When you think ASP, think...
Recent Articles
All Articles
ASP.NET Articles
ASPFAQs.com
Message Board
Related Web Technologies
User Tips!
Coding Tips

Sections:
Sample Chapters
Commonly Asked Message Board Questions
JavaScript Tutorials
MSDN Communities Hub
Official Docs
Security
Stump the SQL Guru!
XML Info
Information:
Feedback
Author an Article
ASP ASP.NET ASP FAQs Message Board Feedback
Print this page.
Published: Friday, February 02, 2001

Authentication Methods in IIS

By Akhilesh


For More Information...
For more information on authentication, be sure to check out the 4Guys Authentication Article Index! You'll find numerous articles on methods for allowing Web access to only a certain set of users.

- continued -

Intoduction
In IIS you can setup various authentication methods for entire sites or virtual directories. These authentication methods determine who can access the Web pages in the site/virtual directory. The three Authentication methods available are:

    1. Anonymous Access - This authentication method requires NO username or password to access the site. Anyone can just type in the URL and access the site. This is the default access method for IIS sites/virtual directories and is the authentication mode for 99.9999% of the World Wide Web.

    2. Basic Authentication - The authentication method requires you to type in a valid NT login and password to gain access to the system (the NT login must be a valid NT login for the NT domain that the Web server is on). Where Basis Authentication is enabled you will get a popup window asking for the username and password when trying to first visit a resource in that protected site/virtual directory. After you enter the required information the username and password will be transmitted over the network WITHOUT any encryption. This will enable anyone trying to compromise your site examine passwords during the authentication process.

    3. Windows NT Challenge/Response (referred to as Integrated Windows Authentication in IIS 5) - This is supposedly the most secure form of Authentication in IIS. When you login, NT validates your login and ONLY the username is transmitted over the network. No password is transmitted. So under no circumstances can your password be compromised. Note that this method will NOT work with Netscape!

By default when you create a Web site/virtual directory in IIS you will have Anonymous Access AND Windows NT Challenge/Response enabled. Now in order to identify the user accessing your site through their login you can get the username using Request.ServerVariables("LOGON_USER"). This will return a value only if Anonymous Access is DISABLED and you only have Basic Authentication OR Windows NT Challenge/Response ENABLED

In such a case, Request.ServerVariables("LOGON_USER") will give you both the domain name and username in the format: domainName\username. If you just want the username there are a few ways of getting it. For example, you could use:

'displays:  DSRC\BEECHWOOD when I login
Response.Write(Request.ServerVariables("LOGON_USER"))

'To get only the username...
Dim strNTUser, iPos
strNTUser = RTrim(Request.ServerVariables("LOGON_USER"))
iPos = Len(strNTUser) - InStr(1, strNTUser,"\",1)
strNTUser = Right(strNTUser, iPos)

'strNTUser now contains just BEECHWOOD

Or, to make life a little easier just use the split function

Dim arrSomething, strNTUser
arrSomething = split(Request.ServerVariables("LOGON_USER"),"\")
strNTUser = arrSomething(1)

'Again, strNTUser will have BEECHWOOD

(For more information on split be sure to check out: Parsing with join and split!)

In most cases you would want to save this username in a database and have it associated to a UserID of some sort. This way, when a user enters your site you associate the username retrieved using Request.ServerVariables("LOGON_USER") with what you have in the Database and get his UserId. So if a username is not in your Database then you know that this user is accessing your site for the first time. (There may be times when you don't need to use this database approach. If you have a secure area on your site where you just want those folks who have a user account on your NT domain to be able to access the site, then you just need to disable Allow Anonymous and not worry about any sort of database tie-in.)

Now that we've looked at an overview of IIS's available authentication modes, let's examine how to setup IIS to handle such authentication. In Part 2 we'll look at the process of setting up these various authentication modes!

  • Read Part 2!


  • ASP.NET [1.x] [2.0] | ASPMessageboard.com | ASPFAQs.com | Advertise | Feedback | Author an Article