Intranet / IIS?

Discussion in 'ASP .Net' started by Rob Meade, Jul 16, 2007.

  1. Rob Meade

    Rob Meade Guest

    Hi all,

    This is a bit off topic I suspect, but I was hoping that most of you would
    know the answer...

    I want to have my IIS prompt for username/password credentials when a user
    browses to the site externally, ie, not on my own network, but if they are
    on the network (they would have already logged onto the domain) then they
    should not be challenged.

    I've been changing the security options but I seem to either get everyone
    challenged (on and off of the LAN) or no one challenged if I turn on
    anonymous access...

    Anyone got any URLs for configuring this or can offer some advice? I've
    never tried this before as I've always allowed anonymous access and used the
    server for development purposes only, now I want to build my own little
    Intranet application (.net 2 - just to try and touch on relevance for this
    group ;) )...

    Any help appreciated..

    Regards

    Rob
     
    Rob Meade, Jul 16, 2007
    #1

  2. Unfortunately it's not possible to do with one page. (there is a workaround
    though).
    Problem is that if page is not protected (anonymous disabled) then IIS will
    not authenticate anyone.
    If it's protected then IIS will attempt to authenticate everyone.
    ------------------------------------------------
    The workaround I came up with:

    Make login.aspx not protected (anonymous enabled) and check the IP
    address; if it's from within the network, then redirect to login1.aspx, which
    is protected, and IIS will NT authenticate the person.


    George.
     
    George Ter-Saakov, Jul 16, 2007
    #2

  3. Rob Meade

    Rob Guest

    George Ter-Saakov wrote:

    > Unfortunately it's not possible to do with one page. (there is a workaround
    > though).
    > Problem is that if page is not protected (anonymous disabled) then IIS will
    > not authenticate anyone.
    > If it's protected then IIS will attempt to authenticate everyone.


    Hi George, thanks for your reply. I'm not really bothered about it
    being for a single page, it would make more sense that the entire site
    was protected. I had always assumed that the IIS/Windows way of
    securing things would be better than developing my own login etc, plus
    if the user is already logged in on the network/domain it kinda makes
    sense to use that (for this project at least). Is this the same as
    "Forms" security/login in .net? I'm maybe getting confused between
    all the options...

    The spec of what I would be looking for would be:

    a) external visitors to the network are challenged to login (ideally
    in a Windows type of popup)
    b) users of the network get in because they are "on" the network
    etc...I would then pickup perhaps the Logon_User session variable to
    display their NT name (SharePoint stylee)...

    > Make login.aspx not protected (anonymous enabled) and check for the IP
    > address if it's from within the network then redirect to login1.aspx which
    > is protected and IIS will NT authenticate person.


    I see, but it would presumably require me to test as you mentioned for
    the IP address, and I'd be looking for a 192.168 etc etc kinda range,
    I'm guessing with the right tools someone could "spoof" their IP
    address to appear as if they had a local IP address on my network?
    Whilst they'd not get past the firewall to do anything on the
    servers, my web app might be compromised?

    I'm surely not the first person that's wanted to do something like
    this? I'm thinking of my 123-reg.co.uk account (domain name
    registration thingy)...when I browse their site there's a link to
    login (obviously they do have content that would be available to
    people without accounts also - which I'd maybe not have for my
    Intranet) - I click on login and I'm presented with the Windows
    dialogue thingy to login, I enter my details and I'm in - sounds very
    similar to what you've suggested, with regards to the two pages, one
    area protected, one area not - but they're obviously not checking for
    a local user.

    Any more thoughts?
     
    Rob, Jul 16, 2007
    #3
  4. > I'm guessing with the right tools someone could "spoof" their IP
    > address to appear as if they had a local IP address on my network?


    Well, I do not see any problem with spoofing. It's not like you are letting
    them in. They still have to pass NT Authentication.
    So even if the guy is smart enough to spoof the IP, he would fail NT Authentication
    and go nowhere.

    George
     
    George Ter-Saakov, Jul 19, 2007
    #4
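
The workaround from posts #2 and #4, sketched as the code-behind for the anonymous login.aspx (an added example, not code posted in the thread). The 192.168.0.0/16 range, the class name Login and the helper IsInNetwork are assumptions; login1.aspx is the protected page named in post #2.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Web.UI;

// Code-behind for login.aspx, which has anonymous access ENABLED in IIS.
public partial class Login : Page
{
    // Assumption: the LAN is 192.168.0.0/16 (the thread only says "192.168 etc").
    private static readonly IPAddress LanNetwork = IPAddress.Parse("192.168.0.0");
    private const int LanPrefixBits = 16;

    protected void Page_Load(object sender, EventArgs e)
    {
        // UserHostAddress is the peer address of the TCP connection as seen by IIS.
        // Client-supplied headers such as X-Forwarded-For are deliberately ignored.
        IPAddress client;
        if (IPAddress.TryParse(Request.UserHostAddress, out client)
            && IsInNetwork(client, LanNetwork, LanPrefixBits))
        {
            // login1.aspx has anonymous access DISABLED, so IIS performs
            // NT authentication before the request reaches any page code.
            Response.Redirect("login1.aspx", true);
        }
        // Visitors from other addresses stay on this anonymous page; what it
        // offers them is up to the site and is not specified in the thread.
    }

    // True when 'address' falls inside network/prefixBits (IPv4 only here).
    internal static bool IsInNetwork(IPAddress address, IPAddress network, int prefixBits)
    {
        if (address.AddressFamily != AddressFamily.InterNetwork
            || network.AddressFamily != AddressFamily.InterNetwork)
            return false;

        byte[] a = address.GetAddressBytes();
        byte[] n = network.GetAddressBytes();
        for (int i = 0; i < 4; i++)
        {
            // Number of prefix bits that fall inside this octet (0..8).
            int bits = Math.Min(8, Math.Max(0, prefixBits - i * 8));
            int mask = (0xFF << (8 - bits)) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }
}
```

The address check here only chooses which page a visitor is sent to; access to login1.aspx is still decided by NT authentication, which is the point made in post #4.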