Re: IIS user authentication
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 10/11/03
- Next message: Jonathan Maltz [MS-MVP]: "Re: ohhh dear lord"
- Previous message: Karl Levinson [x y] mvp: "Re: anti filter"
- In reply to: Mike Garner: "IIS user authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 10 Oct 2003 23:11:55 -0700
This is a custom, non-standard form of authentication, and it can be
implemented on IIS6 -- though I have to say that it does not exist by
default.
In other words, this is basically standard authentication using Active
Directory, except certain IP addresses have a get-in-for-free card.
My question concerns the "get-in-for-free" functionality. Do you
authorize differently depending on IP? i.e. 1.2.3.4 can read all files,
but 5.6.7.8 is able to read all files AND write to some files. When you use
Active Directory, ACLs can give you fine-grained control of authorization
after authentication.
The custom solution I have in mind is to simply enable authentication,
enable anonymous access but do not give IUSR any access, and then write a
Wildcard Application Mapping which reads IPs as an anonymous user and then
assigns either the same or different user token for authorization purposes
(depending on whether you authorize differently depending on IP). So at the
end of the day, all requests are authenticated in some way.
Personally, I think a get-in-for-free card based on IP is terribly insecure
since IP packets can be spoofed far more easily than a username/password
combination. Security based on keeping IP address a secret is not very
secure.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Mike Garner" <mgarner@western.edu> wrote in message news:07c701c38eb5$ad5b4350$a301280a@phx.gbl...

I'm tasked with migrating an iPlanet (Sun One) Web Server to IIS 6.0. We're running a Server 2003 Native mode Active Directory; IIS 6.0 is running on Server 2003 Standard, a member server of the 2003 domain.

One of the features I most liked of the iPlanet product was the ability to secure directories based upon client IP, username/password or both. We could tie the username/password part to any full-blown LDAP (except A/D, which doesn't store the passwords in LDAP). With IIS I'd like to replicate this functionality but tie the user auth to Active Directory.

I've got the Digest Authentication working. I also see how to authenticate based upon IP, but how do I combine them? Here's how I'd like it to work:

1) Client browser requests a page from the protected directory.
2) If the client is on a given IP(s), they are explicitly allowed regardless of the user. (Deny all, grant these IPs...)
3) If the client is denied because of IP, I'd like the user to be prompted for authentication. Using Digest Auth (I guess..) I'll check those credentials against Active Directory.
4) For extra credit, I'd like the browser to provide single sign-on. All our client workstations are WinXP Pro. If the user is already logged onto the computer, I'd like it to try the digest auth with the logged-in credentials first...

Is this possible with IIS 6.0? I can do steps 1-3 with iPlanet (to my LDAP). So far I've only been able to get IP OR User Auth working but not together in this desired config. Any advice or articles you can find would be most appreciated.

Thanks in advance
~Mike
email directly if you'd like: mgarner@western.edu
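The decision logic David sketches above (IP allowlist first, credentials otherwise, then a per-identity ACL so that every request runs as some principal), written out as an added example. This is not code from the post, from IIS, or from an ISAPI wildcard mapping; it is a stand-alone Python model of the policy. The networks, identities, users, paths and the salted-hash credential store are all constructed for the example and stand in for the Active Directory lookup the thread delegates to the domain.

```python
"""IP-allowlist-or-credentials gate, modelled on the scheme in the thread.

Every request ends up running as *some* identity: a request from an
allowlisted network is mapped to a fixed service identity, everything else
must present credentials, and authorization is then decided per identity.
All networks, users, paths and secrets below are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: network -> identity that requests from it run as.
# Two networks map to two different identities, so IP-based callers can be
# authorized differently (the "read all" vs "read and write some" case).
IP_ALLOWLIST = {
    ipaddress.ip_network("10.40.1.0/24"): "svc_reader",      # read-only
    ipaddress.ip_network("10.40.2.17/32"): "svc_publisher",  # read + write
}

# Constructed credential store: username -> salted SHA-256 hex digest.
# Stands in for the directory that would normally verify the password.
_SALT = b"example-salt"
USERS = {
    "mgarner": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}

# Constructed ACL: path prefix -> {identity: permitted actions}.
ACL = {
    "/protected/": {
        "svc_reader": {"read"},
        "svc_publisher": {"read", "write"},
        "mgarner": {"read", "write"},
    },
}


@dataclass
class Request:
    remote_addr: str          # TCP peer address, NOT an X-Forwarded-For header
    path: str
    action: str               # "read" or "write"
    username: Optional[str] = None
    password: Optional[str] = None


def identity_for_ip(remote_addr: str) -> Optional[str]:
    """Return the identity an allowlisted address runs as, else None.

    Only the socket peer address is consulted. A client-supplied header
    such as X-Forwarded-For is trivially forged and must not feed this check.
    """
    addr = ipaddress.ip_address(remote_addr)
    for net, ident in IP_ALLOWLIST.items():
        if addr in net:
            return ident
    return None


def identity_for_credentials(username: Optional[str],
                             password: Optional[str]) -> Optional[str]:
    """Verify username/password against the constructed store; None on failure."""
    if username is None or password is None:
        return None
    expected = USERS.get(username)
    if expected is None:
        return None
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return username if hmac.compare_digest(digest, expected) else None


def authenticate(req: Request) -> Optional[str]:
    """IP allowlist first, credentials second; None means 401 Unauthorized."""
    return identity_for_ip(req.remote_addr) or identity_for_credentials(
        req.username, req.password)


def authorize(identity: str, path: str, action: str) -> bool:
    """Look up the ACL for the longest matching prefix; default deny."""
    for prefix, grants in ACL.items():
        if path.startswith(prefix):
            return action in grants.get(identity, set())
    return False


def handle(req: Request) -> int:
    """Return the HTTP status the gate would produce: 200, 401 or 403."""
    identity = authenticate(req)
    if identity is None:
        return 401          # no allowlisted IP and no valid credentials
    return 200 if authorize(identity, req.path, req.action) else 403
```

Note that the IP match maps to an identity rather than to a bare "allow": authorization is still a separate, per-identity step, which is what lets the read-only network and the read/write host get different rights. The check deliberately reads only the peer address; as the post says, an address alone is a weak secret, and trusting a forwarded-for header would make it weaker still.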