Authentication with NT and IIS

I know this has been asked before but I can't seem to find any satisfactory answer.

I need the dialog-box prompt for user name and password as in this site. I've used htaccess on unix, I'm very satisfied, but just too bad it doesn't work on NT's IIS.

Anyone who knows of a htaccess-equivalent for IIS could you please tell me?

I do not want CGI scripts, unless they can really protect an entire directory. Most I know do not protect against direct reference to the file (eg. http://www.aaa.com/protected_dir/secretfile.html will still load up if the user knows the entire path).

Thanks in advance.

weikai
 
alamoCommented:
Just checked for the first time in a while and saw your invitation to answer. Hope you have been able to make it work. Good luck!
0
 
weikaiAuthor Commented:
Edited text of question
0
 
alamoCommented:
IIS has no equivalent to the .htaccess file, it is all handled through NT file rights.

When IIS accesses a file (any file) it checks that the user who IIS is running as (IUSR_machinename) has the necessary rights. If not, the server returns the popup login prompt to the browser, and the user must enter the username and password of a user who has the right to access the file.

Hope this helps!
0

 
weikaiAuthor Commented:
But what if I want to create a group of users different from those in the NT domain?

-
benn
0
 
sybeCommented:
You will have to add the users to NT. It is enough to add them to the machine, not to the whole domain. Then give them rights on the directory with the website (and remove the rights for IUSR_...).
Another option is using a database with usernames/passwords, but then you have to use CGI, and you said that is not what you want.
0
 
weikaiAuthor Commented:
Thanks alamo and sybe.
I do not have the authority to create users. So I was hoping for a simple file that keeps the users' IDs and passwords.
For the case of CGI, can it really protect everything under a directory?
0
 
sybeCommented:
Yes.

Basically what I have done (using ASP) is making a login page, which checks the database. If the user is authorized, then giving him a server-side (session) variable (which is connected with the ASP cookie).

In each page I have included a check on this server-side variable. If the variable is absent or "False" then the user is redirected to the login page. If the variable is "True", then the page is shown.

The problem is that you have to do this check in every page.
When using SSI it is however only one line that has to be included.

When you have IIS4, then it is a lot easier: IIS4 can put a line in each file of a directory automatically.
0
 
alamoCommented:
Hi weikai and sybe,

If you can't create users, your options drop a great deal on IIS. As Sybe has said, ASP is the likely substitute, but it has limitations itself: for example, if your intention is to create a "members only download area", then the html with the links to the files can be protected by password, but the files themselves can't. So a user could bookmark a file or pass the URL on to someone else, bypassing the security. (Maybe there's a way in ASP around this, I am not an ASP expert, whereas Sybe is - I hope he'll correct me if I misspeak).

A custom CGI .exe file which stands as the 'gatekeeper' between the user and a download file might work too, but it would be a lot of work. (And I am unsure how a CGI .exe gets access to the ASP session variable, which it would need to assure that the user is authorized).
0
 
sybeCommented:
It is possible to download files through asp. What you do is include the security statements (which will redirect the user if he's not allowed), then send the mimetype of the file to be downloaded and then include the file to be downloaded. It's binary code, but it works.

schematically:

<!-- #include file="secure.inc"-->

<% Response.ContentType = "application/x-gzip" %>

<!-- #include file="another.zip"-->




0
 
alamoCommented:
That's good to know, Sybe, I had incorrectly assumed the server would try to parse another.zip like it parses secure.inc.

It would be wise to put the included files in another directory so that a user couldn't guess the real filename and get lucky, bypassing the .asp.
0
 
csiCommented:
weikai, I'm having the same problem and I'm trying to find a workaround.

Take a look at my posted question above ("Forcing HTTP Authentication") and see if this might be a workaround that could help both of us, should I find an answer to my question.

If my idea has any merit, we could use a script to force the browser to open a login box and request usernames from clients. Since it isn't technically a protected area, it wouldn't be under the constraints of NT and we could use our own cgi-created databases for verification.

What do you think?
0
 
weikaiAuthor Commented:
Hi, I'm actually waiting for csi's solution. But now I can't seem to find his question.
Back to my question, my provider's NT server does not have ssi support. So am I still able to use your solution?

I still do not have a solution to my problem. I guess maybe there won't be one, given the constraint of the services from my provider. Nevertheless, sybe and alamo, your solutions would definitely be useful for other readers, both of you deserve a grade, what do you think I should do, should I reopen the question?

Thank you,
weikai

0
 
csiCommented:
I'm still a way from solving my situation so you can do whatever you think is best.
0
 
alamoCommented:
weikai, let's review the situation:

- You can't add users to NT, therefore using normal HTTP authentication is out.
- You can't use SSI and ASP, so server side scripting to validate the user's session is out.

Your best remaining option is to use a CGI and a cookie. Present an html login page, when the user logs in successfully you set a cookie. You make all your files inaccessible to the server directly, instead having to go through a CGI script which checks the cookie and only if it's Ok sending back the requested file.

This isn't an uncommon approach, because many people are in the same position you are in. Its main disadvantage is it's a lot of work to set up. But I think it's your best option.

Let me know if you want more information on this option. If not, then you should reopen the question.
0
 
weikaiAuthor Commented:
The question is now reopened. Please fill in your answer again. Thanks!
0
 
joemacdCommented:
Here's a real strange (but workable) workaround, which is effective if you aren't going to have exceptionally heavy traffic. Otherwise, it can bog down the server a bit.

On IIS 4, you can redirect all requests to a particular directory towards a cgi script.

This script will ask the client for a username and password. If accepted, the script "creates" the page by simply copying the text from the original location and outputting it from within the script. You can also include cookies in this script so that it won't continually be asking the client for their username on each page.

The only drawbacks?
1) The URL is ugly, because it will look something like:
http://www.yoursite.com/cgi-bin/logincheck.cgi?/protecteddirectory/page1.html
2) If you have a busy site, then your script will be running every time someone goes to a protected page.
0
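The cookie-checking gatekeeper that alamo and joemacd describe above, sketched as an added example (not code from any poster in this thread). It is written in Python rather than a particular CGI language; SECRET, the cookie layout and the function names are assumptions. Besides checking the cookie, it confines the path taken from the query string to the protected directory, which should sit outside the web root so the files cannot be requested directly.

```python
import hashlib
import hmac
import mimetypes
import os
import time

SECRET = b"constructed-demo-key"  # assumption: random per-site key stored outside the web root
SESSION_TTL = 1800                # assumption: seconds a login cookie stays valid

def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def make_cookie(user, now=None):
    """Issue 'user|expiry|mac' once the login form has verified the password."""
    expiry = int(time.time() if now is None else now) + SESSION_TTL
    payload = f"{user}|{expiry}"
    return f"{payload}|{_mac(payload)}"

def check_cookie(cookie, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        user, expiry, mac = cookie.split("|")
        expiry_ts = int(expiry)
    except (AttributeError, ValueError):
        return None  # missing or malformed cookie
    # Constant-time comparison so the MAC cannot be guessed byte by byte
    if not hmac.compare_digest(mac.encode(), _mac(f"{user}|{expiry}").encode()):
        return None
    if expiry_ts < (time.time() if now is None else now):
        return None
    return user

def gatekeeper(protected_root, requested, cookie, now=None):
    """Handle one request; returns (status, content_type, body)."""
    if check_cookie(cookie, now) is None:
        return 302, "text/html", b"redirect to login page"
    root = os.path.realpath(protected_root)
    target = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    # Confine to root: a '../' sequence in the query string must not escape it
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        return 404, "text/plain", b"not found"
    ctype = mimetypes.guess_type(target)[0] or "application/octet-stream"
    with open(target, "rb") as fh:
        return 200, ctype, fh.read()
```

Because the cookie carries a keyed MAC and an expiry, a client cannot forge a "logged in" value or reuse one indefinitely, which a plain flag cookie would allow.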
 
weikaiAuthor Commented:
Hi joemacd, your answer is quite similar to alamo's. Sorry I can't accept it because I think alamo deserves more, hope you don't mind. But thanks.

I may have an alternative solution, that is, if I am able to make use of ODBC, I can create a table to store my users' IDs and passwords. Thereafter, I can use ASP as described by sybe and alamo to verify the user with the ID and password from the database.

Is that workable?
0
 
joemacdCommented:
weikai,

Don't worry about it. I didn't realize how similar my answer was to alamo's until now. I was reading his answer from a different perspective, I guess.

I don't know much about ASP, so I can't comment on your alternative solution. I can verify that the method proposed by alamo and myself does indeed work, because I'm using it right now.
0
Question has a verified solution.
