Restricted access to the Web site - two options 1

[seaport]

I have a Web site that only authorized users can access. I am trying to figure out how to implement this restriction. There will be about 120 users accessing the Web site now and the number of users will grow. Currently, I think I have two options:

First option: set up a user group in the domain and add authorized users into this group. All these users have to enter user name and password in the domain logon dialog box before they get to the web server. I have two concerns for this option. First concern is that someone told me I have to buy license for each user I add in the domain. Second concern is that I have to use Windows API to build a simple Web user management tool (with Access 2000) so my staff can add or remove users from that domain user group.

Second option: disable the domain user logon on the Web site and put a log-on page (asp page) as the home page of the web site. With this option, anyone through Internet can get on the Web server by IUSR account. But only authorized user can pass the log-on page. Certain I need to build a simple Web user management tool, but with this option I do not have to use Windows API. My only concern is that disabling the domain may jeopardize the security of my server.

By the way, I am going to install Verisign certificate on the Web server.

So, which option should I take? How important is the domain user logon on the Web site?

Seaport

 

[tuur]

Hi,

From my point of experience, I would go for the second option.

Just create a login page on the server, you should put it on a secure page (https (indeed, verisign)) to make sure that the data being transmitted between client and server is encrypted. (nothing new i guess)

I'm not really sure why you are asking how important the domain user logon is. Are you using it right now?
If you just build your own login and session handling, you don't need this.

Keep me posted!

Regards,

Tuur