Published: Friday, February 02, 2001
Authentication Methods in IIS
By Akhilesh
For more information on authentication, be sure to check out the 4Guys Authentication Article Index! You'll find numerous articles on methods for allowing Web access to only a certain set of users.
Introduction
In IIS you can set up various authentication methods for entire sites or virtual directories.
These authentication methods determine who can access the Web pages in the site/virtual
directory. The three authentication methods available are:
1. Anonymous Access - This authentication method requires NO username or password
to access the site. Anyone can just type in the URL and access the site. This is the
default access method for IIS sites/virtual directories and is the authentication mode for
99.9999% of the World Wide Web.
2. Basic Authentication - This authentication method requires you to type in a
valid NT login and password to gain access to the system (the NT login must be a valid NT login
for the NT domain that the Web server is on). Where Basic Authentication
is enabled you will get a popup window asking for the username and password when you
first visit a resource in that protected site/virtual directory.
After you enter the required information, the username and password are transmitted over
the network WITHOUT any encryption (they are merely Base64-encoded). This lets anyone trying to
compromise your site examine passwords during the authentication process.
3. Windows NT Challenge/Response (referred to as Integrated Windows Authentication
in IIS 5) - This is supposedly the most secure form of
Authentication in IIS. When you login, NT validates your login and ONLY the username is
transmitted over the network. No password is transmitted. So under no circumstances can your
password be compromised. Note that this method will NOT work with Netscape!
By default when you create a Web site/virtual directory in IIS you will have Anonymous
Access AND Windows NT Challenge/Response enabled.
Now, in order to identify the user accessing your site through their login, you can get the
username using Request.ServerVariables("LOGON_USER"). This will return a value only if
Anonymous Access is DISABLED and you only have Basic Authentication OR Windows NT
Challenge/Response ENABLED.
In such a case, Request.ServerVariables("LOGON_USER") will give you both the
domain name and username in the format: domainName\username. If you just want
the username there are a few ways of getting it. For example, you could use:
'displays: DSRC\BEECHWOOD when I login
Response.Write(Request.ServerVariables("LOGON_USER"))
'To get only the username...
Dim strNTUser, iPos
strNTUser = RTrim(Request.ServerVariables("LOGON_USER"))
iPos = Len(strNTUser) - InStr(1, strNTUser,"\",1)
strNTUser = Right(strNTUser, iPos)
'strNTUser now contains just BEECHWOOD
Or, to make life a little easier just use the split function
Dim arrSomething, strNTUser
arrSomething = split(Request.ServerVariables("LOGON_USER"),"\")
strNTUser = arrSomething(1)
'Again, strNTUser will have BEECHWOOD
(For more information on split be sure to check out:
Parsing with join and split!)
In most cases you would want to save this username in a database and associate it with a
UserID of some sort. This way, when a user enters your site you match the
username retrieved using Request.ServerVariables("LOGON_USER")
against what you have in the database and get that user's UserID. So if a username is not
in your database, you know that this user is accessing your site for the first time.
(There may be times when you don't need to use this database approach. If you have a secure
area on your site where you just want those folks who have a user account on your NT domain to
be able to access the site, then you just need to disable Allow Anonymous and not worry
about any sort of database tie-in.)
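The database approach above, written out as an added classic ASP example (not code from the original article). It assumes a Users table with UserID and NTLogon columns and a connection string of your own; both are placeholders. It stores the full domainName\username value rather than the bare username, because two domains can each contain a user with the same name, and it uses a parameterised ADO query because LOGON_USER is text you did not type yourself.

```vbscript
<%
Option Explicit
' Placeholder connection string; replace with your own (assumption, not from the article)
Const strConn = "PLACEHOLDER_CONNECTION_STRING"

' Returns the full DOMAIN\username from LOGON_USER, or "" when the user
' was not authenticated (e.g. Anonymous Access is still enabled).
Function GetNTLogon()
    Dim strLogon
    strLogon = Trim(Request.ServerVariables("LOGON_USER"))
    GetNTLogon = strLogon
End Function

' Returns just the username part; works even when no domain prefix is present.
Function GetNTUserName(strLogon)
    Dim arrParts
    arrParts = Split(strLogon, "\")
    GetNTUserName = arrParts(UBound(arrParts))
End Function

' Looks up the UserID for a logon; 0 means "not found" (first visit).
Function LookupUserID(strLogon)
    Dim objConn, objCmd, objRS
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open strConn
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "SELECT UserID FROM Users WHERE NTLogon = ?"
    ' 200 = adVarChar, 1 = adParamInput: bind the value instead of concatenating it
    objCmd.Parameters.Append objCmd.CreateParameter("p1", 200, 1, 255, strLogon)
    Set objRS = objCmd.Execute
    If objRS.EOF Then
        LookupUserID = 0
    Else
        LookupUserID = objRS("UserID")
    End If
    objRS.Close : objConn.Close
End Function

Dim strLogon, lngUserID
strLogon = GetNTLogon()
If strLogon = "" Then
    Response.Status = "401 Unauthorized"   ' nobody was challenged; refuse the page
    Response.End
End If
lngUserID = LookupUserID(strLogon)
If lngUserID = 0 Then
    Response.Write "Welcome, first-time visitor " & Server.HTMLEncode(GetNTUserName(strLogon))
Else
    Response.Write "Welcome back, user #" & lngUserID
End If
%>
```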
Now that we've looked at an overview of IIS's available authentication modes, let's examine
how to set up IIS to handle such authentication. In Part 2
we'll look at the process of setting up these various authentication modes!
Read Part 2!