kennethxu

asked on

brief me about IIS authentication

I think I have a good understanding of HTTP, HTML and JSP, and I come from the Unix/Java world :)

For a project, I need information about how IIS authenticates users and how the user ID and role info can be accessed from an ASP page.

Good links are welcome too; Google gives me too many links and I have no time to filter them.

Thanks.
Mark Franz

jitganguly

Web site authentication?
http://support.microsoft.com/default.aspx?scid=kb;en-us;308160

This should give you the whole idea. This is for IIS 5.0, but for version 4 it is more or less the same.
kennethxu

ASKER

I have visited both pages. Actually I have an existing IIS app and I want to understand how it works. It displays a pre-designed login page whenever I try to access a web page in the application. What type of authentication is this? An authentication filter?

What is an authentication filter?

Try disabling Basic Authentication if you want anonymous access to the app.

No, I need the authentication.

The problem is that it is not working properly. Sometimes it tries to re-authenticate the user again and again. I'm sure it has nothing to do with the session timeout (it cannot be as short as a few seconds, right?), and the browser has cookies enabled.

I'm trying to figure out if the application implements its own authentication or makes use of IIS's authentication.

Session timeout is 20 minutes.

Do you have any Session.Abandon in between pages? Once the authentication is done, it is going to work for the rest of the pages till the session is over. Maybe you are disconnecting?

>> Session timeout is 20 minutes
OK, it prompts me for uid/password again within a minute, so this has nothing to do with the timeout.

The login page is web-page based. What authentication type is it? I know that Basic authentication pops up a dialog box for user ID/password, so it doesn't seem to be Basic authentication.

I searched the whole app for "abandon"; only Logout.asp contains that.

OK. When you say the login page appears, do you see NT authentication, or your code that has login and password?

>> or your code that has login and password?
I didn't code it :) It's an existing application I'm trying to understand and fix.

there is a Login.asp page, and it is displayed.
OK. That means on top of every page you must be checking something like whether the session timed out and, if yes, forcing the user to go back to the login page - right?
Maybe that's triggering it off.

1. Check the Response.Buffer statement. Make it False.
2. Also, in IE go to Tools > Internet Options > General tab > Settings button and select "Every visit to the page".

3. do you have any a href stuff like
<a href="" onclick="closeedoc()">

that closes your page with a JavaScript function? Then make it href="#" (I had this problem 2 days back).


IIS can authenticate a user in many ways.

1. Anonymous - no credentials required to access the resource.

2. Windows Integrated Authentication - domain user accounts are passed as credentials (sometimes called NTLM).

3. Basic Authentication - users enter a user name and password to access the resource; the password is sent in clear text, so a network sniffer could detect the passwords...

I had a situation that I encountered a couple of days ago, which might give you some insight, although maybe not a solution.

We run in Windows 2000 Native mode. I had to hide/show links based on membership of domain local groups in Active Directory, and I found an interesting situation.
While in the development phase the application ran on my machine, and when I attempted to check user credentials using server variables and validate them against Active Directory, the pages would work fine when I was bringing them up on my machine, since the credentials were only making ONE HOP...

My Machine --> Domain Controller

When other users would bring up the app, and try to view the main page where credentials were checked...PROBLEM.

User Machine ---> My Machine --> Domain Controller

As you can see, the user's credentials will never make it to the domain controller, since with Windows Authentication the credentials cannot survive a double hop, so end users got a 500 Internal Server Error. Terrible.

Okay, so besides hosting my application on a Domain Controller (not a good idea, btw, but I need authentication!), what were my options?

1. Kerberos - good idea, provided all clients are Win2K and above and trust the web server for delegation. Tried it, did not work.

2. Enabled Basic Authentication - request server variables, check group membership, and hide/show links or redirect based on membership. This works, and allows the double hop.

Here is some code that you might find useful if you want to implement this sort of authentication; I am sure it will work with Windows NT as well...


Check Group Membership (VBScript function)

Function IsAMember(strGroup)
  Dim strUserID        ' The user ID in context (without the DOMAIN\ prefix)
  Dim strPath          ' The ADSI namespace path (where to get information)
  Dim objMember        ' Each member object returned by the group
  Dim objGroup         ' The group object whose Members collection we walk

  ' AUTH_USER is only populated when IIS authenticated the request itself
  ' (Basic or Integrated); it is empty for anonymous access.
  strUserID = UCase(Request.ServerVariables("AUTH_USER"))

  ' Strip a leading "DOMAIN\" if present. InStr returns 0 when there is no
  ' backslash, so Mid then starts at position 1 and leaves the name intact.
  strUserID = Mid(strUserID, InStr(1, strUserID, "\") + 1)

  IsAMember = False
  ' Anonymous request: there is no user to look up, so not a member of anything
  If strUserID = "" Then Exit Function

  ' Build the query for all the members of the group in question
  strPath = "WinNT://YOURDOMAIN/" & strGroup & ",group"

  ' Ask NT to give us the group's members
  Set objGroup = GetObject(strPath)

  ' Iterate through the group members. The WinNT provider lists direct
  ' members only; nested group membership is not expanded.
  For Each objMember In objGroup.Members
    ' Determine if the page requestor is a member of the group
    If UCase(objMember.Name) = strUserID Then
      ' Yes, this requestor is...
      IsAMember = True
      ' Exit this loop when found
      Exit For
    End If
  Next

End Function


Now when you come to the page you can do:

  MemberGodGroup = IsAMember("GodGroup")
  If MemberGodGroup Then
    ' ...your logic here (show/hide links, redirect, ...)
  End If

I don't know if this will help you any, but I just thought I'd share how to battle the double hop issue....
In the Servlet/JSP world, there is so-called form-based authentication. Basically, you can tell the server that you want to use a particular page as your login page and the server handles the rest.

Does such an analogue exist in IIS?
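An added example, not code from this thread or from the accepted answer, of what the IIS-side analogue of form-based authentication usually looks like in classic ASP: a small include checked at the top of every protected page, plus the Login.asp it redirects to. It serves both the earlier question of how the user ID is read from an ASP page (Request.ServerVariables("AUTH_USER"), as in the Basic/Integrated setup above) and this question about a login page handled by the application itself: if IIS already authenticated the request the identity is taken from AUTH_USER, otherwise the page falls back to the application's own session-based login, the pattern an application with a Login.asp and a Logout.asp that calls Session.Abandon typically follows. The file names auth_check.asp and Login.asp, the Session("UserID") and Session("AuthSource") keys, and the CheckCredentials routine with its constructed sample account are all assumptions; CheckCredentials stands in for whatever user store the real application has.

```asp
<%
' ---- auth_check.asp  (added example; assumed file name) ----
' Include this at the very top of every protected page, before any HTML is
' sent, so that Response.Redirect still works even with Response.Buffer = False.

' Returns the authenticated user name, or "" if nobody is logged in.
Function CurrentUser()
    Dim iisUser
    ' AUTH_USER is filled in by IIS only when it authenticated the request
    ' itself (AUTH_TYPE = "Basic", "NTLM" or "Negotiate"); empty for anonymous.
    iisUser = Request.ServerVariables("AUTH_USER")
    If Len(iisUser) > 0 Then
        Session("UserID") = iisUser
        Session("AuthSource") = "IIS:" & Request.ServerVariables("AUTH_TYPE")
    End If
    ' Otherwise rely on the application's own login (set by Login.asp below).
    ' The session cookie has to come back on every request, or this is "".
    CurrentUser = "" & Session("UserID")   ' "" & turns Empty into ""
End Function

' Redirect to the login form if there is no identity, remembering the
' originally requested page so Login.asp can send the user back afterwards.
Sub RequireLogin()
    Dim returnTo
    If CurrentUser() = "" Then
        returnTo = Request.ServerVariables("SCRIPT_NAME")
        If Len(Request.QueryString) > 0 Then
            returnTo = returnTo & "?" & Request.QueryString
        End If
        Response.Redirect "Login.asp?ReturnTo=" & Server.URLEncode(returnTo)
    End If
End Sub

RequireLogin
%>

<%
' ---- Login.asp  (added example; assumed file name) ----
Dim userId, password, returnTo, msg

' Stand-in for the application's own user store (constructed sample account;
' a real application would look the user up in its database and compare a
' password hash rather than keep credentials in the page).
Function CheckCredentials(u, p)
    Dim users
    Set users = Server.CreateObject("Scripting.Dictionary")
    users.CompareMode = 1                    ' vbTextCompare: user IDs are case-insensitive
    users.Add "kenneth", "s3cret-example"   ' constructed sample account
    CheckCredentials = False
    If users.Exists(u) Then
        If users(u) = p Then CheckCredentials = True   ' password compare stays case-sensitive
    End If
End Function

' Only ever redirect back to a path on this site: reject anything that does
' not start with a single "/" (e.g. "//evil.example" or "http://...").
returnTo = Request("ReturnTo")
If Left(returnTo, 1) <> "/" Or Left(returnTo, 2) = "//" Then returnTo = "/Default.asp"

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    userId   = Request.Form("UserID")
    password = Request.Form("Password")
    If CheckCredentials(userId, password) Then
        ' Start from an empty session so nothing from a previous user survives
        Session.Contents.RemoveAll
        Session("UserID") = userId
        Session("AuthSource") = "Form"
        Response.Redirect returnTo
    Else
        msg = "Invalid user ID or password."
    End If
End If
%>
<html><body>
<p><%= Server.HTMLEncode("" & msg) %></p>
<form method="post" action="Login.asp">
  <input type="hidden" name="ReturnTo" value="<%= Server.HTMLEncode(returnTo) %>">
  User ID: <input type="text" name="UserID"><br>
  Password: <input type="password" name="Password"><br>
  <input type="submit" value="Log in">
</form>
</body></html>
```

With this layout a page keeps prompting only when CurrentUser() comes back empty on a later request, so the first thing to check in a misbehaving application of this shape is whether the session cookie is actually returned on every request (same host name, same application, cookies not blocked) and whether anything other than Logout.asp clears or abandons the session.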
ASKER CERTIFIED SOLUTION
peregrintook

For that matter, even MS Passport based ;) .. only ASP.NET though...
I think I learned quite a bit, and I found that the application is doing its own authentication; it is not using IIS's security.

I'll concentrate on how the application gets lost on this.
I'll give everybody 50 points for your help:

for jitganguly: https://www.experts-exchange.com/questions/20430708/for-jitganguly.html

for mgfranz: https://www.experts-exchange.com/questions/20430707/for-mgfranz.html

and I'll accept peregrintook's answer.