Basic Authentication on ASP Page

Status
Not open for further replies.
Oct 11, 2006
Hi,

I have an ASP page which uses basic authentication for the users. The users enter their NT user ID and the password to get into this ASP page. There is no need for them to enter the domain in which they exist.

In my database, the employee table has the NT ID stored. So the script checks the user ID that the users entered against the DB and then logs them in accordingly. If not, then I display the NT ID they entered and then show that what they entered does not exist in the database.

Certain users enter only the NT ID, but still, when I do a
Code:
strNetworkID = Request.ServerVariables("LOGON_USER")
I see that even the domain name shows up, like

domain_name\NTID

Where does this domain name come from when the users enter only the NTID?

Secondly it looks like I need to add a small strip function to check if there is something before the NTID, then strip that off and then check the NTID against the DB.

Any ideas on the 1st issue?

Thanks.
 
My guess would be the browser setup they have/use. For example, in IE you have the choice to get prompted for authentication or to assume logged-in credentials. I would take a first guess at some kind of client-side issue.

As for fixing it, doing a VBScript replace on the posting of that field would work.

Assuming that these cases are posting a username like "domain\jsmith" then something like this below may work for you.

I would say something like this:

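If InStr(strSource, "\") > 0 Then
    arrStr = Split(strSource, "\")
    strUserName = arrStr(1)    ' part after the backslash: domain\user -> user
Else
    strUserName = strSource    ' no domain prefix present
End If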
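
An added example, not part of the posts in this thread: a fuller version of the strip step that also handles the `user@domain` form and an empty `LOGON_USER` (anonymous request), and checks the domain before the bare NT ID is used as a database key, since dropping the domain makes `jsmith` from any domain or local machine account look the same. `ParseLogonUser`, `IsAllowedDomain` and `ALLOWED_DOMAINS` are hypothetical names, and the domain `corp` is a constructed sample value.

```vbscript
<%
Option Explicit
' Hypothetical allow-list: only identities from these domains are accepted.
Const ALLOWED_DOMAINS = "|corp|"   ' constructed sample value

' Splits an IIS LOGON_USER value into domain and account name.
' Handles "DOMAIN\user", "user@domain" (UPN form) and a bare "user".
' Returns False for an empty value (anonymous request) or an empty account.
Function ParseLogonUser(ByVal strRaw, ByRef strDomain, ByRef strUser)
    Dim pos
    strDomain = "" : strUser = ""
    ParseLogonUser = False
    strRaw = Trim(strRaw)
    If Len(strRaw) = 0 Then Exit Function

    pos = InStrRev(strRaw, "\")
    If pos > 0 Then
        strDomain = Left(strRaw, pos - 1)
        strUser = Mid(strRaw, pos + 1)
    Else
        pos = InStr(strRaw, "@")
        If pos > 0 Then
            strUser = Left(strRaw, pos - 1)
            strDomain = Mid(strRaw, pos + 1)
        Else
            strUser = strRaw
        End If
    End If
    strDomain = LCase(strDomain)
    strUser = LCase(strUser)
    ParseLogonUser = (Len(strUser) > 0)
End Function

' True only when the domain is on the allow-list. An empty domain (bare
' name) never matches, because it cannot be tied to a specific domain.
Function IsAllowedDomain(ByVal strDomain)
    IsAllowedDomain = (InStr(ALLOWED_DOMAINS, "|" & strDomain & "|") > 0)
End Function

Dim strDomain, strUser
If ParseLogonUser(CStr(Request.ServerVariables("LOGON_USER")), strDomain, strUser) _
   And IsAllowedDomain(strDomain) Then
    ' strUser is now the bare NT ID; look it up with a parameterized query.
    Response.Write "NT ID: " & Server.HTMLEncode(strUser)
Else
    Response.Status = "403 Forbidden"
    Response.End
End If
%>
```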
 
I assume this is going to run on some sort of IIS. I would suggest you look at the built-in authentication features of IIS rather than coding something on your own.

1) IIS has a lot of ways to authenticate
2) It's secure and proven
3) You don't have to code anything
 
Can you recommend any resources on where to look into IIS? From what I have right now, I have set Basic Authentication on the page requested over the HTTPS server; users enter their NT ID and password and then see their page. However, some are not able to log in and get the message "HTTP 400 - Unauthorized Logon".

We have had network administrators look at whether their laptops are in the network domain, but they still are not able to see the pages.

Thanks.
 
You have not configured the IIS and clients properly. You must have permission both in the web site and on the files you're going to access (NTFS). If users are coming from the same domain, use integrated authentication; you can also let the users skip entering user/pass if you add the URL to either the trusted sites or intranet sites in their browsers.

Now, from what you've told so far, I would recommend you skip the basic authentication thing and go for integrated. That's more secure, due to the fact that you're only passing a validated token to the IIS rather than a password in clear text. You haven't told anything about security requirements, but since you want users to authenticate I assume it's some sort of an issue.

I can point you in the right direction; however, I need to know what version of IIS or OS you're using.
 
OK, let me do a bit of explaining here. I have been working here for the past couple of months revamping this web site from a Perl-based script to an ASP-based script. This Perl script used IWA (Integrated Windows Authentication). The web site is for Sales Employees who wish to see their commissions. There are links within the intranet and when they click on the link, it directs them to this secured website (HTTPS). Hence the security over the intranet. This website is over a secured website. It worked for the majority of the employees, but a few select employees (5 to 7% of the employees).

For these select employees, even now with the ASP-based script, they still are not able to view the website and their reports.

I added this basic authentication for the purpose of forcing the users to enter their NT ID and their associated password, just to check if these failed employees are now able to log in. But still they cannot log in. I am more of a web app developer and not an IIS person. So any ideas on what I should look into in IIS would be helpful.

We use IIS 5.0 and the OS on the web server is I think Windows 2000 with service pack 4.
 
OK, that explains a couple of things. First of all I must advise you to stick with the integrated authentication and SSL. Sounds like this web site is designed by the book. Drop the basic authentication part. This won't help you solve anything nor find the reason why this is failing.

The first thing I would have done is to check the logfiles of the web site. Try to authenticate with a user account you know fails, and inspect the logfile. It will give you a pretty good idea why it's failing. If the information is insufficient, there are several log options you can add. Now I must say that this is rather an authentication/IIS/browser issue than a VBS issue. I think you would get the best solution to your problems from one of the IIS MVPs rather than from me.

Please check out this community link:
I would recommend the "Related Communities" section, and of course the newsgroups:
Hope this helps
JK
 