Solved

Capturing username in IIS 7 log file

Posted on 2011-02-24
14
923 Views
Last Modified: 2012-08-13
We are currently using 'basic authentication' in IIS 7.5 and are able to capture the UserName into the log file.  We want to get away from the pop-up it uses and move to a web form.
I've already created this web form login page that uses the same LDAP to connect to the AD and switched to Anonymous authentication.

Is there a way to use form based login and still capture the username like we were doing before?

We are using ColdFusion BTW not that I think it will matter.

TIA
Question by:WebStalkers
14 Comments
 
LVL 7

Expert Comment

by:jrwarren
ID: 34972299
You can make it more simple, if interested.
   You can turn off Anonymous Authentication.
   Check #CGI.Auth_User# (If they logged onto the machine via the domain it will be populated).
   Use that to authenticate them and record the #CGI.Auth_User# per page, as it is called.
0
 
LVL 2

Author Comment

by:WebStalkers
ID: 34972361
So there will be no authentication setting in IIS?
Does #CGI.Auth_User# write directly into the IIS log?
And I don't understand how you get #CGI.Auth_User# since you will be using a #form.varName# variable.
0
 
LVL 2

Author Comment

by:WebStalkers
ID: 34972692
My bad, of course #cgi.auth_user# writes to the IIS log.  But that comes from the login pop-up using 'basic authentication'.  Or is there another way you're thinking of?
0
 
LVL 7

Expert Comment

by:jrwarren
ID: 34972780
I think I see what you are asking...
   If you are using a form for authentication you would go the route of using cfldap, correct?  Using this method you bypass IIS security and venture into ColdFusion managing the authentication and security.  You would then need ColdFusion to write its own logs with the information desired in it or send the information to a new database that can be directly imported into your metrics program.

I snipped this bit of code from the Adobe forums - this is similar to what you are using?

<!--- Message shown after the login attempt --->
<cfparam name="LoginMessage" type="string" default="">

<!--- Strip LDAP filter metacharacters from the submitted name so a crafted
      value cannot change the meaning of the search filter below --->
<cfset safeName = reReplace(form.varName, "[\(\)\*\\]", "", "all")>

<!--- Look the account up with a service account (credentials are hard-coded
      here only because the original snippet did so; keep them out of source) --->
<cfldap
    action="QUERY"
    name="GetUserInfo"
    attributes="dn"
    start="ou=users,o=myCompanyName"
    scope="subtree"
    filter="(cn=#safeName#)"
    server="ldapServerName"
    port="389"
    username="cn=adminName,ou=users,o=myCompanyName"
    password="adminPassword">

<cfif not len(trim(form.varPassword))>
    <!--- Refuse an empty password: many directories treat an empty-password
          bind as an anonymous bind, which would report a "pass" below --->
    <cfset LoginMessage = "User Authentication Failed">
<cfelseif GetUserInfo.recordcount gt 0>
    <cftry>
        <!--- The real check is the bind as the user's own DN; cfldap throws
              if the bind fails. The filter only needs to match that DN. --->
        <cfldap
            action="QUERY"
            name="AuthenticateUser"
            attributes="dn"
            start="ou=users,o=myCompanyName"
            maxrows="1"
            scope="subtree"
            filter="(distinguishedName=#GetUserInfo.dn#)"
            server="ldapServerName"
            port="389"
            username="#GetUserInfo.dn#"
            password="#form.varPassword#">
        <cfset LoginMessage = "User Authentication Passed">
        <cfcatch type="any">
            <cfset LoginMessage = "User Authentication Failed">
        </cfcatch>
    </cftry>
<cfelse>
    <cfset LoginMessage = "Username not found">
</cfif>

<html>
  <head>
     <title>Active Directory Login</title>
  </head>
  <body>
      Login Status:
          <br>
          <br>
              <cfoutput>#LoginMessage#</cfoutput>
          <br>
          <br>
  </body>
</html>


If you want to let IIS maintain the security structure you are going to have to dig into the cgi.auth_user variable and authenticate them through basic authentication with anonymous access off.

0
 
LVL 4

Accepted Solution

by:
Hammo777 earned 250 total points
ID: 34972829
Another option is to use integrated authentication.  It is supported in IE by default for intranet sites and other browsers can be configured (or they get a pop-up).  This uses the credentials from the user's Windows login and will show in the IIS log.  When they hit a page IIS authenticates them silently based on their Windows credentials.  Then you could still do the web form and LDAP stuff if you wanted (wouldn't really need to) and control what they get via ColdFusion.
0
 
LVL 2

Author Comment

by:WebStalkers
ID: 34972914
Yes, I'm using LDAP that is similar to what you pasted above. So using that and anon auth we are getting everything we need in the IIS logs except the username is replaced by a hyphen.  That's just how it is according to Microsoft.
I did think about doing my own logging through CF but I'm not sure what type of overhead that would put on the system. Maybe I'll try as an experiment.
0
 
LVL 7

Assisted Solution

by:jrwarren
jrwarren earned 250 total points
ID: 34972922
That still requires the use of cgi.auth_user to snap the username into ColdFusion.  But it does make the authentication transparent.  Some companies like seeing the Username and Password prompt though.
0
 
LVL 7

Expert Comment

by:jrwarren
ID: 34972950
Yes, I'm using LDAP that is similar to what you pasted above. So using that and anon auth we are getting everything we need in the IIS logs except the username is replaced by a hyphen. That's just how it is according to Microsoft.

  Yes, the username when passing through a form is held only by ColdFusion and does not push to the logs, because IIS sees it as an Anonymous session.  Removing anonymous requires a user/pass and will then change the - to a username, but you must authenticate them either through basic or integrated (as hammo777 brought up).  With either basic or Integrated you would still need to pass the username up to ColdFusion.
0
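Since the author is weighing writing his own request log from ColdFusion, and jrwarren notes that under Anonymous authentication only ColdFusion knows the form-authenticated user, here is an added example of an Application.cfc that does that (constructed for this thread, not code from any poster). It assumes the login page stores the cfldap-verified account name in session.username and that cgi.auth_user is populated only when IIS Basic or Integrated authentication is on.

```cfml
<!--- Application.cfc (constructed example): write a per-request audit line that
      carries the user name IIS cannot log while Anonymous authentication is on --->
component {
    this.name = "IntranetAudit";
    this.sessionManagement = true;

    public boolean function onRequestStart(required string targetPage) {
        // Who IIS thinks the caller is: empty under Anonymous, "DOMAIN\user" under
        // Integrated, "user" under Basic (the value IIS logs as cs-username)
        var iisUser = listLast(trim(cgi.auth_user), "\");
        // Who the ColdFusion login form verified via cfldap (assumption: the login
        // page sets session.username; it is absent until login succeeds)
        var formUser = "";
        if (structKeyExists(session, "username")) {
            formUser = trim(session.username);
        }

        // Prefer the form identity, since that is the check the application enforces;
        // fall back to the IIS identity, then to "-" exactly as the IIS log does
        var user = "-";
        if (len(formUser)) {
            user = formUser;
        } else if (len(iisUser)) {
            user = iisUser;
        }

        // Same leading fields as the W3C IIS log so the two can be joined on
        // time, client IP and URI when the IIS cs-username column is "-"
        var line = dateFormat(now(), "yyyy-mm-dd") & " " & timeFormat(now(), "HH:mm:ss")
            & " " & cgi.remote_addr & " " & cgi.request_method & " "
            & cgi.script_name & " " & user;
        writeLog(line, "information", false, "access_audit");

        // Caveat raised in the thread: with Integrated auth on, the Windows account
        // and the account typed into the form can differ; record it for auditors
        if (len(iisUser) && len(formUser) && compareNoCase(iisUser, formUser) != 0) {
            writeLog("identity mismatch: windows=" & iisUser & " form=" & formUser,
                     "warning", false, "access_audit");
        }
        return true;
    }
}
```

The log lands in ColdFusion's logs directory as access_audit.log; the one extra file write per request is the overhead the author was asking about.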
 
LVL 4

Expert Comment

by:Hammo777
ID: 34972952
What you say about some companies wanting to see the login prompt is true.  That's why I suggested he still use his web form/ldap solution to give management a warm fuzzy that people are being authenticated.
0
 
LVL 7

Expert Comment

by:jrwarren
ID: 34972999
to give management a warm fuzzy that people are being authenticated.
  Hahaa...
  I feel ethically it is wrong to put in code that does nothing and only 'looks' like it does something; plus, if webstalkers is constrained by audits, HIPAA, SOX, etc., then they would breach that quickly and find he has intentionally coded something improperly.

  What would happen if a security auditor with admin privileges hit the page and keyed in a user/pass that had no access to the app, but still was authenticated because the integrated login passed behind the scenes?

   The security auditor would be screaming for someone's head... and perhaps job.
0
 
LVL 2

Author Comment

by:WebStalkers
ID: 34973805
Yeah, I can't be doing that because this is for a government intranet site and we have auditors checking it out now and then.

Thanks for the info guys, this gives me some things to think about.  I'll try some of these out next week.
0
 
LVL 2

Author Closing Comment

by:WebStalkers
ID: 34973822
Gives me some things to look at.
0
 
LVL 7

Expert Comment

by:jrwarren
ID: 34973885
Grats and good luck.
0
 
LVL 4

Expert Comment

by:Hammo777
ID: 34973916
In response to the security auditor question:
Nothing would happen because the integrated authentication would only get him to the login page.  As far as IIS is concerned he would have access to the other pages but my CF app wouldn't let him past the login prompt.
0