Creating Basic Authentication in IIS 6.0



Creating Basic Authentication in IIS 6.0 dsquared NO[at]SPAM newsgroups.nospam
12/27/2005 12:09:30 PM
iis security: Yes, Creating.

I have a working site, which requires Basic Authentication against the Active
Directory of a Win 2003 Server/Domain. There are several "sub-webs", all also
requiring the same authentication. Everything there is working just fine.

Code is all VB using VS 2003.

The problem is that I have a need to allow "public users" (not contained in
the active directory) limited access to these sites. Limited I can handle
with internal coding, testing user name. I can establish a user in the AD,
such as "PubAcc", with a password, and permissions.....

What I want to do is create another "web", (parallel to the main web in the
tree) which will allow anonymous access, and then internal to the VB "page
load" code, force an authentication request, from code, bypassing the
username/password popup, and supplying a name such as "PubAcc" and a
password. Then following the basic authentication, use a response.redirect to
the regular pages, thus allowing access using the now established basic
authentication.

Can this be done? I cannot seem to find answer in the help files....


--
RE: Creating Basic Authentication in IIS 6.0 dsquared NO[at]SPAM newsgroups.nospam
12/28/2005 7:22:03 AM
Thank you for your reply. In the original project, a user authenticated
(basic) on the first page. He can then navigate throughout the various webs
(all subwebs of the main page, and all requiring basic authentication).

The idea is to create new web entry point (for a public user - who does not
know a user name or password), which will allow limited access to the main
web pages.

If in this web, I require basic authentication, then the credentials are
passed and all is well. The problem is, the user does not know that
information, and the challenge is before the page opens. I want to allow
anonymous users in to the new page, and then, in code, pass a user name and
password to the basic authentication engine, and following authentication, do
a response.redirect to the main page.

On Nov 4th, there was a post here by Kenneth Koh (Desperate - Bypass Basic
Authentication), and answered by David Wang(MSFT). He referenced doing this
using a modification of CustomAuth (Platform SDK). Unfortunately, I do not
use C++, and was looking for a call within VB to the authentication engine.

I have found the Microsoft article about using "Form Authentication" against
the AD, and that works fine, but will not satisfy the Basic Authentication
requirement for the main web pages.

Is there a way to obtain "Basic Authentication" without using the pop-up
window, such that the user can be re-directed to another page "authenticated"?

--
dsquared


RE: Creating Basic Authentication in IIS 6.0 v-yren NO[at]SPAM microsoft.com (
12/28/2005 7:57:13 AM
Hi,

Welcome to MSDN newsgroup!

Based on my understanding of your post, you wonder whether anonymous users
can use the special account (such as "PubAcc") in AD to access resources
in other sites. If I have misunderstood, please let me know.

As far as I know, we can not pass credential information crossing page
under the "Basic Authentication Mode". For example, when I visit a site
which allows anonymous to access, I can not give another site current
credential information which I defined (such as
"User:PubAcc\Password:xxx") unless I input a username and password
explicitly in the pop-up window.

Actually, this scenario is supported by earlier versions of IE. We can
attach credential info to URL like "http:username:password\\..." format.
But now, due to security reasons, this function has been eliminated.

So, for your issue, I suggest you supply the account and password in the
page so that the user can input the credential info in the pop-up window if
he wants to access some granted resources by himself.

I hope the above information helps, if you have any questions or concerns,
please do not hesitate to let me know. I am standing by to help you.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
RE: Creating Basic Authentication in IIS 6.0 v-yren NO[at]SPAM microsoft.com (
12/29/2005 9:47:29 AM
Hi,

Thanks for your reply!

From your description, I think I need to explain my understanding first as
below:
You have a main site which uses "Basic authentication mode" and there are
some resources and subdirectories in it. You want to allow some anonymous
users access to specific resources in the site. If I have misunderstood
anything, please let me know.

For this scenario, I think there is no need to create another site to
implement. Actually, the "CustomAuth" you mentioned is not the ideal
method. I suggest you create a sub directory that contains the resource
which anonymous users are allowed to access (such as "public resources"
folder). Then, you can enable both "Allow anonymous" and "Basic
authentication" in configuration of the main site. Create a default page
in the folder and add a hidden iframe element in it. Inside the iframe
element, please add the resource file which the anonymous user is
prohibited to access.

Finally, when an anonymous user accesses the page, he/she can click the
"cancel" button after the prompt is shown. But the user who has
credential to access, he/she can input username and password so that he/she
can access more pages.

I appreciate your understanding and hope the above information helps, if
you have any issues or concerns please let me know. I will be happy to be
of further assistance.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
Re: Creating Basic Authentication in IIS 6.0 David Wang [Msft]
12/29/2005 7:50:23 PM
I suggest:
1. creating a new website accessible for the public user. Point it at the
same content as your original project
2. Enable ONLY anonymous authentication for this website
3. Configure the anonymous user of this website to be your special PubAcc
user

Thereafter, from IIS perspective, users that anonymously access this website
are all using PubAcc NT user to do its tasks, so you should do your
anonymous-user lockdown against the PubAcc NT user account.

The only issue that should remain is that your web application should use ""
(empty string) in AUTH_USER as indication of anonymous login. All other
authenticated user login should have non-empty string as AUTH_USER.


FYI:
Creating a Win32 DLL that exports the ISAPI function signatures is the only
way to extend IIS functionality. VB cannot create these signatures so cannot
be used to extend IIS.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
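
The AUTH_USER check described in the post above, sketched in VB.NET as an added example (not code from the thread or from Microsoft). The `GatedPage` base class, the `PublicPages` allow-list and its paths are hypothetical, and it assumes the shared pages inherit from this class and that both sites map the content at the same virtual paths.

```vb
Imports System
Imports System.Web
Imports System.Web.UI

' Added example: base page for content served by both IIS sites
' (the Basic-authentication site and the anonymous-only public site).
Public Class GatedPage
    Inherits Page

    ' Hypothetical allow-list: the only pages a public (anonymous) request may load.
    Private Shared ReadOnly PublicPages As String() = { _
        "/default.aspx", "/catalog.aspx", "/contact.aspx"}

    ' AUTH_USER is empty when IIS served the request anonymously, even though
    ' the request runs under the configured anonymous account (PubAcc).
    Public Shared Function IsAnonymous(ByVal authUser As String) As Boolean
        Return authUser Is Nothing OrElse authUser.Trim().Length = 0
    End Function

    ' Authenticated users pass; anonymous users pass only for allow-listed
    ' pages. Anything not listed is denied by default.
    Public Shared Function IsAllowed(ByVal authUser As String, _
                                     ByVal filePath As String) As Boolean
        If Not IsAnonymous(authUser) Then Return True
        For Each allowed As String In PublicPages
            If String.Compare(allowed, filePath, True) = 0 Then Return True
        Next
        Return False
    End Function

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) _
            Handles MyBase.Load
        Dim authUser As String = Request.ServerVariables("AUTH_USER")
        ' FilePath excludes any trailing path info, so the comparison is
        ' made against the page itself.
        If Not IsAllowed(authUser, Request.FilePath) Then
            Response.StatusCode = 403
            Response.End()
        End If
    End Sub
End Class
```

This page-level check is a second layer only; the permissions granted to the PubAcc account remain the lockdown the post refers to.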

Re: Creating Basic Authentication in IIS 6.0 dsquared
12/30/2005 1:21:02 PM
Thank you for your replies... David, I will study your ideas for awhile.
Looks interesting. I will also study the ISAPI functions. Seems there is
something to learn there.
