WebApp Sec mailing list archives
RE: Securing through the IIS web server domain logon
From: "Stan Guzik" <SGuzik () ImmediaTech com>
Date: Wed, 18 Aug 2004 18:12:27 -0400
Hello Jeff, The customer can have high security needs and they can restrict directory access but you don't need to use domain authentication. Also if your application is shared with multiple customers then each customer will need their own domain account. This leads into a Microsoft licensing issue. The more customers you have the more Microsoft licenses you need. If this is the approach you want to go with, the authenticated username is a server variable you can grab in your asp code. Alternatively you can write an ISAPI filter that intercepts all traffic to your web server and do your authorization/authentication in the filter. If authorization/authentication is OK then let the traffic pass. If not OK, stop the traffic. You don't need domain accounts for this. Good Luck, Stan Guzik -----Original Message----- From: Koniszewski, Jeffrey [mailto:JKoniszewski () Kronos com] Sent: Tuesday, August 17, 2004 5:21 PM To: webappsec () securityfocus com Subject: Securing through the IIS web server domain logon Our application provides security via an application logon and web application session. We layer lots of access control on top of the user session. The web server is set to serve up files via the iusr account, i.e. web server access is via anonymous logon. We have a customer with high security needs that wants to restrict directory access on the web server to domain authenticated users (remove iusr access). This, as I understand it, would require the web server to prompt for domain authentication. Then file access on the web server would be via the authenticated domain user's account. However, our application still needs to authenticate the user as well. Actually, all we probably need is the user name. We have never set up to work this way. Is there a way to get the user name from the IIS domain logon? Is it accessible via the HTTP session? Thanks.
Current thread:
- Securing through the IIS web server domain logon Koniszewski, Jeffrey (Aug 18)
- Re: Securing through the IIS web server domain logon Saqib . N . Ali (Aug 18)
- Re: Securing through the IIS web server domain logon Thomas Chiverton (Aug 18)
- Re: Securing through the IIS web server domain logon Ben Timby (Aug 18)
- <Possible follow-ups>
- Re: Securing through the IIS web server domain logon Matt Fisher (Aug 18)
- RE: Securing through the IIS web server domain logon Stan Guzik (Aug 20)
- RE: Securing through the IIS web server domain logon Michael Silk (Aug 20)
- RE: Securing through the IIS web server domain logon Michael Howard (Aug 20)