| Groups | Blog | Home |
iis security : Upload Files onto a Remote Server
intranet, it errors as "permission denied". (We are using a component called, ABCUpload.) It only works when "Allow IIS to control password" is not checked. That means I can't use IUSR. But I need to know who logged in. I could use "Basic Authentication", but that means all users have to log-in every single time. Is there a way to use "Basic Authentication" and yet enabling single sign-on for the users? Any suggestion, direction, support helps. :)
[quoted text, click to view]
>Is there a way to use "Basic Authentication" and yet >enabling single sign-on for the users? Sure. Just enable Basic authentication on IIS and most browsers should automagically do it. Single-Sign-On is largely a client-side phenomenon with server-side cooperation. With properly configured web browsers, any of the authentications supported by IIS and the browser require at MOST one user sign-on. By default, IE and Netscape will allow single-sign-on using Basic authentication. The way a browser enables Single-Sign-On with Basic authentication is to send the base64 encoding of username:password on every request to the server. This essentially "pre-authenticates" every one of those requests (recall that the HTTP protocol used by web browsers is STATELESS while Single-Sign-On is all about maintain some type of user session in the form of STATE... and over a stateless protocol like HTTP). Now, since Basic authentication is essential clear-text, browsers do not like to freely "pre-authenticate" when crossing websites so security reasons. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Lara" <anonymous@discussions.microsoft.com> wrote in message When uploading a file onto a remote server on ournews:b30901c3ec49$f43026f0$a001280a@phx.gbl... intranet, it errors as "permission denied". (We are using a component called, ABCUpload.) It only works when "Allow IIS to control password" is not checked. That means I can't use IUSR. But I need to know who logged in. I could use "Basic Authentication", but that means all users have to log-in every single time. Is there a way to use "Basic Authentication" and yet enabling single sign-on for the users? Any suggestion, direction, support helps. :) Thanks!!
By default, when in IIS you clear the Enable Automatic Password
Synchronization or Allow IIS to control password check boxes, you are required to enter the password manually and anonymous authentication will fail until you do. If I am not wrong, even when you did not enable "Allow IIS to control password" checkbox, you can still use IUSR account. You need to manually enter a new password for the IUSR account and it should work for anonymous access. You may refer to the following KB articles for more information on anonymous acccess: Password Synchronization/Allow IIS to Control Password May Cause Problems http://support.microsoft.com/?id=216828 Must Enter Password Manually After You Set Password Synchronization http://support.microsoft.com/?id=259353 Hope it helps, Desmond [quoted text, click to view] "Lara" <anonymous@discussions.microsoft.com> wrote in message news:b30901c3ec49$f43026f0$a001280a@phx.gbl... > When uploading a file onto a remote server on our > intranet, it errors as "permission denied". (We are > using a component called, ABCUpload.) It only works > when "Allow IIS to control password" is not checked. > That means I can't use IUSR. But I need to know who > logged in. I could use "Basic Authentication", but that > means all users have to log-in every single time. > > Is there a way to use "Basic Authentication" and yet > enabling single sign-on for the users? > > Any suggestion, direction, support helps. :) > Thanks!!
Thank you, David and Desmond.
Actually, I am using OpenWiki (web bulletin board kind of tool) with an uploading component, called ABCUpload. So, under "OpenWiki" virtual directory, I have another one called "Attachment". I have no problem going into OpenWiki, but when I try uploading, it fails with a permission error. The only time it works is when I set the security at "OpenWiki" virtual directory level with any user with no password, not allowing IIS to control password, and enable Basic Authentication. BUT, not without asking to login to OpenWiki page everytime. Do you have any advice or suggestion?? Lara P.S. Thanks for your help! [quoted text, click to view] >-----Original Message-----
>>Is there a way to use "Basic Authentication" and yet >>enabling single sign-on for the users? > >Sure. Just enable Basic authentication on IIS and most browsers should >automagically do it. > >Single-Sign-On is largely a client-side phenomenon with server-side >cooperation. With properly configured web browsers, any of the >authentications supported by IIS and the browser require at MOST one user >sign-on. By default, IE and Netscape will allow single- sign-on using Basic >authentication. > >The way a browser enables Single-Sign-On with Basic authentication is to >send the base64 encoding of username:password on every request to the >server. This essentially "pre-authenticates" every one of those requests >(recall that the HTTP protocol used by web browsers is STATELESS while >Single-Sign-On is all about maintain some type of user session in the form >of STATE... and over a stateless protocol like HTTP). > >Now, since Basic authentication is essential clear-text, browsers do not >like to freely "pre-authenticate" when crossing websites so security >reasons. > >-- >//David >IIS >This posting is provided "AS IS" with no warranties, and confers no rights. >// >"Lara" <anonymous@discussions.microsoft.com> wrote in message >news:b30901c3ec49$f43026f0$a001280a@phx.gbl... >When uploading a file onto a remote server on our >intranet, it errors as "permission denied". (We are >using a component called, ABCUpload.) It only works >when "Allow IIS to control password" is not checked. >That means I can't use IUSR. But I need to know who >logged in. I could use "Basic Authentication", but that >means all users have to log-in every single time. > >Is there a way to use "Basic Authentication" and yet >enabling single sign-on for the users? > >Any suggestion, direction, support helps. :) >Thanks!! > > >.
I do not have any advice specific to "OpenWiki" nor "ABCUpload", but it is
quite irrelevant since they are merely code that must obey the same rules/reasonings in the following URL: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/RemStorg.asp This is what you must decide: Are all users going to write to the remote server as one single user or individual user. That is, do you want "Pass-Thru" authentication where the remote user, authenticated, writes as him/her self to the remote server using the same identity, or does everyone get mapped to one UNCUser identity which alone has the ability to write to the remote server. How to configure is described in the aforementioned URL. Based on what you are saying, you seem to want anyone to be able to use ABCUpload to upload to a remote server, but without authenticating. This suggests that you do NOT want "Pass-Thru" authentication. You should be able to accomplish this by turning off all authentication, enabling only Anonymous authentication, make sure the anonymous username/password is synchronized in the IIS Manager UI, the local SAM database, and the remote server's SAM database. Finally, give this user write permissions on the Remote Server's NTFS filesystem as well as full permissions on the UNC Share. This maps all anonymous requests to be executed by this synchronized identity, which can write to the remote server's NTFS filesystem via the UNC share, completely authenticated without any external dialog boxes. How you latch onto this with a 3rd party component -- that's for you to figure out, using their documentation... -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Lara" <anonymous@discussions.microsoft.com> wrote in message Thank you, David and Desmond.news:c05701c3ed0f$58b89510$a401280a@phx.gbl... Actually, I am using OpenWiki (web bulletin board kind of tool) with an uploading component, called ABCUpload. So, under "OpenWiki" virtual directory, I have another one called "Attachment". I have no problem going into OpenWiki, but when I try uploading, it fails with a permission error. The only time it works is when I set the security at "OpenWiki" virtual directory level with any user with no password, not allowing IIS to control password, and enable Basic Authentication. BUT, not without asking to login to OpenWiki page everytime. Do you have any advice or suggestion?? Lara P.S. Thanks for your help! [quoted text, click to view] >-----Original Message----- >>Is there a way to use "Basic Authentication" and yet >>enabling single sign-on for the users? > >Sure. Just enable Basic authentication on IIS and most browsers should >automagically do it. > >Single-Sign-On is largely a client-side phenomenon with server-side >cooperation. With properly configured web browsers, any of the >authentications supported by IIS and the browser require at MOST one user >sign-on. By default, IE and Netscape will allow single- sign-on using Basic >authentication. > >The way a browser enables Single-Sign-On with Basic authentication is to >send the base64 encoding of username:password on every request to the >server. This essentially "pre-authenticates" every one of those requests >(recall that the HTTP protocol used by web browsers is STATELESS while >Single-Sign-On is all about maintain some type of user session in the form >of STATE... and over a stateless protocol like HTTP). > >Now, since Basic authentication is essential clear-text, browsers do not >like to freely "pre-authenticate" when crossing websites so security >reasons. > >-- >//David >IIS >This posting is provided "AS IS" with no warranties, and confers no rights. >// >"Lara" <anonymous@discussions.microsoft.com> wrote in message >news:b30901c3ec49$f43026f0$a001280a@phx.gbl... >When uploading a file onto a remote server on our >intranet, it errors as "permission denied". (We are >using a component called, ABCUpload.) It only works >when "Allow IIS to control password" is not checked. >That means I can't use IUSR. But I need to know who >logged in. I could use "Basic Authentication", but that >means all users have to log-in every single time. > >Is there a way to use "Basic Authentication" and yet >enabling single sign-on for the users? > >Any suggestion, direction, support helps. :) >Thanks!! > > >. >
Thank you so much, David!!! I will struggle a bit
longer. :) [quoted text, click to view] >-----Original Message-----
>I do not have any advice specific to "OpenWiki" nor "ABCUpload", but it is >quite irrelevant since they are merely code that must obey the same >rules/reasonings in the following URL: >http://www.microsoft.com/technet/prodtechnol/windowsserve r2003/deploy/confeat/RemStorg.asp > >This is what you must decide: >Are all users going to write to the remote server as one single user or >individual user. That is, do you want "Pass-Thru" authentication where the >remote user, authenticated, writes as him/her self to the remote server >using the same identity, or does everyone get mapped to one UNCUser identity >which alone has the ability to write to the remote server. > >How to configure is described in the aforementioned URL. > >Based on what you are saying, you seem to want anyone to be able to use >ABCUpload to upload to a remote server, but without authenticating. This >suggests that you do NOT want "Pass-Thru" authentication. You should be >able to accomplish this by turning off all authentication, enabling only >Anonymous authentication, make sure the anonymous username/password is >synchronized in the IIS Manager UI, the local SAM database, and the remote >server's SAM database. Finally, give this user write permissions on the >Remote Server's NTFS filesystem as well as full permissions on the UNC >Share. > >This maps all anonymous requests to be executed by this synchronized >identity, which can write to the remote server's NTFS filesystem via the UNC >share, completely authenticated without any external dialog boxes. How you >latch onto this with a 3rd party component -- that's for you to figure out, >using their documentation... > >-- >//David >IIS >This posting is provided "AS IS" with no warranties, and confers no rights. >// >"Lara" <anonymous@discussions.microsoft.com> wrote in message >news:c05701c3ed0f$58b89510$a401280a@phx.gbl... >Thank you, David and Desmond. > >Actually, I am using OpenWiki (web bulletin board kind of >tool) with an uploading component, called ABCUpload. So, >under "OpenWiki" virtual directory, I have another one >called "Attachment". > >I have no problem going into OpenWiki, but when I try >uploading, it fails with a permission error. > >The only time it works is when I set the security >at "OpenWiki" virtual directory level with any user with >no password, not allowing IIS to control password, and >enable Basic Authentication. BUT, not without asking to >login to OpenWiki page everytime. > >Do you have any advice or suggestion?? > >Lara >P.S. Thanks for your help! > > >>-----Original Message----- >>>Is there a way to use "Basic Authentication" and yet >>>enabling single sign-on for the users? >> >>Sure. Just enable Basic authentication on IIS and most >browsers should >>automagically do it. >> >>Single-Sign-On is largely a client-side phenomenon with >server-side >>cooperation. With properly configured web browsers, any >of the >>authentications supported by IIS and the browser require >at MOST one user >>sign-on. By default, IE and Netscape will allow single- >sign-on using Basic >>authentication. >> >>The way a browser enables Single-Sign-On with Basic >authentication is to >>send the base64 encoding of username:password on every >request to the >>server. This essentially "pre-authenticates" every one >of those requests >>(recall that the HTTP protocol used by web browsers is >STATELESS while >>Single-Sign-On is all about maintain some type of user >session in the form >>of STATE... and over a stateless protocol like HTTP). >> >>Now, since Basic authentication is essential clear-text, >browsers do not >>like to freely "pre-authenticate" when crossing websites >so security >>reasons. >> >>-- >>//David >>IIS >>This posting is provided "AS IS" with no warranties, and >confers no rights. >>// >>"Lara" <anonymous@discussions.microsoft.com> wrote in >message >>news:b30901c3ec49$f43026f0$a001280a@phx.gbl... >>When uploading a file onto a remote server on our >>intranet, it errors as "permission denied". (We are >>using a component called, ABCUpload.) It only works >>when "Allow IIS to control password" is not checked. >>That means I can't use IUSR. But I need to know who >>logged in. I could use "Basic Authentication", but that >>means all users have to log-in every single time. >> >>Is there a way to use "Basic Authentication" and yet >>enabling single sign-on for the users? >> >>Any suggestion, direction, support helps. :) >>Thanks!! >> >> >>. >> > > >.
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |