enabled,
> and publish that for external users to use. Your local users continue
> using the existing website with Integrated Authentication.
>
> The problem is not that IIS cannot support multiple authentication
> protocols like Anonymous and Integrated at the same time. The problem
> is which authentication protocol the browser uses to authenticate. By
> default, browsers favor anonymous over authenticated access, so as
> soon as you enable anonymous every user will become anonymous,
> including your local users. Thus, the problem is how to keep your
> local users authenticated and the remote users anonymous. Now, to the
> web server they are all "users" -- how do you define "local" vs
> "remote" users? By IP? By network interface? By username?
>
> So, you have to figure out a way to distinguish local users from
> remote users, and I'm proposing that you use two websites pointed at
> the same content on the same server. One website is Integrated only.
> The other is anonymous only. And your existing users use the existing
> website with Integrated only, and external users use the new one that
> is anonymous only.
>
> Clearly, if the internal user uses the new website, they are treated
> as anonymous. There's no good way to deal with that unless you can
> identify a better way to determine "local" vs "remote" users. This is
> especially hard since there is no common identity system, so you
> cannot rely on authenticated identity for authorization.
>
> Personally, I think that one company should have one common identity
> system. Otherwise, it will remain fragmented technologically, with
> folks like yourself creating local, ad-hoc solutions that cannot scale
> company-wide.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
I agree with you on the common identity, unfortunately that is not a
possibility open to us right now...
I'm gonna try to add an "everyone" NTFS right and a new website with
anonymous activated.
I'll try to have a redirect to the internal address in the anonymous
website based on the IP address, that is the only way I can know for sure if
the users are in my country or not...
thanks for your answer
best regards
Christophe
| David Wang 2007-12-14, 7:22 pm |
On Dec 14, 2:59 am, "Christophe Niel"
<Christophe.N...@nospam.fr.eu.abnamro.com.nospam> wrote:
> "David Wang" <w3.4...@gmail.com> wrote in message
>
> news:c035b346-3dd7-4b30-bc90-88bbf859efec@s8g2000prg.googlegroups.com...
> I agree with you on the common identity, unfortunately that is not a
> possibility open to us right now...
>
> I'm gonna try to add an "everyone" NTFS right and a new website with
> anonymous activated.
> I'll try to have a redirect to the internal address in the anonymous
> website based on the IP address, that is the only way I can know for sure if
> the users are in my country or not...
>
> thanks for your answer
>
> best regards
> Christophe
I'm not certain why you need to add "Everyone" if all other users are
going to be anonymous authenticated. You should just create a specific
user for use as Anonymous user and add NTFS ACL for just that user.
Leave all your existing ACLs the way they are.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
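The two-site layout David recommends above, combined with the dedicated anonymous account from his second reply, as an added example of how it is typed in on an IIS 6.0 / Windows Server 2003 box (this is not code posted in the thread). It assumes the existing intranet site is `W3SVC/1`, that its content lives in `C:\Inetpub\intranet`, that the new site is distinguished by the host header `extranet.example.com`, and that the anonymous identity is a new local account `IUSR_extsite`; the password and the new site's metabase ID are placeholders to fill in.

```batch
@echo off
rem Added example, not from the thread. Builds David Wang's two-site layout on IIS 6.0:
rem   site 1  = existing intranet content, Integrated Windows authentication only
rem   new site = same content, Anonymous only, running as a dedicated local account
rem Assumptions (placeholders): content path, host header, account name and password.
setlocal
set CONTENT=C:\Inetpub\intranet
set ANONUSER=IUSR_extsite
set ANONPASS=CHANGEME_PLACEHOLDER
set ANONHOST=extranet.example.com
set ADMINSCRIPTS=%SystemDrive%\Inetpub\AdminScripts

rem 1. Dedicated anonymous identity. A fresh local account means the existing
rem    "authenticated user" / "dev_group" ACLs do not need to change at all.
net user %ANONUSER% %ANONPASS% /add /passwordchg:no /expires:never
net localgroup Users %ANONUSER% /delete

rem 2. Read-only NTFS ACE for just that account on the shared content tree
rem    (/E edits the existing ACL instead of replacing it, /T recurses).
cacls "%CONTENT%" /T /E /G %ANONUSER%:R

rem 3. Second website pointed at the same content, selected by host header.
rem    iisweb.vbs prints the new site's metabase path; copy it into NEWSITE below.
cscript //nologo %SystemRoot%\System32\iisweb.vbs /create "%CONTENT%" "Extranet (anonymous)" /b 80 /d %ANONHOST%
set NEWSITE=W3SVC/000000000

rem 4. Authentication per site. IIS 6 metabase AuthFlags bits: 1 = Anonymous,
rem    2 = Basic, 4 = Integrated (NTLM/Kerberos). Giving each site exactly one
rem    method is what stops browsers from silently picking anonymous on the
rem    intranet site, which is the behaviour David describes.
cscript //nologo %ADMINSCRIPTS%\adsutil.vbs SET W3SVC/1/Root/AuthFlags 4
cscript //nologo %ADMINSCRIPTS%\adsutil.vbs SET %NEWSITE%/Root/AuthFlags 1
cscript //nologo %ADMINSCRIPTS%\adsutil.vbs SET %NEWSITE%/Root/AnonymousUserName "%COMPUTERNAME%\%ANONUSER%"
cscript //nologo %ADMINSCRIPTS%\adsutil.vbs SET %NEWSITE%/Root/AnonymousUserPass "%ANONPASS%"
cscript //nologo %ADMINSCRIPTS%\adsutil.vbs SET %NEWSITE%/Root/AnonymousPasswordSync 0

rem 5. Check: each site should report exactly one AuthFlags value (4 and 1).
cscript //nologo %ADMINSCRIPTS%\adsutil.vbs GET W3SVC/1/Root/AuthFlags
cscript //nologo %ADMINSCRIPTS%\adsutil.vbs GET %NEWSITE%/Root/AuthFlags
endlocal
```

Two points worth checking after running this. First, IIS actually logs the anonymous account on, so its token carries the Authenticated Users SID; an ACE granting read to "Authenticated Users" already reaches it, which is why an extra "Everyone" entry adds nothing and only widens exposure. Second, the intranet site is only safe from anonymous fallback because its AuthFlags no longer contains bit 1; re-enabling Anonymous there, even temporarily, reintroduces the problem described in the thread.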
| Christophe Niel 2007-12-15, 7:30 am |
"David Wang" <w3.4you@gmail.com> wrote in message
news:56599084-c403-420f-936c-8e504ff909ca@t1g2000pra.googlegroups.com...
> On Dec 14, 2:59 am, "Christophe Niel"
> <Christophe.N...@nospam.fr.eu.abnamro.com.nospam> wrote:
>
>
> I'm not certain why you need to add "Everyone" if all other users are
> going to be anonymous authenticated. You should just create a specific
> user for use as Anonymous user and add NTFS ACL for just that user.
> Leave all your existing ACLs the way they are.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
I'll try that instead, I think I had a problem with this action last time I
tried to add the anonymous user.
thanks again