Integrated Windows Authentication - Does not work on Virtual websites
04-21-04 03:36 PM
Hi,
Please, kindly let me know that there has been no answer
for my posting for a long time. I have another site
created in the webserver [Win2k and IIS 5.0]. A folder
within this site needs to be password protected and it
should use Windows Authentication. I have disabled Basic
Authentication and have only enabled Integrated Windows
Authentication. But, it does not authenticate and it goes
in straight to the website. Is this a security flaw in IIS
4.0 and IIS 5.0?
Please, is there anyone with IIS expertise? Let me know
what could be wrong.

Re: Integrated Windows Authentication - Does not work on Virtual websites
04-21-04 03:36 PM
a) Is anonymous authentication enabled? If so, disable it.
b) Are you using Internet Explorer? If so, it may be automatically logging
you in, if the site is in the local Intranet security zone. see:
http://support.microsoft.com/?id=258063
Cheers
Ken
"John" <anonymous@discussions.microsoft.com> wrote in message
news:226301c427a8$a8b6fc90$a101280a@phx.gbl...
: Hi,
:
: Please, kindly let me know that there has been no answer
: for my posting for a long time. I have another site
: created in the webserver [Win2k and IIS 5.0]. A folder
: within this site needs to be password protected and it
: should use Windows Authentication. I have disabled Basic
: Authentication and have only enabled Integrated Windows
: Authentication. But, it does not authenticate and it goes
: in straight to the website. Is this a security flaw in IIS
: 4.0 and IIS 5.0?
:
: Please is there anyone with IIS expertise. Let me know
: What could be wrong?

Re: Integrated Windows Authentication - Does not work on Virtual websites
04-21-04 03:36 PM
Ken,
Thanks for your response. The answers are as below.
1. Anonymous Authentication is not Enabled.
2. I am trying to test this site from the Intranet. But,
even trying it externally it does not work either in
Windows NT 4.0 IIS 4.0 or Win2K and IIS 5.0.
This site is not in the default website, but another site
has been created which is a virtual site in IIS.
This has not been working in IIS 4.0 nor in IIS 5.0.
>-----Original Message-----
>a) Is anonymous authentication enabled? If so, disable it.
>
>b) Are you using Internet Explorer? If so, it may be automatically logging
>you in, if the site is in the local Intranet security zone. see:
> http://support.microsoft.com/?id=258063
>
>Cheers
>Ken
>
>"John" <anonymous@discussions.microsoft.com> wrote in message
>news:226301c427a8$a8b6fc90$a101280a@phx.gbl...
>: Hi,
>:
>: Please, kindly let me know that there has been no answer
>: for my posting for a long time. I have another site
>: created in the webserver [Win2k and IIS 5.0]. A folder
>: within this site needs to be password protected and it
>: should use Windows Authentication. I have disabled Basic
>: Authentication and have only enabled Integrated Windows
>: Authentication. But, it does not authenticate and it goes
>: in straight to the website. Is this a security flaw in IIS
>: 4.0 and IIS 5.0?
>:
>: Please is there anyone with IIS expertise. Let me know
>: What could be wrong?

Re: Integrated Windows Authentication - Does not work on Virtual websites
04-21-04 04:35 PM
This is very doubtful.
Also remove rights of guests/IUser_Machinename from this directory through
NTFS permissions.

Re: Integrated Windows Authentication - Does not work on Virtual websites
04-21-04 05:35 PM
I've been testing IIS integrated securities to discover the best way to set
up departmental web folders on our Intranet. My development/testing
computer is Windows 2000 with IIS5. We have a Windows 2000 domain with
Active Directory. My application server is ColdFusion 5, but I will just
address my IIS findings. When I set up Integrated Windows Authentication on
a folder in IIS (both anonymous and basic turned off), IIS does pick up the
user's domain id (this is authentication). When I create a virtual
directory to a folder that is physically on the web server, the domain
authorization to this folder works (logged in users without permission to
the folder are rejected). However, when I defined a virtual directory to a
folder that is NOT on the web server, IIS asks for a name and password to
use when getting the folder. It appears to me that this named user (not the
logged on user) is the one that determines whether authorization to the
folder is accepted or rejected. In my testing, if the folder's physical
location is NOT on the web server and the user named when setting up the
virtual directory is authorized for the physical folder, then the logged on
user is passed on into the web pages, even if he/she is not authorized for
the folder.
In other words, NTLM authorization of the logged on user for folders only
worked for me when the folder physically resided on the web server. I hope
this helps.

Re: Integrated Windows Authentication - Does not work on Virtual websites
04-21-04 07:36 PM
The folder resides in the same webserver.
OK let me make it more clear
There is a Default Website created by IIS where most of
our contents are there.
I have another website say the name is LOCATION in the
same webserver. And under this there is a folder that
needs to be password protected. So, this is the one which
is not working.
>-----Original Message-----
>I've been testing IIS integrated securities to discover
>the best way to set up departmental web folders on our
>Intranet. My development/testing computer is Windows
>2000 with IIS5. We have a Windows 2000 domain with
>Active Directory. My application server is ColdFusion 5,
>but I will just address my IIS findings. When I set up
>Integrated Windows Authentication on a folder in IIS (both
>anonymous and basic turned off), IIS does pick up the
>user's domain id (this is authentication). When I create
>a virtual directory to a folder that is physically on the
>web server, the domain authorization to this folder works
>(logged in users without permission to the folder are
>rejected). However, when I defined a virtual directory
>to a folder that is NOT on the web server, IIS asks for a
>name and password to use when getting the folder. It
>appears to me that this named user (not the logged on
>user) is the one that determines whether authorization to
>the folder is accepted or rejected. In my testing, if
>the folder's physical location is NOT on the web server
>and the user named when setting up the virtual directory
>is authorized for the physical folder, then the logged on
>user is passed on into the web pages, even if he/she is
>not authorized for the folder. In other words, NTLM
>authorization of the logged on user for folders only
>worked for me when the folder physically resided on the
>web server. I hope this helps.

Re: Integrated Windows Authentication - Does not work on Virtual websites
04-21-04 07:36 PM
Hi thanks for your answer........well, there is no
IUSER_Machinename in this directory which has been given
permission.
I have not even given EVERYONE permission on this folder. I
have only one user who has permission for this folder
which when they access this site, it should pop up and
they should enter this userid and password to access it.
>-----Original Message-----
>This is very doubtful.
>Also remove rights of guests/IUser_Machinename from this directory through
>NTFS permissions.

Re: Integrated Windows Authentication - Does not work on Virtual websites
04-21-04 09:35 PM
John, I don't quite understand. Did you set up a separate website in IIS
that shows in the manager in addition to your Default Web Site, or did you
just create a new virtual directory in your Default Web Site? This 2nd
method is the only one I'm familiar with. In this case the authorized user
(set in the folder Securities property) should be passed on in without IIS
requesting a name and password, and unauthorized users should be rejected.
I do all my programming in ColdFusion and I can grab the user's domain id
function named CGI.AUTH_USER. Do you have a way to grab and display the
user's domain id that is detected by IIS? I'm not at all an expert, I've
just been testing these things for the last week.

Re: Integrated Windows Authentication - Does not work on Virtual websites
04-22-04 03:36 AM
Hi John,
In IIS 4.0 and IIS 5.0, can you ensure that logging for the website in
question is W3C Extended, then choose to log all the properties for each
request (in particular the cs-user etc).
Then perform some requests for files in that directory, and post the
relevant lines from the logfile to the group? I'd like to see if IIS thinks
that the browser is sending some credentials.
If worst comes to worst, we can install Ethereal (www.ethereal.com) on your
client machines, and do a network capture of the traffic passing back and
forward between IIS and your browser, and then I can tell you what auth
mechanisms IIS is using, and what the browser is doing in response.
Cheers
Ken
"John" <anonymous@discussions.microsoft.com> wrote in message
news:239d01c427ac$84a0b7c0$a001280a@phx.gbl...
: Ken,
:
: Thanks for your response. The answers are as below.
:
: 1.Anonymous Authentication is not Enabled.
: 2.I am trying to test this site from the Intranet. But,
: even trying it externally it does not work either in
: Windows NT 4.0 IIS 4.0 or Win2K and IIS 5.0.
:
: This site is not in the default website, but another site
: has been created which is a virtual site in IIS.
:
: This has not been working in IIS 4.0 nor in IIS 5.0.
:
: >-----Original Message-----
: >a) Is anonymous authentication enabled? If so, disable it.
: >
: >b) Are you using Internet Explorer? If so, it may be automatically logging
: >you in, if the site is in the local Intranet security zone. see:
: > http://support.microsoft.com/?id=258063
: >
: >Cheers
: >Ken
: >
: >"John" <anonymous@discussions.microsoft.com> wrote in message
: >news:226301c427a8$a8b6fc90$a101280a@phx.gbl...
: >: Hi,
: >:
: >: Please, kindly let me know that there has been no answer
: >: for my posting for a long time. I have another site
: >: created in the webserver [Win2k and IIS 5.0]. A folder
: >: within this site needs to be password protected and it
: >: should use Windows Authentication. I have disabled Basic
: >: Authentication and have only enabled Integrated Windows
: >: Authentication. But, it does not authenticate and it goes
: >: in straight to the website. Is this a security flaw in IIS
: >: 4.0 and IIS 5.0?
: >:
: >: Please is there anyone with IIS expertise. Let me know
: >: What could be wrong?
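
The log check requested in the post above, as an added example that is not part of the original thread: it reads W3C Extended log lines and reports, for one protected path, which requests IIS challenged, which it served to an authenticated user, and which it served with no user at all. It assumes the cs-username, cs-uri-stem and sc-status fields are enabled; the log lines, the user name and the /protected/ path are constructed.

```python
from collections import Counter

# Constructed sample in IIS W3C Extended format; hosts, users and paths are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-04-22 03:40:01 10.0.0.5 - GET /protected/index.htm 401
2004-04-22 03:40:01 10.0.0.5 - GET /protected/index.htm 401
2004-04-22 03:40:01 10.0.0.5 EXAMPLE\\jsmith GET /protected/index.htm 200
2004-04-22 03:41:10 10.0.0.9 - GET /protected/report.htm 200
2004-04-22 03:41:15 10.0.0.9 - GET /default.htm 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # may reappear mid-file after a restart
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Label a request by what IIS logged for identity and status."""
    status = entry.get("sc-status", "")
    if not status.isdigit():
        return "other"
    if status == "401":
        return "challenge"  # IIS asked the browser for credentials
    if 200 <= int(status) < 400:
        # "-" means IIS served the request with no authenticated user
        return "anonymous" if entry.get("cs-username", "-") == "-" else "authenticated"
    return "other"

def audit(text, prefix):
    """Return (counts per label, anonymous successes) for URLs under prefix."""
    counts, served_anonymously = Counter(), []
    for e in parse_w3c(text):
        if not e.get("cs-uri-stem", "").lower().startswith(prefix.lower()):
            continue
        label = classify(e)
        counts[label] += 1
        if label == "anonymous":
            served_anonymously.append((e.get("c-ip", "?"), e.get("cs-uri-stem", "")))
    return counts, served_anonymously

if __name__ == "__main__":
    counts, hits = audit(SAMPLE_LOG, "/protected/")
    print(dict(counts))
    for ip, url in hits:
        print("served without credentials:", ip, url)
```

A successful request logged with "-" as the user means IIS served that path anonymously (point a in the earlier reply); a success logged with a user name when no prompt appeared means the browser logged on automatically (point b).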

All times are GMT.