Published: Friday, February 02, 2001

Authentication Methods in IIS
By Akhilesh


For More Information...
For more information on authentication, be sure to check out the 4Guys Authentication Article Index! You'll find numerous articles on methods for allowing Web access to only a certain set of users.


Introduction
In IIS you can set up various authentication methods for entire sites or virtual directories. These authentication methods determine who can access the Web pages in the site/virtual directory. The three authentication methods available are:

    1. Anonymous Access - This authentication method requires NO username or password to access the site. Anyone can just type in the URL and access the site. This is the default access method for IIS sites/virtual directories and is the authentication mode for 99.9999% of the World Wide Web.

    2. Basic Authentication - This authentication method requires you to type in a valid NT login and password to gain access to the system (the NT login must be a valid NT login for the NT domain that the Web server is on). When Basic Authentication is enabled you will get a popup window asking for the username and password when you first try to visit a resource in that protected site/virtual directory. After you enter the required information, the username and password are transmitted over the network WITHOUT any encryption. This enables anyone trying to compromise your site to examine passwords during the authentication process.

    3. Windows NT Challenge/Response (referred to as Integrated Windows Authentication in IIS 5) - This is supposedly the most secure form of authentication in IIS. When you log in, NT validates your login and ONLY the username is transmitted over the network. No password is transmitted. So under no circumstances can your password be compromised. Note that this method will NOT work with Netscape!

By default, when you create a Web site/virtual directory in IIS you will have Anonymous Access AND Windows NT Challenge/Response enabled. To identify the user accessing your site through their login, you can get the username using Request.ServerVariables("LOGON_USER"). This will return a value only if Anonymous Access is DISABLED and only Basic Authentication OR Windows NT Challenge/Response is ENABLED.

In such a case, Request.ServerVariables("LOGON_USER") will give you both the domain name and username in the format: domainName\username. If you just want the username there are a few ways of getting it. For example, you could use:

'displays:  DSRC\BEECHWOOD when I login
Response.Write(Request.ServerVariables("LOGON_USER"))

'To get only the username...
Dim strNTUser, iPos
strNTUser = RTrim(Request.ServerVariables("LOGON_USER"))
iPos = Len(strNTUser) - InStr(1, strNTUser,"\",1)
strNTUser = Right(strNTUser, iPos)

'strNTUser now contains just BEECHWOOD

Or, to make life a little easier, just use the split function:

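Dim arrSomething, strNTUser
arrSomething = Split(Request.ServerVariables("LOGON_USER"), "\")
'LOGON_USER is empty under Anonymous Access and may arrive without a domain prefix,
'so take the last element instead of assuming index 1 exists
strNTUser = ""
If UBound(arrSomething) >= 0 Then strNTUser = arrSomething(UBound(arrSomething))

'Again, strNTUser will have BEECHWOOD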

(For more information on split be sure to check out: Parsing with join and split!)

In most cases you would want to save this username in a database and have it associated with a UserID of some sort. This way, when a user enters your site you match the username retrieved using Request.ServerVariables("LOGON_USER") against what you have in the database and get his UserID. If a username is not in your database, then you know that this user is accessing your site for the first time. (There may be times when you don't need to use this database approach. If you have a secure area on your site where you just want those folks who have a user account on your NT domain to be able to access the site, then you just need to disable Allow Anonymous and not worry about any sort of database tie-in.)
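The database tie-in described above, as an added example that is not code from the original article. The connection string, the Users table and its NTLogin and UserID columns are hypothetical; the lookup is keyed on the full domainName\username value so that same-named accounts in different domains stay distinct, and the login is bound as a parameter rather than concatenated into the SQL text.

```asp
<%
Option Explicit

' ADO constants (same values as in adovbs.inc)
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

' Hypothetical connection string; replace with your own.
Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=SiteDb;Integrated Security=SSPI;"

' Returns the UserID stored for an NT login, or Null if the login is unknown.
' Users, NTLogin and UserID are hypothetical names.
Function LookupUserId(strLogin)
    Dim cmd, rs
    LookupUserId = Null
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = CONN_STR
    cmd.CommandType = adCmdText
    ' The ? placeholder keeps the login value out of the SQL text.
    cmd.CommandText = "SELECT UserID FROM Users WHERE NTLogin = ?"
    cmd.Parameters.Append cmd.CreateParameter("login", adVarChar, adParamInput, 128, strLogin)
    Set rs = cmd.Execute
    If Not rs.EOF Then LookupUserId = rs("UserID").Value
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

Dim strLogon, varUserId
strLogon = Trim(Request.ServerVariables("LOGON_USER"))

If strLogon = "" Then
    ' Empty LOGON_USER: the request was served under Anonymous Access.
    Response.Status = "401 Unauthorized"
    Response.End
End If

varUserId = LookupUserId(strLogon)
If IsNull(varUserId) Then
    ' Not in the table yet: this user is visiting for the first time.
    Response.Write "First visit for " & Server.HTMLEncode(strLogon)
Else
    Response.Write "UserID " & varUserId
End If
%>
```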

Now that we've looked at an overview of IIS's available authentication modes, let's examine how to set up IIS to handle such authentication. In Part 2 we'll look at the process of setting up these various authentication modes!

  • Read Part 2!

