h9925631
asked on
Help on IIS Authentication using ASP
I am currently developing software that uses Microsoft 2000 Exchange Server. I would like to ask how to use an HTTP form to do the basic authentication using ASP and VBScript instead of the pop-up dialog prompt of NT Authentication.
It is not a good suggestion to set the security of the NT authentication to anonymous login and handle the security ourselves due to the software requirements. Also, NT Challenge Response is not possible either.
Is it possible to do it with ADSI and LDAP? If so, how? It would be greatly appreciated if you could offer some examples.
You can use the integrated Windows authentication setting in IIS ... the users logged on to the domain won't have to give a password or username to get through.
Want details if interested?
ASKER
Thanks for your comment. Would you mind telling me more about it? Is there any restriction on this, for example, a browser limitation? Moreover, could it support multiple domains?
>Moreover, could it support multiple domains?
yes, if a trust relationship is enabled between them
>browser limitation?
only Internet explorer will work
in IIS site properties, directory security.. in anonymous access click edit.. disable anonymous login and tick integrated authentication at the bottom...
ussu36, don't lock the question by posting as an answer.. post as comments instead..
ASKER
But does the integrated Windows authentication work over the internet?
no.. only on an intranet.. over the internet you can only use database-driven authentication or NT challenge response:
How do I get the login name / username from the person visiting my page?
If you have disabled Anonymous access, then you should be able to retrieve the value from:
<%
Response.Write Request.ServerVariables("logon_user")
%>
Note that IE is required to support Challenge/Response (IIS 4.0) or Integrated Windows Security (IIS 5.0).
If you can't disable Anonymous access, and/or need to support Netscape, then there is a possible alternative, provided you're not using DHCP. If your users have static IP addresses, you could store their usernames in a table and do a lookup against their IP:
<%
Response.Write Request.ServerVariables("remote_addr")
%>
If you can't enforce either of those things, then you may have to resort to forcing your users to log in (even only once, then storing a cookie). I suppose this depends on balancing the importance of knowing who is on the site versus every user having to log in.
or:
How do I control access to an area?
Creating a login for a section of your web site is fairly easy. First, create a login form (loginForm.asp):
<form action=loginHandler.asp method=post>
Username: <input type=text name='username'><BR>
Password: <input type=password name='password'><BR>
<input type=submit Value='Log In'><BR>
</form>
Next, create a login handler (loginHandler.asp):
<%
'---------------------------------------------------------
'-- check to see that the form was completely filled out--
'---------------------------------------------------------
if request.form("username")="" or request.form("password")="" then
response.redirect("loginForm.asp")
end if
'---------------------------------------------------------
'-- open your database connection and check for a record--
'---------------------------------------------------------
set conn = server.createObject("ADODB.Connection")
conn.open "<insert connection string here>"
'-- double any single quote so form input cannot close the SQL string literal
u = replace(lcase(request.form("username")), "'", "''")
p = replace(lcase(request.form("password")), "'", "''")
sql = "select lin = count(username) from logintable where lower("
sql = sql & "username)='" & u & "' and lower(password)='" & p & "'"
set rs = conn.execute(sql)
'-----------------------------------
'-- Decide whether to let them in --
'-----------------------------------
if rs("lin")<>1 then
'access Denied
response.redirect ("loginForm.asp")
end if
'-- remember the successful login for the rest of the session
session("login")=true
response.redirect ("hiThere.asp")
%>
Finally, at the top of each page, you test the session variable that you assigned in the script above:
<%
if not session("login") then
response.redirect("loginForm.asp")
end if
%>
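The login handler in the comment above builds its SQL statement by joining form input into the query text. As an added example (not code from the original post), here is the same check with an ADODB.Command and bound parameters, so the statement text never contains user input. The table and column names are the ones used in the post; the 50-character column size is an assumption.

```vbscript
<%
' Added example: loginHandler.asp using a parameterized query.
' logintable / username / password come from the post above;
' MAX_LEN (column width) is an assumed value.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1
Const MAX_LEN = 50

Dim u, p, conn, cmd, rs, matches
u = Trim(Request.Form("username"))
p = Request.Form("password")

' Reject empty or over-long input before touching the database.
If u = "" Or p = "" Or Len(u) > MAX_LEN Or Len(p) > MAX_LEN Then
    Response.Redirect "loginForm.asp"
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "<insert connection string here>"

' The SQL text is fixed. Form values travel only as parameter values,
' so a quote character in the input stays data.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select count(username) as lin from logintable " & _
    "where lower(username) = lower(?) and lower(password) = lower(?)"
cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, MAX_LEN, u)
cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, MAX_LEN, p)

Set rs = cmd.Execute
matches = rs("lin")
rs.Close
conn.Close

If matches <> 1 Then
    Response.Redirect "loginForm.asp"   ' access denied
End If

' Same session flag the protected pages test.
Session("login") = True
Response.Redirect "hiThere.asp"
%>
```

It keeps the post's case-insensitive comparison and plaintext password column so the behaviour matches; only the way the query is built changes.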
Try having a look at my post here, I think this will solve your problem:
https://www.experts-exchange.com/questions/20121949/Authentication-through-ASP.html
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
[points to Silvers5]
Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
hongjun
EE Cleanup Volunteer