WebApp Sec mailing list archives

Re: Securing through the IIS web server domain logon

From: Saqib.N.Ali () seagate com
Date: Wed, 18 Aug 2004 15:00:20 -0700

You can use AUTH_USER or REMOTE_USER to get the username of the 
authenticated user. More info: 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/servervariables.asp


"Koniszewski, Jeffrey" <JKoniszewski () Kronos com> wrote on 08/17/2004 
02:21:26 PM:

Our application provides security via an application logon and web 
application session. We layer lots of access control on top of the 
user session. The web server is set to serve up files via the iusr 
account, i.e. web server access is via anonymous logon.

We have a customer with high security needs that wants to restrict 
directory access on the web server to domain authenticated users 
(remove iusr access). This, as I understand it, would require the 
web server to prompt for domain authentication. Then file access on 
the web server would be via the authenticated domain user's account.
However, our application still needs to authenticate the user as 
well. Actually, all we probably need is the user name. We have never
set up to work this way. Is there a way to get the user name from 
the IIS domain logon? Is it accessible via the HTTP session? Thanks.

Current thread:

Securing through the IIS web server domain logon Koniszewski, Jeffrey (Aug 18)
- Re: Securing through the IIS web server domain logon Saqib . N . Ali (Aug 18)
- Re: Securing through the IIS web server domain logon Thomas Chiverton (Aug 18)
- Re: Securing through the IIS web server domain logon Ben Timby (Aug 18)
- <Possible follow-ups>
- Re: Securing through the IIS web server domain logon Matt Fisher (Aug 18)
- RE: Securing through the IIS web server domain logon Stan Guzik (Aug 20)
- RE: Securing through the IIS web server domain logon Michael Silk (Aug 20)
- RE: Securing through the IIS web server domain logon Michael Howard (Aug 20)