ASP - Active Directory - Pass Through Authentication

[nNaGg]

Hello,

I am trying to determine a solution using an ASP webpage whereby i can authorize someone based on their Active Directory accounts in our domain. So i will have a web server outside of our domain and when i visit a webpage it will ask for a logon and passwrod, and domain if required. This will then query our Active Directory server to determine if their account exists, and if so authenticate their password, and then let them access the website.

Can this be done? If anyone has any code/thoughts/webpage/hints/etc regarding this could you please let me know.

Your time and efforts are greatly appreciated!

Regards,

Regan Stathers

 

[shaddow]

I knw it can be done programaticaly using ASP code but it's better to tell IIS to disable anonimous acces and use Integrated Windows autentication wich uses the NTFS permissions you chose for that web directory. In this case you alow only your chosed users to have access to that folder.

________
George, M

 

[shaddow]

I almost forgot for Active Directory users use also Digest authentication for Windows Domain Servers.

________
George, M

 

[nNaGg]

How does this work when the web server is not a member of the domain, and is not connected to the network? This case covers when we want our ISP to host our web site, but still integrate Active Directory authentication! Can this happen?

Thanks for your information so far. What exactly is Digest Authentication?

 

[shaddow]

As far as i knw if your ISP server it's not on domain or on network then you dont need Digest authentication for Windows Domain Server only use the Integrated Windows authentication, but your ISP have to manage the users you want to access the web

All i knw it's that it worked with local users from my server (not a domain server)

Here are the Authentication Methods i got from Microsoft's help


Use this dialog box to configure your Web server to verify user identities. You can authenticate individuals or select groups of users to prevent unauthorized persons from establishing a Web (HTTP) connection to restricted content. Anonymous access allows users to establish an anonymous connection. The user logs on to IIS with an anonymous or guest account. There are currently four Authenticated access methods:

· Windows Integrated authentication uses a cryptographic exchange with the user's Web browser to confirm the identity of the user.

· Digest authentication works only with Active Directory® accounts, sending a hash value over the network, rather than a plaintext password. Digest authentication works across proxy servers and other firewalls and is available on Web Distributed Authoring and Versioning (WebDAV) directories.

· Basic authentication transmits passwords across the network in cleartext, an unencrypted form.

· .NET Passport authentication is a Web authentication service.

Enable anonymous access

Select this check box to establish an anonymous connection for users. IIS logs on the user with an anonymous or guest account. By default, the server creates and uses the account IUSR_computername.

User name

This is the user name for the account used for anonymous access only within Windows.

Password

The anonymous user account password is used only within Windows. Anonymous users do not log on by using a user name and password.

Browse

Click to search and select the object type, such as user, and the location, such as your computer or any accessible computer connected on the network.

Authenticated access

Options selected in this section require that users provide a valid Microsoft Windows user name and password before they access any information on your server.

Integrated Windows authentication

Select to ensure that the user name and password are sent across the network in the form of a hash. This provides a secure form of authentication.

Note If this authentication method is enabled, IIS uses Windows Integrated authentication only when Anonymous access is disabled and Anonymous access is denied because Windows file system permissions have been set, requiring users to provide a Windows user name and password before establishing a connection with restricted content.

Digest authentication for Windows domain servers

Select to work with Active Directory® and send a hash value over the network, rather than a cleartext password. This method works across proxy servers and other firewalls. Using Digest authentication requires that a Realm be defined.

Basic authentication (password is sent in cleartext)

Select to send the password across the network in cleartext. Basic authentication is part of the HTTP specification and is supported by most browsers; however, user name and password are not encrypted and could present security risks.

.NET Passport Authentication

Select to enable .NET Passport authentication services on your Web site. NET Passport allows users of your site to create a single sign-in name and password for easy, secure access to all .NET Passport-enabled Web sites and services. .NET Passport-enabled sites rely on the .NET Passport central server to authenticate users rather than hosting and maintaining their own proprietary authentication systems. However, the .NET Passport central server does not authorize or deny a specific users' access to individual .NET Passport-enabled sites. It is the responsibility of the Web site to control user permissions. Using .NET Passport authentication requires that a Default domain be defined.

Default domain

This identifies the Windows domain used for user authentication control.

Select

To authenticate the user or group, click to view a list of all domains to which you are connected.

Realm

This identifies the domain or other operating system authentication controller used to authenticate the user or group.

Select

Click to view a list of all domains and realms to which you are connected.



________
George, M