Solved

Authentication with NT and IIS

Posted on 1998-07-21
Last Modified: 2013-12-25
I know this has been asked before but I can't seem to find any satisfactory answer.

I need the dialog-box prompt for user name and password as in this site. I've used htaccess on Unix and I'm very satisfied, but it's just too bad it doesn't work on NT's IIS.

If anyone knows of an htaccess equivalent for IIS, could you please tell me?

I do not want CGI scripts, unless they can really protect an entire directory. Most I know do not protect against direct reference to the file (e.g. http://www.aaa.com/protected_dir/secretfile.html will still load up if the user knows the entire path).

Thanks in advance.

weikai
0
Question by:weikai
18 Comments
 

Author Comment

by:weikai
Edited text of question
0
 
LVL 6

Expert Comment

by:alamo
IIS has no equivalent to the .htaccess file; it is all handled through NT file rights.

When IIS accesses a file (any file) it checks that the user who IIS is running as (IUSR_machinename) has the necessary rights. If not, the server returns the popup login prompt to the browser, and the user must enter the username and password of a user who has the right to access the file.

Hope this helps!
0
 

Author Comment

by:weikai
But what if I want to create a group of users different from those in the NT domain?

-
benn
0
 
LVL 28

Expert Comment

by:sybe
You will have to add the users to NT. It is enough to add them to the machine, not to the whole domain. Then give them rights on the directory with the website (and remove the rights for IUSR_...).
Another option is using a database with usernames/passwords, but then you have to use CGI, and you said that is not what you want.
0
 

Author Comment

by:weikai
Thanks alamo and sybe.
I do not have the authority to create users. So I was hoping for a simple file that keeps the users' IDs and passwords.
In the case of CGI, can it really protect everything under a directory?
0
 
LVL 28

Expert Comment

by:sybe
Yes.

Basically, what I have done (using ASP) is make a login page, which checks the database. If the user is authorized, then I give him a server-side (session) variable (which is connected with the ASP cookie).

In each page I have included a check on this server-side variable. If the variable is absent or "False", then the user is redirected to the login page. If the variable is "True", then the page is shown.

The problem is that you have to do this check in every page.
When using SSI it is however only one line that has to be included.

When you have IIS4, then it is a lot easier: IIS4 can put a line in each file of a directory automatically.
0
 
LVL 6

Expert Comment

by:alamo
Hi weikai and sybe,

If you can't create users, your options drop a great deal on IIS. As Sybe has said, ASP is the likely substitute, but it has limitations itself: for example, if your intention is to create a "members only download area", then the html with the links to the files can be protected by password, but the files themselves can't. So a user could bookmark a file or pass the URL on to someone else, bypassing the security. (Maybe there's a way in ASP around this, I am not an ASP expert, whereas Sybe is - I hope he'll correct me if I misspeak).

A custom CGI .exe file which stands as the 'gatekeeper' between the user and a download file might work too, but it would be a lot of work. (And I am unsure how a CGI .exe gets access to the ASP session variable, which it would need to assure that the user is authorized).
0
 
LVL 28

Expert Comment

by:sybe
It is possible to download files through asp. What you do is include the security statements (which will redirect the user if he's not allowed), then send the mimetype of the file to be downloaded and then include the file to be downloaded. It's binary code, but it works.

schematically:

<!-- #include file="secure.inc"-->

<% Response.ContentType = "application/x-gzip" %>

<!-- #include file="another.zip"-->




0
 
LVL 6

Expert Comment

by:alamo
That's good to know, Sybe, I had incorrectly assumed the server would try to parse another.zip like it parses secure.inc.

It would be wise to put the included files in another directory so that a user couldn't guess the real filename and get lucky, bypassing the .asp.
0
 

Expert Comment

by:csi
weikai, I'm having the same problem and I'm trying to find a workaround.

Take a look at my posted question above ("Forcing HTTP Authentication") and see if this might be a workaround that could help both of us, should I find an answer to my question.

If my idea has any merit, we could use a script to force the browser to open a login box and request usernames from clients. Since it isn't technically a protected area, it wouldn't be under the constraints of NT and we could use our own cgi-created databases for verification.

What do you think?
0
 

Author Comment

by:weikai
Hi, I'm actually waiting for csi's solution. But now I can't seem to find his question.
Back to my question, my provider's NT server does not have ssi support. So am I still able to use your solution?

I still do not have a solution to my problem. I guess maybe there won't be one, given the constraint of the services from my provider. Nevertheless, sybe and alamo, your solutions would definitely be useful for other readers, and both of you deserve a grade. What do you think I should do? Should I reopen the question?

Thank you,
weikai

0
 

Expert Comment

by:csi
I'm still a way from solving my situation, so you can do whatever you think is best.
0
 
LVL 6

Expert Comment

by:alamo
weikai, let's review the situation:

- You can't add users to NT, therefore using normal HTTP authentication is out.
- You can't use SSI and ASP, so server side scripting to validate the user's session is out.

Your best remaining option is to use a CGI and a cookie. Present an HTML login page; when the user logs in successfully, you set a cookie. You make all your files inaccessible to the server directly, so that requests instead have to go through a CGI script which checks the cookie and sends back the requested file only if it's OK.

This isn't an uncommon approach, because many people are in the same position you are in. Its main disadvantage is it's a lot of work to set up. But I think it's your best option.

Let me know if you want more information on this option. If not, then you should reopen the question.
0
 

Author Comment

by:weikai
The question is now reopened. Please fill in your answer again. Thanks!
0
 

Expert Comment

by:joemacd
Here's a real strange (but workable) workaround, which is effective if you aren't going to have exceptionally heavy traffic. Otherwise, it can bog down the server a bit.

On IIS 4, you can redirect all requests to a particular directory towards a cgi script.

This script will ask the client for a username and password. If accepted, the script "creates" the page by simply copying the text from the original location and outputting it from within the script. You can also include cookies in this script so that it won't continually be asking the client for their username on each page.

The only drawbacks?
1) The URL is ugly, because it will look something like:
http://www.yoursite.com/cgi-bin/logincheck.cgi?/protecteddirectory/page1.html
2) If you have a busy site, then your script will be running every time someone goes to a protected page.
0
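A minimal sketch of the gatekeeper that alamo and joemacd describe above, added here as an example and not part of any poster's reply: a login issues a signed, expiring cookie, and every request for a protected file is checked against that cookie and against paths that escape the protected directory before the file (kept outside the web root) is returned. It is written in Python rather than a language named in the thread; the secret, the cookie layout, the function names and `/login.html` are assumptions.

```python
import hashlib
import hmac
import time
from pathlib import Path

SECRET = b"constructed-demo-key"   # assumption: per-site key stored outside the web root
MAX_AGE = 1800                     # assumption: session lifetime in seconds

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, now=None):
    """Cookie value to set after a successful login: user|expiry|signature."""
    expires = int((now or time.time()) + MAX_AGE)
    payload = f"{user}|{expires}"
    return f"{payload}|{_sign(payload)}"

def check_cookie(value, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        user, expires, sig = value.split("|")
        fresh = int(expires) > (now or time.time())
        # Constant-time comparison; a client-edited user or expiry changes the signature.
        if hmac.compare_digest(sig, _sign(f"{user}|{expires}")) and fresh:
            return user
    except (ValueError, TypeError, AttributeError):
        pass                       # malformed, missing or non-ASCII cookie
    return None

def resolve(root, requested):
    """Map the path from the query string into root; None if it escapes or is missing."""
    root = Path(root).resolve()
    target = (root / requested.lstrip("/\\")).resolve()   # collapses ".." and symlinks
    if root not in target.parents or not target.is_file():
        return None
    return target

def handle(root, cookie, requested):
    """Gatekeeper decision for one request, returned as (status, body)."""
    if check_cookie(cookie) is None:
        return 302, b"/login.html"          # hypothetical login page to redirect to
    target = resolve(root, requested)
    if target is None:
        return 404, b""
    return 200, target.read_bytes()
```

Because the script reads the files itself, `root` can sit in a directory the web server does not publish, so knowing the full path of a file gives no way around the check.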
 

Author Comment

by:weikai
Hi joemacd, your answer is quite similar to alamo's. Sorry I can't accept it because I think alamo deserves more, hope you don't mind. But thanks.

I may have an alternative solution, that is, if I am able to make use of ODBC, I can create a table to store my users' IDs and passwords. Thereafter, I can use ASP as described by sybe and alamo to verify the user with the ID and password from the database.

Is that workable?
0
 

Expert Comment

by:joemacd
weikai,

Don't worry about it. I didn't realize how similar my answer was to alamo's until now. I was reading his answer from a different perspective, I guess.

I don't know much about ASP, so I can't comment on your alternative solution. I can verify that the method proposed by alamo and myself does indeed work, because I'm using it right now.
0
 
LVL 6

Accepted Solution

by:
alamo earned 100 total points
Just checked for the first time in a while and saw your invitation to answer. Hope you have been able to make it work. Good luck!
0
