Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


What authentication method to use?

Posted on 2000-04-19
Medium Priority
Last Modified: 2012-05-05
I am a newbie web developer.  I am embarking on my 1st major web site development.  This site needs user authentication to access SQL Server data (raw data to html and also Crystal Reports web interface info).  I will be using Frontpage/Visual Interdev, IIS, Windows NT, ASP, etc.  I am trying to determine which authentication method I should use, why, and what are the advantages/disadvantage to whatever method you would recommend.  This site will be used to update vendor information and to provide data to our customers.  This will be hosted at an ISP and we will update SQL nightly.  I have heard of NT authentication and authentication based on usernames/passwords stored in a database.  Security is important but this isn't ultra-critical info.  I am really clueless when it comes to the whole realm of authentication.  Some suggestions as to the best method, pointers, authentication samples, links, whatever...would be helpful.  I appreciate whatever help anyone could offer.
Question by:vfafel
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 2732201

It all depends on how sensitive the data is that your Web site visitors are receiving and sending to your SQL server.  Purchasing a certificate provider like Verisign is the type of action that most sites employ.  The user will require a 128-bit browser and a userid/password.  This will work if you are setting up a secure server (https).

You could also create your own certificates, an option that the Microsoft IIS server has.  We have a developer on site here that used that method as opposed to purchasing certificate authority products like Verisign or Thawte.

But is the purpose is just to have a record of who accesses your server, but the data is not sensitive or confidential, then the userid/password would be fine.

Hope this helps, good luck!


Expert Comment

ID: 2732305
I apologize but my abilities are not to the point where i even understand your response.  Could you back up a little and help me with the basics.  I am looking to allow web site functionality based on a successful authentication (update customer information, pull data from the sql server, etc.)  Can you help me with the basics?

Expert Comment

ID: 2734446
Greetings vfafel,

This is question begs another "Just what, exactly, are you trying to achieve and what are the risks if your security model fails and the wrong person gets access to your data?"

Just a little basic background for you to consider.

NT security requires every user to have a username/password on the system. When an internet visitor accesses your website through IIS your web server acts for that visitor using a username/password created by IIS for that purpose. In fact (in this case) every internet visitor gets the same username/password identity.

That IIS identity has certain permissions granted to it so that the web server can do its job. These permissions are usually restricted to files and folders within the web site.

If you don't want to "muck around" with creating users and modifying NT file & folder permissions then IMHO your best bet is to use an authentication system based upon a log-on .asp connected to some database of users. (There are plenty of examples of this type of system available around the asp resource sites on the 'net)

Remember that access to your database by visitors from the internet is also granted through a similar username/password identity scheme for SQL Server. Normally these identities are created at install-time and it all functions pretty-much invisibly :^

If you need to make use of NT file and folder level security then you will need to consider creating NT users and modifying the permissions in both IIS Manager and your NT file system. As you said that the site will be hosted by an ISP then you may not get access to this level of security as it has been my experience that Hosting ISP's are a littl bit sensitive to letting someone modify their servers at that level.

Hope this helps.
Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control


Accepted Solution

tcurtin earned 300 total points
ID: 2734519
If you are using NT4 with IIS4 and if this is an Intranet: 1)you can set security permissions at the web site folder through NT Permissions. 2)You should also goto Start/Programs/Window NT4 Option Pack/Internet Information Server and select your site. Right-click and goto properties. Select 'Directory Security' and add remove 'Allow Anonymous Access'. That is the IUSR_<Machine>' account. The calling user will get denied and IE or Netscape will generate a logon back to the user and attempt to login again. Users will also need to be set up in SQL Server.

Expert Comment

ID: 2734554
Thank you noonie...very helpful...a few follow-ups...
1.  what does IMHO stand for?

2.  IMHO seems to be the better alternative for me...are there any obvious problems with the following scenario:
    a.  an ASP login screen to initialize authentication

    b.  all pages designed to enter orders and retrieve data can utilize the authentication information to append and update info on my "DSN" referenced database (and access to certain data retrieval pages which query SQL data based on the login username and ID).

    c.  Am i correct in assuming that by using IMHO, the security is handled by the ASP authentication and a "guest" account is used by the IIS to access the SQL server database?

A technical question - does each protected page have to have a reference indicating whether a successful login was acheived...i have seen some references but am not real clear....

Thank you for your help...

Expert Comment

ID: 2736768
1. IMHO (in my humble opinion)

2. a. This method is used widely. If the username/password is sensitive you can add an extra level of security using SSL, if your Hosting ISP provides that service and the cost of a certificate is within your project budget.

   b. You can place information relating to a successful log-in (or not) within the session object or you can use cookies.

   c. You assume correctly.

To do it correctly you should have a test on each page as to the log-in status (b) and redirect to the log-in page if the test fails. I also implement a system of recording all log-in attempts to an audit table.

In practice it all depends upon the level of security you need, the time you have to do it in and the risks involved if your security is breached.


Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article was originally published on Monitis Blog, you can check it here . Today it’s fairly well known that high-performing websites and applications bring in more visitors, higher SEO, and ultimately more sales. By the same token, downtime…
Dramatic changes are revolutionizing how we build and use technology. Every company is automating, digitizing, and modernizing operations. We need a better, more connected way to work together as teams so we can harness the insights from our system…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question