Solved

Capturing username in IIS 7 log file

Posted on 2011-02-24
932 Views
Last Modified: 2012-08-13
We are currently using 'basic authentication' in IIS 7.5 and are able to capture the UserName into the log file.  We want to get away from the pop-up it uses and move to a web form.
I've already created this web form login page that uses the same LDAP to connect to the AD and switched to Anonymous authentication.

Is there a way to use form based login and still capture the username like we were doing before?

We are using ColdFusion BTW not that I think it will matter.

TIA
Question by:WebStalkers
14 Comments
 
LVL 7

Expert Comment

by:jrwarren
ID: 34972299
You can make it more simple, if interested.
   You can turn off Anonymous Authentication.
   Check #CGI.Auth_User# (If they logged onto the machine via the domain it will be populated).
   Use that to authenticate them and record the #CGI.Auth_User# per page, as it is called.
LVL 2

Author Comment

by:WebStalkers
ID: 34972361
So there will be no authentication setting in IIS?
Does  #CGI.Auth_User# write directly into the IIS log?
And I don't understand how you get #CGI.Auth_User# since you will be using a #form.varName# variable.
LVL 2

Author Comment

by:WebStalkers
ID: 34972692
My bad, of course #cgi.auth_user# writes to the IIS log.  But that comes from the login pop-up using 'basic authentication'.  Or is there another way you're thinking of?
LVL 7

Expert Comment

by:jrwarren
ID: 34972780
I think I see what you are asking...
   If you are using a form for authentication you would go the route of using cfldap, correct?  Using this method you bypass IIS security and venture into ColdFusion managing the authentication and security.  You would then need ColdFusion to write its own logs with the information desired in them, or send the information to a new database that can be directly imported into your metrics program.

I snipped this bit of code from the Adobe Forums - this is similar to what you are using?

<cfparam
    type="string"
    name="LoginMessage"
    default="">

<!--- form.varName is interpolated into an LDAP search filter, so escape the
      filter metacharacters (RFC 4515) first; otherwise a submitted name such
      as "*" or "x)(|(cn=*" rewrites the query (LDAP injection). --->
<cfset safeUser = replace(form.varName, "\", "\5c", "all")>
<cfset safeUser = replace(safeUser, "*", "\2a", "all")>
<cfset safeUser = replace(safeUser, "(", "\28", "all")>
<cfset safeUser = replace(safeUser, ")", "\29", "all")>
<cfset safeUser = replace(safeUser, chr(0), "\00", "all")>

<!--- Look the account up with a service account and fetch its DN.
      Against Active Directory the login name is sAMAccountName; cn is the
      display name, so adjust the attribute to what your users type. --->
<cfldap
    action="QUERY"
    name="GetUserInfo"
    attributes="dn"
    start="ou=users,o=myCompanyName"
    scope="subtree"
    maxrows="1"
    filter="(&(objectclass=user)(cn=#safeUser#))"
    server="ldapServerName"
    port="389"
    username="cn=adminName,ou=users,o=myCompanyName"
    password="adminPassword">

<cfif GetUserInfo.recordcount gt 0>
    <cftry>
        <!--- A DN with an empty password is an anonymous bind on most
              directories (AD included) and succeeds, so refuse it here
              rather than letting it pass as an authenticated user. --->
        <cfif not len(form.varPassword)>
            <cfthrow message="Empty password">
        </cfif>
        <!--- Bind as the user with the submitted password: the bind is the
              authentication, the base-scope query only gives it something
              to do. The original filter compared the DN against
              sAMAccountName, which could never match. --->
        <cfldap
            action="QUERY"
            name="AuthenticateUser"
            attributes="dn"
            start="#GetUserInfo.dn#"
            scope="base"
            maxrows="1"
            filter="(objectclass=*)"
            server="ldapServerName"
            port="389"
            username="#GetUserInfo.dn#"
            password="#form.varPassword#">
        <cfset LoginMessage = "User Authentication Passed">
        <cfcatch type="any">
            <cfset LoginMessage = "User Authentication Failed">
        </cfcatch>
    </cftry>
<cfelse>
    <cfset LoginMessage = "Username not found">
</cfif>

<html>
  <head>
     <title>Active Directory Login</title>
  </head>
  <body>
      Login Status:
          <br>
          <br>
              <cfoutput>#LoginMessage#</cfoutput>
          <br>
          <br>
  </body>
</html>

If you want to let IIS maintain the security structure you are going to have to dig into the cgi.auth_user variable and authenticate them through basic authentication with anonymous access off.

LVL 4

Accepted Solution

by:Hammo777 (earned 250 total points)
ID: 34972829
Another option is to use integrated authentication.  It is supported in IE by default for intranet sites and other browsers can be configured (or they get a pop-up).  This uses the credentials from the user's Windows login and will show in the IIS log.  When they hit a page IIS authenticates them silently based on their Windows credentials.  Then you could still do the web form and LDAP stuff if you wanted (wouldn't really need to) and control what they get via ColdFusion.
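Both of the approaches above leave a gap that a practitioner will want to measure: with the form login and Anonymous authentication, IIS writes "-" in cs-username, and the only record of who did what is whatever the ColdFusion side logs itself; with Basic or integrated authentication the IIS column is filled in, and the question becomes how many requests still lack a user. The following is an added example, not code from the thread or from any of the posters. It parses a constructed IIS 7.5 W3C log (the "#Fields:" directive drives the column names), joins it to a constructed application-side login log on client IP and time, and counts what remains unattributed. The application log format, the field names and the 20-minute session window are assumptions.

```python
"""
Attribute usernames to IIS W3C log lines that show "-" for cs-username.

When IIS runs with Anonymous authentication and the app does its own form
login, IIS never sees a user. The app can still write its own login log and
the two can be joined afterwards on client IP and time. This is an added
example; the log formats below are constructed, not taken from the thread.
"""
from datetime import datetime, timedelta

# Constructed IIS 7.5 W3C log. IIS writes W3C timestamps in UTC by default.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-02-24 14:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query sc-status
2011-02-24 14:00:01 10.1.2.3 - 80 POST /login.cfm - 302
2011-02-24 14:00:02 10.1.2.3 - 80 GET /reports/index.cfm id=7 200
2011-02-24 14:00:09 10.1.2.3 - 80 GET /reports/export.cfm - 200
2011-02-24 14:03:00 10.1.2.9 - 80 GET /reports/index.cfm - 200
2011-02-24 14:40:00 10.1.2.3 - 80 GET /reports/index.cfm - 200
"""

# Constructed application login log (hypothetical format the ColdFusion app
# would write after a successful bind): UTC timestamp, client IP, username.
APP_LOG = """\
2011-02-24T14:00:01 10.1.2.3 jdoe
2011-02-24T14:02:30 10.1.2.9 asmith
"""

SESSION_TTL = timedelta(minutes=20)  # assumed idle timeout of the app session


def parse_w3c(text):
    """Parse a W3C extended log into one dict per request, keyed by the names
    in the #Fields: directive. The directive can repeat mid-file with a
    different field order (IIS emits it again after a logging change), so it
    is re-read whenever seen. W3C values never contain spaces (they are
    URL-encoded or '+'), so splitting on whitespace is safe."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def parse_app_log(text):
    """Return [(datetime, client_ip, username), ...] sorted by time."""
    logins = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user = line.split()
            logins.append((datetime.fromisoformat(ts), ip, user))
    return sorted(logins)


def attribute_users(rows, logins, ttl=SESSION_TTL):
    """Copy each IIS row and add 'attributed-user': the real cs-username when
    IIS recorded one, otherwise the most recent app login from the same
    client IP within ttl before the request, or '-' if none. Both logs must
    be on the same clock and time zone for the join to mean anything."""
    by_ip = {}
    for ts, ip, user in logins:
        by_ip.setdefault(ip, []).append((ts, user))
    out = []
    for row in rows:
        when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        user = row["cs-username"]
        if user == "-":
            for ts, candidate in by_ip.get(row["c-ip"], []):
                if ts <= when <= ts + ttl:
                    user = candidate  # logins are sorted, so the latest wins
        new_row = dict(row)
        new_row["attributed-user"] = user
        out.append(new_row)
    return out


def unattributed(rows):
    """Requests still lacking a user after the join; this remainder is what a
    reviewer has to explain (expired session, shared NAT address, scanner)."""
    return [r for r in rows if r["attributed-user"] == "-"]


if __name__ == "__main__":
    joined = attribute_users(parse_w3c(IIS_LOG), parse_app_log(APP_LOG))
    for r in joined:
        print(r["date"], r["time"], r["c-ip"], r["attributed-user"],
              r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    print("%d of %d requests unattributed" % (len(unattributed(joined)), len(joined)))
```

Joining on client IP is the weakest link: anything behind a NAT or proxy shares an address, and a user whose session outlived the assumed window drops out, as the last request in the sample does. IIS 7 W3C logging can also record the request Cookie header (the cs(Cookie) field); if the application sets a session cookie, logging it and joining on that value instead of c-ip gives a far more reliable key. Either way this is an after-the-fact reconstruction kept outside the IIS log; the only way to get the IIS cs-username column itself populated is for IIS to perform the authentication, which is the point the other replies make.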
LVL 2

Author Comment

by:WebStalkers
ID: 34972914
Yes, I'm using LDAP that is similar to what you pasted above. So using that and anon auth we are getting everything we need in the IIS logs except the username is replaced by a hyphen.  That's just how it is according to Microsoft.
I did think about doing my own logging through CF but I'm not sure what type of overhead that would put on the system. Maybe I'll try it as an experiment.
LVL 7

Assisted Solution

by:jrwarren (earned 250 total points)
ID: 34972922
That still requires the use of cgi.auth_user to snap the username into ColdFusion.  But it does make the authentication transparent.  Some companies like seeing the Username and Password prompt though.
LVL 7

Expert Comment

by:jrwarren
ID: 34972950
Yes, I'm using LDAP that is similar to what you pasted above. So using that and anon auth we are getting everything we need in the IIS logs except the username is replaced by a hyphen. That's just how it is according to Microsoft.

  Yes, the username when passing through a form is held only by ColdFusion and does not push to the logs, because IIS sees it as an Anonymous session.  Removing anonymous requires a user/pass and will then change the - to a username, but you must authenticate them either through basic or integrated (as hammo777 brought up).  With either basic or integrated you would still need to pass the username up to ColdFusion.
LVL 4

Expert Comment

by:Hammo777
ID: 34972952
What you say about some companies wanting to see the login prompt is true.  That's why I suggested he still use his web form/ldap solution to give management a warm fuzzy that people are being authenticated.
LVL 7

Expert Comment

by:jrwarren
ID: 34972999
to give management a warm fuzzy that people are being authenticated.
  Hahaa...
  I feel ethically it is wrong to put in code that does nothing and only 'looks' like it does something, plus if webstalkers is constrained by audits, HIPAA, SOX, etc., then they would breach that quickly and find he has intentionally coded something improperly.

  What would happen if a security auditor with admin privileges hit the page and keyed in a user/pass that had no access to the app, but still was authenticated because the integrated login passed behind the scenes?

   The security auditor would be screaming for someone's head... and perhaps job.
LVL 2

Author Comment

by:WebStalkers
ID: 34973805
Yeah, I can't be doing that because this is for a government intranet site and we have auditors checking it out now and then.

Thanks for the info guys, this gives me some things to think about.  I'll try some of these out next week.
LVL 2

Author Closing Comment

by:WebStalkers
ID: 34973822
Gives me some things to look at.
LVL 7

Expert Comment

by:jrwarren
ID: 34973885
Grats and good luck.
LVL 4

Expert Comment

by:Hammo777
ID: 34973916
In response to the security auditor question:
Nothing would happen because the integrated authentication would only get him to the login page.  As far as IIS is concerned he would have access to the other pages but my CF app wouldn't let him past the login prompt.