Re: Way to synchronize Basic Auth with IIS session?
From: Steve K. (skonde_at_hotmail.com)
Date: 04/28/03
- Next message: Vahan Babakhanian: "which Cert Auth is "optimal" for a small company?"
- Previous message: Karl Levinson [x y], mvp: "Re: IP Restrictions"
- In reply to: David Wang [Msft]: "Re: Way to synchronize Basic Auth with IIS session?"
- Next in thread: David Wang [Msft]: "Re: Way to synchronize Basic Auth with IIS session?"
- Reply: David Wang [Msft]: "Re: Way to synchronize Basic Auth with IIS session?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Apr 2003 14:33:41 -0400
We want to be able to do this as well, David. Is the answer then in fact to
have a Windows 2003 server on the network running IIS6.0? Where do I obtain
the CustomAuth sample?
And do you have any recommendations for Commercial Software that forces
client side logouts on connections to an IIS5.0 webserver configured with
Basic Authentication?
Thanks in advance,
Steve K.
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:%23J99PNl$CHA.2412@TK2MSFTNGP10.phx.gbl...
> It is impossible to force a logout with Basic authentication. It is a
> client-side credential caching problem that has no server-side solution.
>
> IIS6 and its CustomAuth sample should exactly fit your need. It does
> form-based authentication (i.e. using cookies, which are crushable whenever
> you want) of the username/password and does LogonUser of that credential on
> the server, so the users that have Windows accounts continue to play nicely
> with AD. You can install the CustomAuth at exactly the right vdir that you
> need authenticated access (don't do it at the root or else it'd apply to the
> entire website). You can view it as Basic auth where credentials are
> entered via a web page, has a logout facility, can be isolated to branches
> in URL namespace, and still does LogonUser at the end.
>
> Download RC2 quickly and try it out.
>
> Similar things to CustomAuth can be done on IIS5, but I do not have a
> ready-made sample to point you to. You can probably get the bulk of the
> idea and code from the IIS6 CustomAuth sample (written in C) to create
> something for IIS5. There are also commercial SW that implement the exact
> same idea for IIS5 as well.
>
> --
> //David
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "eruess" <eruess_at_reddingpath_dot_com> wrote in message
> news:0p6cnVevX9e9kA6jXTWcoQ@speakeasy.net...
> I've run into the same problem most people eventually do when they start to
> play with Basic Authentication - Basic Auth credentials persisting after
> session termination. I've been reading posts and docs until my eyes bleed
> and I can't seem to find a way to get this done simply, elegantly or even
> completely.
>
> So far I understand that a) There's no direct method in the HTTP/1.1
> protocol to instruct a client to destroy Basic Auth creds and b) MS provides
> code for an ActiveX routine to destroy IE's Basic Auth creds (but only for
> IE version x.x+ & even then, only with client's permission to run the
> ActiveX). IMO the use of the ActiveX thing totally goes against the whole
> point of Basic Auth (e.g. cross-browser compatibility with what is
> essentially going to be Windows auth; which is why I wanted to use Basic
> Auth in the first place).
>
> Here's what I'm trying to accomplish:
>
> User enters website anonymously, a session is started. If they never choose
> to access password-protected materials, then we don't care what they do,
> they live in anonymous-land as IUSR_IISBOX and they happily surf the public
> content. However, if they want to enter the private/password protected
> content, I need a way for them to not only authenticate themselves against
> the AD box, but at that point I want their physical user ID to change from
> IUSR_Whatever to MyDomain\SomeUser. Because a) I will present content to
> them based upon their AD group membership and b) SQL rights are inherited
> from AD group membership for when they start tinkering with the database.
> And I want them to be able to do this with Netscape, IE, or whatever browser
> will support basic auth.
>
> This all works fine, btw, with Basic Auth... I have a prototype of the
> system up and running and I can login and prove I have correct SQL rights,
> all that jazz. The nasty crux of the problem is when I want to LOGOUT. I
> can end the session, and the session is terminated just fine, but the client
> still sends valid creds in the HTTP headers, and that's a major problem!
> The only "realistic" option I've seen thus far is to instruct the
> users/clients to close their browser - but I think most of us would agree,
> if we've learned anything from doing IT support, you simply can't trust
> users to follow IT instructions accurately... Realistically, I am forced to
> assume the browser is rarely, if ever, closed.
>
> So as an ASP/VB guy, I'm starting to wonder if I'm going to be forced to
> write my own authentication system that grabs data from a simple form input.
> I've never done something like that before (that is, written authentication
> routines, impersonated users, et al), but I've got plenty of development
> time so I could figure it out (and the company doesn't want to spring for a
> 3rd party app unless it's the only option left)... But does it need to come
> to that? The existing Basic Auth system is SO close to working, isn't there
> some way, any way to sync up, no matter how hack it may be, a session
> termination with Basic Auth by somehow re-forcing a re-authorization /
> prompt? I've been banging my head against this off and on for a week now.
>
> Here's the nuts & bolts of the setup:
>
> I'm running an IIS 5.0 w2ksa box (this resides on internet) and a separate
> ActiveDirectory pdc box which also hosts SQL server (this resides on our
> intranet).
>
> I have my web page split into anonymous / password protected areas, default
> entry is anonymous, all private stuff is contained within 1 parent folder
> that has anon access turned off, basic auth turned on. I have about 80 -
> 100 users in the AD whom I want accessing the password protected areas in
> varying states of authorization, all of whom are listed & appropriately
> grouped in the AD already.
>
> SQL logins are solely inherited from AD groups, and SQL of course is using
> windows auth only.
>
> The ease of having all the user admin in essentially 1 place, and then
> having SQL inherit it all is a VERY attractive prospect I won't readily opt
> out of - I would really like basic auth (or something that functions
> identically for my intents and purposes) to work, somehow, but I'm stumped.
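An added illustration of the point David makes above, written for this page and not taken from the thread or from the IIS CustomAuth sample: a server-side Basic check is stateless, so a "logout" has nothing to revoke and the replayed Authorization header still passes, whereas a cookie-backed session can be destroyed on the server. The account name, password and `sid` cookie name are constructed placeholders.

```python
import base64
import secrets

# Constructed credential store (placeholder account, not a real domain user)
# and the server-side session table used by the cookie scheme.
USERS = {"MyDomain\\SomeUser": "correct horse"}
SESSIONS = {}

def auth_basic(headers):
    """Stateless check: decode the Authorization header and verify the password."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pwd = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
    except ValueError:
        return None
    return user if USERS.get(user) == pwd else None

def login_cookie(user, pwd):
    """Form login: verify once (LogonUser in the IIS sample), issue a session id."""
    if USERS.get(user) != pwd:
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid

def _sid(headers):
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None

def auth_cookie(headers):
    """Stateful check: the cookie is only as good as its server-side session."""
    return SESSIONS.get(_sid(headers))

def logout_cookie(headers):
    """Crush the session server-side; the same cookie is rejected from now on."""
    SESSIONS.pop(_sid(headers), None)

def demo():
    """Replay each credential after 'logout': Basic still passes, the cookie does not."""
    cred = base64.b64encode(b"MyDomain\\SomeUser:correct horse").decode()
    bh = {"Authorization": "Basic " + cred}
    # Basic 'logout' is a no-op server-side: the browser simply resends the header.
    b1, b2 = auth_basic(bh), auth_basic(bh)
    ch = {"Cookie": "sid=" + login_cookie("MyDomain\\SomeUser", "correct horse")}
    c1 = auth_cookie(ch)
    logout_cookie(ch)  # user clicked logout: the session entry is gone
    return b1, b2, c1, auth_cookie(ch)
```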