Monday, December 20, 2010

IIS Basic Authentication

On the web, the oldest and most widely supported authentication method is Basic Authentication. IIS offers Basic Authentication as an option on each directory you configure. Because IIS enforces access with file-system ACLs, any directory you want to protect must be on an NTFS partition.

How to set up IIS Basic Authentication

Setting up IIS Basic Authentication is similar to setting up Windows NT Challenge/Response (NTCR).

In Internet Service Manager (IIS 1-3) or the Microsoft Management Console snap-in for IIS (IIS 4 and up), select the directory you want to protect. Turn on Basic (Clear Text) and turn off Windows NT Challenge/Response. It is OK to leave Allow Anonymous on: IIS tries the anonymous account first and only sends the 401 challenge when that account is denied on the directory, which is what the next step arranges.

Create an account for each user to whom you want to give access, remove the permissions for IUSR_machinename from the directory, and add permissions for the users you created.
Alternatively, create a group, grant that group access to the directory, and add the permitted users to the group.

Remember that the user will need Execute rights if the directory contains any ASP pages, ISAPI extensions, counters, etc.

IIS Basic Authentication is the way to go if you accept the need for SSL and don't mind paying the performance penalty. Basic sends the username and password base64-encoded, not encrypted, in the Authorization header of every request, so anyone who can see the traffic can read them; that is why SSL is a requirement, not an option. Keep in mind that you will need an SSL certificate if you don't already have one.

You won't want to use IIS Basic Authentication if you are concerned about the security of your NT accounts or about performance. The credentials users type are real Windows account credentials, so a password captured from an unencrypted session is a captured NT account, not just a web login. And IIS calls LogonUser and ImpersonateLoggedOnUser for each and every request, which is expensive in terms of CPU cycles.
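To make the SSL point concrete, here is the Basic Authentication exchange in Python, written for this page rather than taken from the original post or from IIS: the server's 401 challenge, the browser's Authorization header, and what an observer (or the server) recovers from it. The realm, the account table and the request headers are constructed stand-ins, and the dictionary password check stands in for the LogonUser call that IIS really makes.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-in for the NT accounts granted on the directory's ACL.
# Real IIS hands the credentials to LogonUser(); here we look them up in a dict.
ACCOUNTS: Dict[str, str] = {"DSRC\\BEECHWOOD": "correct horse"}
REALM = "www.example.com"  # assumed realm name; IIS uses the server name by default


def challenge() -> Dict[str, object]:
    """Server side: the reply IIS sends when the anonymous account (IUSR_machinename)
    is denied on the directory and Basic is the only enabled scheme."""
    return {"status": 401, "WWW-Authenticate": 'Basic realm="%s"' % REALM}


def client_authorization(user: str, password: str) -> str:
    """Client side: the browser joins user and password with ':' and
    base64-encodes the result. That is encoding, not encryption."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("latin-1"))
    return "Basic " + token.decode("ascii")


def decode_authorization(header: str) -> Optional[Tuple[str, str]]:
    """What anyone who sees the header on the wire recovers from it.
    Returns None for a missing, non-Basic or malformed header."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password itself may contain ':'
    if not sep or not user:
        return None
    return user, password


def logon_user(headers: Dict[str, str]) -> str:
    """Server side: the value the page would see as LOGON_USER.
    Empty string when the request was anonymous or the credentials fail,
    otherwise DOMAIN\\user in the case the account table stores it."""
    creds = decode_authorization(headers.get("Authorization", ""))
    if creds is None:
        return ""
    user, password = creds
    # NT account names are case-insensitive; compare the password in constant time.
    for account, expected in ACCOUNTS.items():
        if account.upper() == user.upper():
            ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
            return account if ok else ""
    return ""


if __name__ == "__main__":
    print(challenge())
    header = client_authorization("DSRC\\BEECHWOOD", "correct horse")
    print("Browser sends:", header)
    print("Observer decodes:", decode_authorization(header))
    print("LOGON_USER:", repr(logon_user({"Authorization": header})))
```

decode_authorization is the whole attack on an unencrypted session: anything sitting between the browser and IIS (a proxy, a sniffer on the segment) applies it to every request and gets the NT username and password back in the clear, which is why the page insists on SSL.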

By default, when you create a Web site or virtual directory in IIS, you will have Anonymous Access AND Windows NT Challenge/Response enabled. To identify the user who logged in, read Request.ServerVariables("LOGON_USER"). This is empty for anonymous requests; it returns a value only when IIS actually authenticated the user, that is, when Anonymous Access is disabled (or the IUSR account is denied on the directory) and Basic Authentication or Windows NT Challenge/Response is enabled.

In that case, Request.ServerVariables("LOGON_USER") gives you both the domain name and the username in the format domainName\username. If you just want the username, there are a few ways of getting it. For example, you could use:

'displays: DSRC\BEECHWOOD when I login
Response.Write(Request.ServerVariables("LOGON_USER"))

'To get only the username...
Dim strNTUser, iPos
strNTUser = RTrim(Request.ServerVariables("LOGON_USER"))
iPos = Len(strNTUser) - InStr(1, strNTUser,"\",1)
strNTUser = Right(strNTUser, iPos)

'strNTUser now contains just BEECHWOOD
Or, to make life a little easier, just use the Split function:

Dim arrSomething, strNTUser
arrSomething = Split(Request.ServerVariables("LOGON_USER"), "\")
'Take the last element: for an anonymous request LOGON_USER is "" and Split
'returns a one-element array, so arrSomething(1) would raise "Subscript out of range"
strNTUser = arrSomething(UBound(arrSomething))
