
Capturing username in IIS 7 log file

We are currently using 'basic authentication' in IIS 7.5 and are able to capture the UserName into the log file. We want to get away from the pop-up it uses and move to a web form.
I've already created this web form login page that uses the same LDAP to connect to the AD and switched to Anonymous authentication.

Is there a way to use form based login and still capture the username like we were doing before?

We are using ColdFusion, BTW, not that I think it will matter.

TIA
Asked by WebStalkers

2 Solutions

jrwarren Commented:
You can make it more simple, if interested.
You can turn off Anonymous Authentication.
Check #CGI.Auth_User# (if they logged onto the machine via the domain it will be populated).
Use that to authenticate them and record the #CGI.Auth_User# per page, as it is called.
0
 
WebStalkers (Author) Commented:
So there will be no authentication setting in IIS?
Does #CGI.Auth_User# write directly into the IIS log?
And I don't understand how you get #CGI.Auth_User#, since you will be using a #form.varName# variable.
0
 
WebStalkers (Author) Commented:
My bad, of course #cgi.auth_user# writes to the IIS log. But that comes from the login pop-up using 'basic authentication'. Or is there another way you're thinking of?
0
 
jrwarren Commented:
I think I see what you are asking...
If you are using a form for authentication you would go the route of using cfldap, correct? Using this method you bypass IIS security and venture into ColdFusion managing the authentication and security. You would then need ColdFusion to write its own logs with the information desired in it, or send the information to a new database that can be directly imported into your metrics program.

I snipped this bit of code from the Adobe Forums. Is this similar to what you are using?

<!--- Message shown to the user after the login attempt --->
<cfparam name="LoginMessage" type="string" default="">

<!--- Step 1: look up the account by the name typed into the form, binding with a
      service account; only the entry's DN is needed.
      form.varName is placed straight into the filter, so restrict it to the
      characters a login name may contain before it reaches this page. --->
<cfldap
    action="QUERY"
    name="GetUserInfo"
    attributes="dn"
    start="ou=users,o=myCompanyName"
    scope="subtree"
    filter="cn=#form.varName#"
    server="ldapServerName"
    port="389"
    username="cn=adminName,ou=users,o=myCompanyName"
    password="adminPassword">

<cfif GetUserInfo.recordCount eq 0>
    <cfset LoginMessage = "Username not found">
<cfelseif not len(form.varPassword)>
    <!--- An empty password is an unauthenticated (anonymous) bind on many
          directories and would "succeed"; treat it as a failed login. --->
    <cfset LoginMessage = "User Authentication Failed">
<cfelse>
    <!--- Step 2: bind as the user with the password from the form. The bind
          itself is the authentication: cfldap throws if the directory rejects
          the credentials, and the cfcatch turns that into a failure message.
          The filter matches the entry we just bound as by its DN. --->
    <cftry>
        <cfldap
            action="QUERY"
            name="AuthenticateUser"
            attributes="dn"
            start="ou=users,o=myCompanyName"
            maxrows="1"
            scope="subtree"
            filter="(&(objectclass=user)(distinguishedName=#GetUserInfo.dn#))"
            server="ldapServerName"
            port="389"
            username="#GetUserInfo.dn#"
            password="#form.varPassword#">
        <cfset LoginMessage = "User Authentication Passed">
        <cfcatch type="any">
            <cfset LoginMessage = "User Authentication Failed">
        </cfcatch>
    </cftry>
</cfif>

<html>
  <head>
    <title>Active Directory Login</title>
  </head>
  <body>
    Login Status:
    <br>
    <br>
    <cfoutput>#LoginMessage#</cfoutput>
    <br>
    <br>
  </body>
</html>



If you want to let IIS maintain the security structure you are going to have to dig into the cgi.auth_user variable and authenticate them through basic authentication with anonymous access off.

0
 
Hammo777 Commented:
Another option is to use integrated authentication. It is supported in IE by default for intranet sites, and other browsers can be configured (or they get a pop-up). This uses the credentials from the user's Windows login and will show in the IIS log. When they hit a page, IIS authenticates them silently based on their Windows credentials. Then you could still do the web form and LDAP stuff if you wanted (wouldn't really need to) and control what they get via ColdFusion.
0
 
WebStalkers (Author) Commented:
Yes, I'm using LDAP that is similar to what you pasted above. So using that and anon auth we are getting everything we need in the IIS logs except the username is replaced by a hyphen. That's just how it is according to Microsoft.
I did think about doing my own logging through CF, but I'm not sure what type of overhead that would put on the system. Maybe I'll try it as an experiment.
0
 
jrwarren Commented:
That still requires the use of cgi.auth_user to snap the username into ColdFusion. But it does make the authentication transparent. Some companies like seeing the Username and Password prompt, though.
0
 
jrwarren Commented:
"Yes, I'm using LDAP that is similar to what you pasted above. So using that and anon auth we are getting everything we need in the IIS logs except the username is replaced by a hyphen. That's just how it is according to Microsoft."

Yes, the username when passing through a form is held only by ColdFusion and does not push to the logs, because IIS sees it as an Anonymous session. Removing anonymous requires a user/pass and will then change the - to a username, but you must authenticate them either through basic or integrated (as Hammo777 brought up). With either basic or integrated you would still need to pass the username up to ColdFusion.
0
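Putting the two suggestions in this thread together (ColdFusion writing its own request log, and reading CGI.AUTH_USER when IIS performs basic or integrated authentication with anonymous access off), here is an added example that is not code from the thread: an Application.cfc request hook that records the per-request identity to a ColdFusion log. It assumes the cfldap login page stores the validated account name in session.username after the bind succeeds; the log file name "webauth" and the field order are choices made here, not anything IIS or ColdFusion defines.

```cfml
<!--- Added example, not from the original thread. Assumes the form login
      sets session.username only after the LDAP bind succeeded. --->
<cfcomponent output="false">
    <cfset this.name = "IntranetApp">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var user = "-">

        <!--- Prefer the name IIS authenticated (basic or integrated, anonymous
              off). Under anonymous access CGI.AUTH_USER is empty, which is why
              the IIS log shows "-"; fall back to the identity established by
              the cfldap form login. --->
        <cfif len(trim(cgi.auth_user))>
            <cfset user = cgi.auth_user>
        <cfelseif structKeyExists(session, "username") and len(session.username)>
            <cfset user = session.username>
        </cfif>

        <!--- One line per request with the IIS W3C fields the username would
              otherwise have accompanied: client IP, method, URI, query, user.
              Written to <cf logs dir>/webauth.log; never log form.varPassword. --->
        <cflog file="webauth" type="information"
               text="#cgi.remote_addr# #cgi.request_method# #cgi.script_name# #cgi.query_string# #user#">

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Because the fallback comes from session state rather than from IIS, a request that arrives before the form login completes is logged with "-", exactly as the IIS log does for an anonymous session.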
 
Hammo777 Commented:
What you say about some companies wanting to see the login prompt is true. That's why I suggested he still use his web form/LDAP solution to give management a warm fuzzy that people are being authenticated.
0
 
jrwarren Commented:
"to give management a warm fuzzy that people are being authenticated."
Hahaa...
I feel, ethically, it is wrong to put in code that does nothing and only 'looks' like it does something. Plus, if WebStalkers is constrained by audits, HIPAA, SOX, etc., then they would breach that quickly and find he has intentionally coded something improperly.

What would happen if a security auditor with admin privileges hit the page and keyed in a user/pass that had no access to the app, but still was authenticated because the integrated login passed behind the scenes?

The security auditor would be screaming for someone's head... and perhaps job.
0
 
WebStalkers (Author) Commented:
Yeah, I can't be doing that because this is for a government intranet site and we have auditors checking it out now and then.

Thanks for the info, guys, this gives me some things to think about. I'll try some of these out next week.
0
 
WebStalkers (Author) Commented:
Gives me some things to look at.
0
 
jrwarren Commented:
Grats and good luck.
0
 
Hammo777 Commented:
In response to the security auditor question:
Nothing would happen, because the integrated authentication would only get him to the login page. As far as IIS is concerned he would have access to the other pages, but my CF app wouldn't let him past the login prompt.
0