IIS Auth Question

pcthuglife

Member
May 3, 2005
173
0
0
Ok here's the scenario. I'm not really a Windows or IIS guy, I've always done web dev in a LAMP environment so just bear with me. The company I work for has a client with a Windows (I believe 2000) domain. Then they have a web server running IIS on Win2k. The LAN and server are completely separate for security reasons. The web site has what is, in LAMP terms, an htaccess-style login prompt. The users don't have the checkbox that says "click here to remember your password" because I guess that feature has been disabled via group policy.

So now to the actual question, the users want to be able to log in to the web site without having to enter their username and password. Why? Well we all know that users can be lazy, myself included. So the real question is, is this possible? I know that there are several ways to do this, but can it be done securely?

Thanks for any/all feedback!
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
I'm not sure what you mean by "The LAN and server are completely separate for security reasons."; if you mean separate network segments but members of the same domain, integrated Windows authentication could easily be enabled so that their credentials are passed automatically.
 

pcthuglife

Member
May 3, 2005
173
0
0
Well, the server is DMZ'd off. It has a 192.168.x.x address. The LAN clients have a 10.x.10.x address. There's no way to connect locally to the server over the LAN. I'm not familiar with IIS authentication techniques. It looks like an htaccess login prompt. Basically it's not a login field on the web page itself, it's a prompt that pops up before the page loads. They want to be able to basically bypass this prompt altogether and log in without manually typing their usernames and passwords.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
It looks like an htaccess login prompt. Basically it's not a login field on the web page itself, it's a prompt that pops up before the page loads.
It's called "basic authentication"; just like with Apache etc., the username and password are passed by the client to the server as part of the GET request.
http://httpd.apache.org/docs/1.3/howto/auth.html#basicworks

So my old question still stands, are the clients and server members of the same domain? I'm assuming yes since you need some way to manage those accounts. That being the case look up integrated windows authentication.
 

pcthuglife

Member
May 3, 2005
173
0
0
Ok so if integrated Windows authentication is set up on the IIS server, and the server is on the same domain as the LAN clients, and the client uses IE... they should authenticate automatically when they try to view the password-protected page?

I noticed in that apache link an "Allow From" parameter. I've never used that in my htaccess rules in the past but it definitely sounded interesting. This is a little off topic but would I be able to say:
Allow From x.x.x.x
and users coming from that ip address would be permitted to access the content automatically?
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Yes, you could do the same in IIS by using a guest user account to access the files and then restricting the site/virtual directory to certain IPs.
 

pcthuglife

Member
May 3, 2005
173
0
0
Alright and now just to sum everything up...

If the lan and server are on the same domain, then enabling integrated windows authentication should let the server automatically authenticate the user if they use IE.

If the server is not a part of the network, then we should be able to set up an
Allow From
rule that allows the public IP of the LAN. Then the users will just have to manually authenticate if they feel like browsing to the site from another location off of their LAN.

Are both of these assumptions correct?
Thanks again for your help and patience btw.
 

tyanni

Senior member
Sep 11, 2001
608
0
76
No - you can't have anonymous authentication turned on, allow access from certain IPs, and then expect it to work when they have an IP different from the allowed range. It's either all or nothing, as far as I know. I could be wrong, but I don't think I am.

So - option 1 is to turn on anonymous auth, and allow access from all IPs - however, anyone can connect to this server now, including people from the internet.

Option 2 is to turn anonymous auth on, and allow access from only the work ip range. However, if they are offsite somewhere and not using a VPN, they won't be able to browse the site.

Option 3 is to use integrated windows auth, and it will not prompt them for a user\pass when on the domain.

Tim
 

pcthuglife

Member
May 3, 2005
173
0
0
Right I can either choose to use Allow From and specify the ip address, OR, if the server is part of the same domain, simply enable integrated windows auth?

If they are not on the specified ip, or if their domain credentials do not match, they should just be prompted for the username and password as usual?
 

tyanni

Senior member
Sep 11, 2001
608
0
76
No, if the IPs are not in the IP range, then they are just denied access. I am not sure about integrated authentication, but I believe you are correct in that you will be prompted for a user\pass if off of the domain.

Tim
 

pcthuglife

Member
May 3, 2005
173
0
0
Well yeah but when spyordie sent me the link to the Apache site earlier I thought he was implying that they both handled basic authentication similarly. Does IIS have anything like the Apache satisfy parameter?
 

Thor86

Diamond Member
May 3, 2001
7,886
7
81
Just add the website to the client's Trusted or Intranet Sites list in their IE browser. If they don't change their passwords often, you can also setup to use their current login access.


 

pcthuglife

Member
May 3, 2005
173
0
0
Just add the website to the client's Trusted or Intranet Sites list in their IE browser.
How will that automatically authenticate the users? do you store usernames and passwords in the trusted sites portion of IE?
 

LOFBenson

Member
Sep 11, 2000
123
1
0
If the web server cannot authenticate to the LAN DC (so you can't use integrated security) I would suggest using certificates to authenticate the users. You can link digital certificates to local or domain accounts in IIS5 as long as the passwords on the accounts don't change. Even if you cannot save which certificate to use for the web site, IE6 will list your certificates and you just pick it from the list and hit OK.
 

Rilex

Senior member
Sep 18, 2005
447
0
0
Originally posted by: Thor86
Just add the website to the client's Trusted or Intranet Sites list in their IE browser. If they don't change their passwords often, you can also setup to use their current login access.

No need to do this as long as the user is using the NetBIOS (not FQDN) for the web address.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: Rilex
Originally posted by: Thor86
Just add the website to the client's Trusted or Intranet Sites list in their IE browser. If they don't change their passwords often, you can also setup to use their current login access.

No need to do this as long as the user is using the NetBIOS (not FQDN) for the web address.
AND the server name is resolving to the Local Intranet Zone AND you've enabled integrated Windows authentication. You still have to enable it on the server, or it won't matter what the client sends.
Well yeah but when spyordie sent me the link to the apache site earlier i thought he was implying that they both handled basic authentication similarly. Does IIS have anything like the apache satisfy parameter?
Basic authentication is a standard; however, IIS and Apache implement it a little differently. In IIS the allowed/denied address range gets evaluated before authentication; they function independently of each other, so you cannot have the IP filter applied based upon authentication (or lack thereof).

No offense but you're really scaring me with your lack of knowledge on this topic; as a web developer you should be intimately familiar with techniques for securing web applications. If you don't know how to do it correctly from the web server you should be doing it within your application. Either way you need a solid understanding of the topic, else you could end up improperly securing the site and end up liable in the event of a breach.

Even if you do work out a good way of managing authentication (i.e. using integrated Windows authentication from the LAN and basic authentication for non-domain members) you need to figure out how to secure the data while it's en route (i.e. SSL); you do realize that using basic authentication (and many other web authentication mechanisms) sends credentials in clear text, right?

My point is you can't just take up advice offered here as-is; you're going to need to do your homework.

Erik
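To make the evaluation-order point above concrete, here is a small Python model added as an illustration (it is not code from the thread, from IIS or from Apache): the IIS-style check applies the IP restriction first and independently of authentication, while Apache's "Satisfy Any" grants access on either condition, and the Basic header is decoded to show that the credentials are only base64-encoded, not encrypted. The LAN range 10.0.10.0/24, the account, and all function names are constructed assumptions.

```python
import base64
import ipaddress

# Constructed sample data: the LAN range and one valid account.
ALLOWED_NETS = [ipaddress.ip_network("10.0.10.0/24")]
USERS = {"alice": "s3cret"}  # constructed; a real server checks a hash, not cleartext


def basic_header(user, password):
    """Build the header a browser sends for Basic auth (RFC 2617 form)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' header.
    Basic auth is only base64 encoding: anyone who can read the request on
    the wire (no SSL) recovers the password exactly this way."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(header):
    creds = parse_basic_auth(header)
    return creds is not None and USERS.get(creds[0]) == creds[1]


def ip_allowed(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETS)


def iis_decision(client_ip, auth_header=None, anonymous_enabled=True):
    """IIS-style (as described in the thread): the IP restriction is evaluated
    first and independently, so an off-range client is denied even with valid
    credentials. In range, anonymous access (if enabled) needs no credentials."""
    if not ip_allowed(client_ip):
        return "denied"
    if anonymous_enabled or credentials_valid(auth_header):
        return "allowed"
    return "challenge"  # 401: the browser shows the login prompt


def apache_satisfy_any(client_ip, auth_header=None):
    """Apache 'Satisfy Any': access if the IP matches OR credentials are valid;
    an off-range client gets the login prompt instead of a flat denial."""
    if ip_allowed(client_ip) or credentials_valid(auth_header):
        return "allowed"
    return "challenge"
```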
 

pcthuglife

Member
May 3, 2005
173
0
0
No offense but you're really scaring me with your lack of knowledge on this topic
Hmm, that seems a little harsh. I'm not the web developer for this site, I'm not the server admin, I don't even know the URL. My question had to do with IIS/Windows Server authentication techniques. I do PHP development in a LAMP environment so I'm not familiar with the mechanisms that IIS and MS have built in. But thanks for all of your help in this thread.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
I do PHP development in a LAMP environment so I'm not familiar with the mechanisms that IIS and MS has built in.
So it sounds like my post is very valid. Have you considered building authentication into your application rather than relying on the server to provide it?

Is this site PHP or something else?

Just a word of warning: if the apps are written in PHP, permissions on the PHP extensions and code are going to have to be carefully evaluated on the server, else integrated Windows authentication OR basic authentication can be problematic. Another problem is that it exposes the source code to users.

Personally when writing an application in PHP for any server I build authentication in rather than trying to have the server do it. There are just so many better options (and control) available to you (the developer) if you do it this way.
 

pcthuglife

Member
May 3, 2005
173
0
0
So sounds like my post is very valid. Have you considered building authentication into your application rather than relying on the server to provide it?
Dude, I've already stated that I'm not the developer. I don't even know what the site's URL is. All I know is that it's hosted on a Win2k server running IIS. The users who access the site want to be able to authenticate securely without manually entering the username and password. The scope of this thread was supposed to be whether or not that's possible, and if so, how it could be accomplished.
Personally when writing an application in PHP for any server I build authentication in rather than trying to have the server do it.
A little off topic but I agree with you 100%. I always use a MySQL backend to authenticate users when I build a PHP web app. It's fast, easy, and extensible. For a site without any user-specific requirements, htaccess is still a viable option, especially when paired with SSL.
 