: : > : > > : > > : : > > : > If you INCLUDE anonymous logons, they will be checked first and
thus
: > > : > everyone will logon anonymously. So, IIS security works the
: opposite
: > of
: > > a
: > > : > router routing packets. A router will check to see if the
: destination
: > > : > network has a defined route, and if not route through the DFG
: (default
: > > : > gateway). IIS uses the DFG if it exists, no matter what defined
: > routes
: > > : > exist.
: > > :
: > > : FWIW, IIS will first use the credentials provided by the browser, if
: > they
: > > : exist. Without credentials, IIS will assume anonymous access. In
: other
: > > : words, once a user has authenticated, he will continue to browse as
an
: > > : authenticated user for the lifetime of the client browser session
: (until
: > > the
: > > : browser is closed), even on anonymous content - so it is like the
: router
: > > : example.
: > >
: > > Thanks for the reply Tom but I have to disagree with you unless MSFT
has
: > bad
: > > documentation which is not unknown to happen.
: > >
: > > Note
: > >
: > > a.. If Anonymous authentication is enabled, IIS will always try to
: > > authenticate using it first, even if other methods are enabled.
: > >
: >
:
http://www.microsoft.com/windows200...indows2000/en/server/iis/htm/core/iiabasc.htm
: >
: > That's true, unless the browser has already authenticated. Go ahead and
: try
: > it. Create some content that allows anonymous but does not explicitly
: give
: > NTFS permissions to the authenticated user. Browse to some other
content
: > that does not allow anonymous so the browser must authenticate. Then
try
: to
: > browse to the anonymous content that does not allow NTFS permissions for
: the
: > user used to authenticate. If I'm wrong, then there's something wrong
: with
: > my environment.
: >
: > See also
http://support.microsoft.com/?kbid=264921
: > NOTES:
: > * When your browser establishes a connection with a Web site by using
: Basic
: > or NTLM authentication, it does not fall back to Anonymous during the
rest
: > of that session with the server. If you try to connect to a Web page
that
: is
: > marked for Anonymous only after authenticating, you will be denied.
(This
: > may or may not hold true for Netscape).
: > * When Internet Explorer has established a connection with the server by
: > using Basic or NTLM authentication, it passes the credentials for every
: new
: > request for the duration of the session.
: >
: > If someone from MS would care to comment, it would be appreciated.
Ok, fair enough but the OP, IMHO had users connect to a page that had
anonymous access enabled and was wondering why he could not track
authenticated users, so the connection established was using anonymous, not
Basic or Integrated. Only after he gave them a 401, did the authentication
allow known users in.
We agree the OP should have a logon for authenticated users and then
redirect them to where the anonymous users gain access. I was aware that if
they authenticated first it would be used unless they tried connecting to a
page where anonymous only was set but my response related to if anonymous is
enabled when connecting anonymous will always be tested first.
I ran into the same problem years ago, and as you suggested, I offered a
link for authenticated users.
--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center -
http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation -
http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library -
http://msdn.microsoft.com/library/default.asp