IIS6, SQL authentication and logging, can it be done?
From: Wes (wes_at_checkind.com)
Date: 05/23/03
- Previous message: Sarah: "Re: Folder security"
- Next in thread: Roger Abell [MVP]: "Re: IIS6, SQL authentication and logging, can it be done?"
- Reply: Roger Abell [MVP]: "Re: IIS6, SQL authentication and logging, can it be done?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 23 May 2003 10:21:17 +0100
Hi,
I need to build an extranet and ideally would like to authenticate the users
from a database table, authorize them from a text file of usernames in each
protected directory and have all HTTP server access logged, with
authenticated username, back into the same database.
I've so far spent a couple of days looking into various options and so far
found nothing that does exactly what I need.
Passport authentication is no use to me as I would prefer to keep control of
the users myself.
Forms authentication allows me to authenticate against my database, and in
theory write out appropriate web.config files to each directory for
authorization. I have two problems with Forms though - as I understand it
IIS needs to have anonymous access enabled and the users are then
authenticated for the ASP.NET application. This means the username doesn't
get logged by IIS as there is no user as far as it's concerned. After
further reading to find a way round this I discovered that Forms
authorization only works against .aspx files by default, that I need to
register other file extensions to be protected and that there is fairly
large overhead involved with this, and that finally the user needs to have
Office 2000 SR1a or above installed to avoid getting a login box appear in
the Office application for a protected file.
Windows authentication and folder ACL authorization is the other option. The
users would be authenticated against IIS so all HTTP access would be logged
with a username and the ACL will protect the files. The only problem is, I
don't really want to create lots of Windows accounts. Even though logins
will be SSL protected and the extranet group of users be prevented from
logging in, it just worries me! Plus there is the disadvantage of having to
manage the windows users and a database for the rest of the system, where I
would prefer just to manage a database for everything.
This can be easily be achieved using Apache and MySQL, but I need to use
IIS6 and SQL Server 2000.
It seems Forms does half what I need, and Windows the other half. I really
feel I must be missing something here; it's so simple to do with Apache, why
not with IIS?
I don't really want to write a custom IIS Logging module (if that would even
help?!) and I have found and currently looking at Authentix (www.flicks.com)
and IISProtect (www.iisprotect.com) but don't see why I can't do what I need
using IIS alone.
Installing Apache on the Windows 2003 server isn't an option (and from a
brief look around I'm not sure Apache will authenticate or log to SQL Server
with or without ODBC, though I did only look at this quickly).
Any help appreciated!
Thanks,
Wes
- Previous message: Sarah: "Re: Folder security"
- Next in thread: Roger Abell [MVP]: "Re: IIS6, SQL authentication and logging, can it be done?"
- Reply: Roger Abell [MVP]: "Re: IIS6, SQL authentication and logging, can it be done?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
