Internet Security

We have a security product that authenticates our users and allows access to our website within the rights presented by our web application.  This product has protected virtual folders on our web servers and unless the individual has the right to access our web application it prevents them from accessing our site.

I will try this one more time before I give up on this.  I have asked it two times and each time it somehow got put into the community forum and the administrator killed it.  Don't think I like the new format too well.  At any rate, here is my question again.

Our application security then only provides the user with access that the application indicates they can have.  So the first tool is a security gateway.

This product is no longer supported and we would like to develop an internal product that essentially will do the same thing.  Validate the user has rights to our website and then pass the user to our application.

I am finding it difficult to identify a product that will do this or the ability to utilize a Microsoft product to do this.

Does anyone know a tool to do this or is available for hire to help with this project?

Sean Jackson, Information Security Analyst, commented:
My response to the initial question was this -- you're looking at access control, which can be tied to a database of users, and a programmer can make an authorization script that will validate a user, then check against the database to check what pages that user has access to.  An administrator can get to the admin page, users cannot.  Users can get to their profile page, administrators cannot (should not).

Gareth Tomlinson, CISSP, Network and Security Manager, commented:
Sounds like you were using the Forefront TMG
I understand that F5 are pushing their Big-IP appliance as a replacement for this, if that is the case.
The problem with developing your own will be integration with Active Directory and understanding the policies; again I'm making an assumption that is what you are using.
Essentially you want to issue a Kerberos ticket for the session.
I'm currently working with F5 to test it as a replacement for my 50+ TMGs.... it's a lot more complex a device.
Good luck.
sfletcher1959, VP (Author), commented:
Thanks for the response.  We were not using Forefront TMG, we were using another product.  Basically we would use this product to provide a user with a user ID and PW.  This ID would indicate what rights and roles the individual user had.  The product was not a MS product.  It did however use SQL as the database for user profiles.

We have several secure web applications.  If a user attempted to access our secure website, it would prompt them to log in.  Similar to logging in to any banking app or store app.

As an example if I log into my bank, it prompts me for a user ID and PW.  If correctly authenticated, it allows me to see my bank balance.

If I then capture the URL that is in my browser and pointing to my statement page and open a completely new browser, paste the URL it again prompts me to enter my ID and PW.  It knows that in that new browser session, I haven't authenticated.

Our app works the same way.  If you attempt to access our site, it will prompt you for an ID and PW.  Once authenticated you can browse any area within that site.

So the tool that we currently are running only runs in a 32 bit environment, so we have been limited to using Windows 2003 Servers.  Obviously this can't continue.  So I need another tool that will do the same thing for a 64 bit environment.

Again, this is not using MS or AD to manage these credentials.
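
The behavior described in this thread (a login prompt whenever the browser holds no session, then per-role access to protected folders checked against a user table), as an added example that is not part of any post and not the code of any product mentioned here. The user names, passwords, folder names and session lifetime are constructed for illustration, and an in-memory dictionary stands in for the SQL profile table.

```python
import hashlib, hmac, posixpath, secrets, time

SECRET = secrets.token_bytes(32)   # cookie-signing key, generated per process here
SESSION_TTL = 900                  # assumed session lifetime in seconds

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _make_user(password, roles):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _pw_hash(password, salt), "roles": set(roles)}

# Constructed sample rows standing in for the SQL user-profile table.
USERS = {"alice": _make_user("correct horse", ["user"]),
         "root": _make_user("battery staple", ["admin"])}

# Protected virtual folders and the roles allowed into each (constructed).
ACL = {"/admin": {"admin"}, "/profile": {"user"}}

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def login(user, password, now=None):
    """Return a signed session cookie, or None if the credentials are wrong."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["hash"]):
        return None
    payload = f"{user}|{int(now or time.time()) + SESSION_TTL}"
    return f"{payload}|{_sign(payload)}"

def session_user(cookie, now=None):
    """Return the user name for a valid, unexpired cookie, else None."""
    try:
        user, expiry, sig = (cookie or "").split("|")
        good = hmac.compare_digest(sig.encode(), _sign(f"{user}|{expiry}").encode())
        live = int(expiry) > (now or time.time())
    except ValueError:                      # wrong field count or non-numeric expiry
        return None
    return user if good and live and user in USERS else None

def gateway(path, cookie=None, now=None):
    """Gateway decision for one request: 200 pass, 302 to login, 403 deny."""
    path = posixpath.normpath("/" + path.lstrip("/"))   # collapse ../ before matching
    needed = next((r for p, r in ACL.items()
                   if path == p or path.startswith(p + "/")), None)
    if needed is None:
        return 403                          # unlisted folder: deny by default
    user = session_user(cookie, now)
    if user is None:
        return 302                          # no session in this browser: prompt
    return 200 if USERS[user]["roles"] & needed else 403
```

The URL carries no authority on its own: the same path returns 302 without the cookie, which is the "paste the URL into a new browser" case above.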
Gareth Tomlinson, CISSP, Network and Security Manager, commented:
OK, I can see now what you are doing.
I'm afraid I'm not a developer, which I am guessing is what you are looking for; it might be worth trying the infosec forums to see if anyone can help you there.
sfletcher1959, VP (Author), commented:
In looking at different webpages, I think what we are really looking for is called a Web Portal.  So looking for a recommendation for a security Web Portal or Web Gateway.