"David Wang" <w3.4you@gmail.com> wrote in message
news:56599084-c403-420f-936c-8e504ff909ca@t1g2000pra.googlegroups.com...
> On Dec 14, 2:59 am, "Christophe Niel"
> <Christophe.N...@nospam.fr.eu.abnamro.com.nospam> wrote:
>> "David Wang" <w3.4...@gmail.com> wrote in message
>>
>> news:c035b346-3dd7-4b30-bc90-88bbf859efec@s8g2000prg.googlegroups.com...
>>
>> > On Dec 13, 3:36 pm, "Christophe Niel" <c.n...@freemail.fr> wrote:
>> >> Hi all
>>
>> >> I set up an IIS 6.0 server a while ago when we were young and innocent
>> >> and decided to implement a few simple security baselines for the intranet
>> >> web site:
>> >> Integrated security on all the web sites
>> >> "authenticated user" with read access only on the files
>> >> "dev_group user" with write access on the files
>> >> and various subdir rights depending on the need.
>>
>> >> We were happy, it worked fine, and since it was a brand new IT dev team
>> >> with shiny new toys, the devs did a great job and lots of applications
>> >> were born using .NET
>>
>> >> It was so well made that all the applications use a web service to
>> >> identify each user and give him the correct rights in each application.
>> >> This WS is based on the Windows authentication.
>>
>> >> Now it works so well we need to have some sites accessed from other
>> >> country branches our company is part of.
>>
>> >> The problem is we don't share an Active Directory or any NT domain
>> >> relationship at all, so I need to activate the anonymous access on the
>> >> web site and if I do that, I cannot use the Windows authentication
>> >> anymore...
>>
>> >> so what can I do to
>> >> allow anonymous users in my network to access my website
>> >> continue using the IIS/NTFS authentication for my domain users OR
>> >> still get the security information with the anonymous access activated.
>>
>> >> is it even possible?
>>
>> >> (my only option right now is to set up a new server with a copy of
>> >> everything but with anonymous access... I don't like it at all.)
>>
>> > Set up a new website (not new server) with Anonymous access enabled,
>> > and publish that for external users to use. Your local users continue
>> > using the existing website with Integrated Authentication.
>>
>> > The problem is not that IIS cannot support multiple authentication
>> > protocols like Anonymous and Integrated at the same time. The problem
>> > is which authentication protocol the browser uses to authenticate. By
>> > default, browsers favor anonymous over authenticated access, so as
>> > soon as you enable anonymous every user will become anonymous,
>> > including your local users. Thus, the problem is how to keep your
>> > local users authenticated and the remote users anonymous. Now, to the
>> > web server they are all "users" -- how do you define "local" vs
>> > "remote" users? By IP? By network interface? By username?
>>
>> > So, you have to figure out a way to distinguish local users from
>> > remote users, and I'm proposing that you use two websites pointed at
>> > the same content on the same server. One website is Integrated only.
>> > The other is anonymous only. And your existing users use the existing
>> > website with Integrated only, and external users use the new one that
>> > is anonymous only.
>>
>> > Clearly, if the internal user uses the new website, they are treated
>> > as anonymous. There's no good way to deal with that unless you can
>> > identify a better way to determine "local" vs "remote" users. This is
>> > especially hard since there is no common identity system, so you
>> > cannot rely on authenticated identity for authorization.
>>
>> > Personally, I think that one company should have one common identity
>> > system. Otherwise, it will remain fragmented technologically, with
>> > folks like yourself creating local, ad-hoc solutions that cannot scale
>> > company-wide.
>>
>> > //David
>> > http://w3-4u.blogspot.com
>> > http://blogs.msdn.com/David.Wang
>> > //
>>
>> I agree with you on the common identity, unfortunately that is not a
>> possibility opened to us right now...
>>
>> I'm gonna try to add an "everyone" NTFS right and a new website with
>> anonymous activated.
>> I'll try to have a redirect to the internal address in the anonymous
>> website based on the IP address, that is the only way I can know for sure
>> if the users are in my country or not...
>>
>> thanks for your answer
>>
>> best regards
>> Christophe
>
>
> I'm not certain why you need to add "Everyone" if all other users are
> going to be anonymous authenticated. You should just create a specific
> user for use as Anonymous user and add NTFS ACL for just that user.
> Leave all your existing ACLs the way they are.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
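
For anyone landing on this thread later, here is what David's two-site layout and his "dedicated anonymous account, no Everyone ACE" advice look like as a script. This is an added example, not code posted by David or Christophe; it drives the IIS 6.0 metabase through the IIS ADSI provider from PowerShell on the web server itself, run as an administrator. Every name in it is a placeholder I chose: site id 1 is the existing Integrated-only intranet site, site id 2 is the new anonymous-only site, D:\wwwroot\intranet is the shared content root, IUSR_EXTRANET is a dedicated local account used only as the anonymous identity, and extranet.example.com is the host header the other branches would use.

```powershell
# Added example (not from the thread): one content root, two IIS 6.0 sites
# with different authentication, plus an NTFS ACE for a dedicated anonymous
# account instead of Everyone. All names below are placeholders.

$ContentPath  = 'D:\wwwroot\intranet'     # assumed shared content root
$AnonUser     = 'IUSR_EXTRANET'           # assumed dedicated anonymous account
$ExternalHost = 'extranet.example.com'    # assumed host header for the new site
$ExistingSite = 1                         # assumed id of the Integrated-only site
$NewSite      = 2                         # assumed id of the new anonymous-only site

# IIS 6.0 metabase AuthFlags bits: 1 = Anonymous, 2 = Basic,
# 4 = Integrated Windows (NTLM/Negotiate), 16 = Digest.
# AccessFlags bits: 1 = Read, 2 = Write, 4 = Execute, 512 = Script.
$AuthAnonymous    = 1
$AuthIntegrated   = 4
$AccessReadScript = 513

function Get-SiteAuthFlags {
    param([int]$SiteId)
    $root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
    return [int]$root.psbase.Properties['AuthFlags'].Value
}

function Set-SiteAuthFlags {
    param([int]$SiteId, [int]$Flags)
    $root = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
    $root.Put('AuthFlags', $Flags)
    $root.SetInfo()
}

# 1. Keep the existing intranet site Integrated-only. Adding the Anonymous
#    bit here is exactly what turns every domain user into an anonymous user.
Set-SiteAuthFlags -SiteId $ExistingSite -Flags $AuthIntegrated

# 2. Create the second site on the same content root, Anonymous-only, bound
#    to its own host header so clients reach one site or the other.
$password = Read-Host -AsSecureString "Password for $AnonUser"
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$w3svc = [ADSI]'IIS://localhost/W3SVC'
$site  = $w3svc.Create('IIsWebServer', "$NewSite")
$site.Put('ServerComment', 'Intranet (anonymous, other branches)')
$site.Put('ServerBindings', @(":80:$ExternalHost"))
$site.SetInfo()

$root = $site.Create('IIsWebVirtualDir', 'Root')
$root.Put('Path', $ContentPath)
$root.Put('AccessFlags', $AccessReadScript)
$root.Put('AuthFlags', $AuthAnonymous)
$root.Put('AnonymousUserName', $AnonUser)
$root.Put('AnonymousUserPass', $plain)
$root.SetInfo()
$site.Invoke('Start')

# 3. NTFS: grant only the anonymous account read/execute on the content tree.
#    No Everyone ACE is needed; the existing "authenticated user" and
#    dev_group ACEs stay as they are.
$acl  = Get-Acl -Path $ContentPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AnonUser, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $ContentPath -AclObject $acl

# 4. Verify: each site carries exactly one authentication scheme and
#    Everyone has not crept into the ACL.
if ((Get-SiteAuthFlags $ExistingSite) -ne $AuthIntegrated) {
    throw "site $ExistingSite is not Integrated-only"
}
if ((Get-SiteAuthFlags $NewSite) -ne $AuthAnonymous) {
    throw "site $NewSite is not Anonymous-only"
}
$everyone = (Get-Acl -Path $ContentPath).Access |
    Where-Object { $_.IdentityReference.Value -match '(^|\\)Everyone$' }
if ($everyone) { throw "Everyone has an ACE on $ContentPath" }
Write-Host "site $ExistingSite: Integrated only; site $NewSite: Anonymous only as $AnonUser"
```

The verification step is the part worth keeping around: re-reading AuthFlags after any later change in the IIS manager catches the case David warns about, where someone ticks "Anonymous" on the internal site and silently downgrades every domain user, and the ACL check catches an Everyone grant being added "just to make it work".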