Re: IIS With Basic Authentication Set/FormsAuthentication - HELP PLS!?

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 09/04/05

  • Next message: David Wang [Msft]: "Re: IIS With Basic Authentication Set/FormsAuthentication - HELP PLS!?"
    Date: Sun, 4 Sep 2005 22:49:32 +1000
    
    

    When IIS "protects" things, it is using mechanisms that are built into the
    HTTP specification. Since all requests to the server involve HTTP in some
    way, this is how you get all your resources (images, documents, ASP.NET
    pages etc) protected.

    On the other hand, currently, only requests for resources mapped to the
    ASP.NET ISAPI filter can take advantage of functionality built into the .NET
    Framework (forms based authentication). So this means that images etc that
    are handled by the static file handler are not protected.

    This will change in IIS7, where there will be a single, unified event
    pipeline, and you can hook into this pipeline using managed code (i.e. the
    forms authentication HTTP module supplied with .NET).

    Cheers
    Ken

    -- 
    IIS Blog: www.adopenstatic.com/cs/blogs/ken/
    Web: www.adopenstatic.com
    "Chad Beckner" <cbeckner@iupui.edu> wrote in message 
    news:e0tUL5NsFHA.3216@TK2MSFTNGP12.phx.gbl...
    :  So, in effect, how does that protect files in a directory (.gif, .htm,
    : etc)?  That, to me, doesn't seem to provide "true"security of an area, 
    like
    : IIS does...  Does anyone know if this has changed in 2.0?
    :
    :  For now, I guess I can keep using the ISAPI filter that I built... Unless
    : anyone else has a better solution.  However, I am disappointed that I 
    can't
    : set up this kind of security in .NET/FormsAuthentication like I can with 
    IIS
    : Basic.  I want to protect ALL files (and not have everything be processed
    : through the isapi_aspnet dll) in a particular area and have them
    : authenticate before accessing it, but without a "windows logon" prompt.
    :
    : Thanks for the help,
    :
    : Chad
    :
    : "Sam Santiago" <ssantiago@n0spam-SoftiTechture.com> wrote in message
    : news:Oi0PhrNsFHA.2008@TK2MSFTNGP10.phx.gbl...
    : When you use Forms authentication you have to set IIS to Anonymous
    : authentication.  Check out this article for a discussion on the 
    combinations
    : between ASP.NET authentication and IIS authentication:
    :
    : 
    nhttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
    :
    : If you think you can customize ASP.NET to use forms with Basis
    : Authentication you'll probably have to write an HTTP Module.  Check out 
    this
    : article for a discussion on Modules and Handlers:
    :
    : 
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/elmah.asp
    :
    : Good luck.
    :
    : -- 
    : _______________________________
    : Sam Santiago
    : ssantiago@n0spam-SoftiTechture.com
    : http://www.SoftiTechture.com
    : _______________________________
    : "Chad Beckner" <cbeckner@iupui.edu> wrote in message
    : news:uQIFS58rFHA.3352@TK2MSFTNGP14.phx.gbl...
    : > Hi everyone,
    : >
    : >  First off, sorry for the cross-post...
    : >
    : >  I am developing a site (ASP.NET) in which the root will be set with
    : > Anonymous AND/OR Basic permissions.  Past that I will have an 
    application
    : > (directory) in which I will be developing applications, which will have
    : > IIS
    : > Basic Authentication set (this can't be avoided).  In the past, I have
    : > been
    : > able to use a ISAPI Filter to add the response headers dynamically, and
    : > add
    : > the authentication to the request, therefore, allowing users into the
    : > secure
    : > directory, and all of this is form based, there is no browser prompt for
    : > their username/password (and it adds it to every request, images, .htm
    : > files, .asp files, etc).  Now I am trying to do this with ASP.NET (VB),
    : > again, trying to avoid the browser prompt, and add the authentication to
    : > every request (again, images, .htm files, aspx files, etc).  However, I
    : > have
    : > been unsuccessful using FormsAuthentication with the directory set to 
    IIS
    : > Basic Authentication (since IIS sees the request first, I get a browser
    : > prompt. I want to replace this with a redirect to a login form).  I have
    : > been able to get the FormsAuthentication to set the cookie, but when it
    : > tries to go into the Basic secured directory, I get a browser prompt. 
    Any
    : > help would be greatly appreciated!! (Do I need to write another ISAPI
    : > Filter, can I use FormsAuthentication to do this??  Suggestions?)
    : >
    : >  I have looked at hundreds of articles (or at least it seems!), and am 
    not
    : > 100% how to write an ISAPI filter in .NET, if that needs to be done. 
    Any
    : > pointers to live artices, code, etc. would be very helpful.
    : >
    : >  Overall, basically, I want to use Basic Authentication protocol and
    : > FormsAuthentication to access an IIS-set Basic Authentication directory,
    : > but
    : > I want to use a form instead of the normal windows logon prompt.  Our
    : > users
    : > share computers, so having them being able to "save their password" is a
    : > major security concern, which is why I need a login form page.
    : >
    : > Thanks!
    : >
    : > Chad
    : >
    : >
    :
    : 
    

  • Next message: David Wang [Msft]: "Re: IIS With Basic Authentication Set/FormsAuthentication - HELP PLS!?"

    Relevant Pages

    • RE: Name mapping : 1 certificate, multiple user accounts
      ... If you have Basic Authentication disabled in IIS, ... Integrated authentication will prompt if the prerequisites for transparent ...
      (microsoft.public.inetserver.iis.security)
    • Re: IIS With Basic Authentication Set/FormsAuthentication - HELP PLS!?
      ... IIS does... ... When you use Forms authentication you have to set IIS to Anonymous ... > Basic Authentication set. ... > again, trying to avoid the browser prompt, and add the authentication to ...
      (microsoft.public.dotnet.security)
    • Re: IIS With Basic Authentication Set/FormsAuthentication - HELP PLS!?
      ... IIS does... ... When you use Forms authentication you have to set IIS to Anonymous ... > Basic Authentication set. ... > again, trying to avoid the browser prompt, and add the authentication to ...
      (microsoft.public.inetserver.iis.security)
    • Re: IIS With Basic Authentication Set/FormsAuthentication - HELP PLS!?
      ... IIS does... ... When you use Forms authentication you have to set IIS to Anonymous ... > Basic Authentication set. ... > again, trying to avoid the browser prompt, and add the authentication to ...
      (microsoft.public.dotnet.framework.aspnet.security)
    • RE: IIS protection
      ... "Is there another way to protect the server or allow individual user ... Sure, to achieve this, enabling user authentication is necessary: ... Use NTFS Security to Protect a Web Page Running on IIS 4.0 or ... enable either Basic authentication or Integrated windows auth: ...
      (microsoft.public.inetserver.iis)