RE: Securing through the IIS web server domain logon

["Stan Guzik" <SGuzik () ImmediaTech com>]

Hello Jeff,

The customer can have high security needs and they can restrict
directory access but you don't need to use domain authentication.  Also
if your application is shared with multiple customers then each customer
will need their own domain account.  This leads into a Microsoft
licensing issue.  The more customers you have the more Microsoft
licenses you need.  If this is the approach you want to go with, the
authenticated username is a server variable you can grab in your asp
code.

Alternatively you can write an ISAPI filter that intercepts all traffic
to your web server and do your authorization/authentication in the
filter.  If authorization/authentication is OK then let the traffic
pass.  If not OK, stop the traffic.  You don't need domain accounts for
this.

Good Luck,
Stan Guzik





-----Original Message-----
From: Koniszewski, Jeffrey [mailto:JKoniszewski () Kronos com] 
Sent: Tuesday, August 17, 2004 5:21 PM
To: webappsec () securityfocus com
Subject: Securing through the IIS web server domain logon

Our application provides security via an application logon and web
application session. We layer lots of access control on top of the user
session. The web server is set to serve up files via the iusr account,
i.e. web server access is via anonymous logon.

We have a customer with high security needs that wants to restrict
directory access on the web server to domain authenticated users (remove
iusr access). This, as I understand it, would require the web server to
prompt for domain authentication. Then file access on the web server
would be via the authenticated domain user's account. However, our
application still needs to authenticate the user as well. Actually, all
we probably need is the user name. We have never set up to work this
way. Is there a way to get the user name from the IIS domain logon? Is
it accessible via the HTTP session? Thanks.