NT Authentication with ASP

Discussion in 'ASP General' started by Baranidharan, Apr 16, 2004.

  1. Baranidharan

    Baranidharan Guest

    Hi

    I am creating an intranet site. I want to display the name of the user
    who has logged into the user. In case of Anonymous users i want to
    fill their name as 'Guest'. I tried the following code.

    <%
    if Request.ServerVariables("REMOTE_USER") = "" then
    Response.Write ("Welcome Guest")
    else
    Response.Write ("Welcome" + Request.Servervariables("REMOTE_USER") )
    end if
    %>

    But even for authenticated users, i get the message as "Welcome
    Guest".

    If for preventing the Anonymous user i add
    <%
    if Request.ServerVariables("REMOTE_USER") = "" then
    Response.Status = "401 Forbidden"
    else
    ....
    endif

    then i get the authenticated user 's name (The REMOTE_USER Variable
    only then gets updated correctly ). Where have i gone wrong?
    Baranidharan, Apr 16, 2004
    #1
    1. Advertising

  2. "Baranidharan" <> wrote in message
    news:...
    > Hi
    >
    > I am creating an intranet site. I want to display the name of the user
    > who has logged into the user. In case of Anonymous users i want to
    > fill their name as 'Guest'. I tried the following code.
    >
    > <%
    > if Request.ServerVariables("REMOTE_USER") = "" then
    > Response.Write ("Welcome Guest")
    > else
    > Response.Write ("Welcome" + Request.Servervariables("REMOTE_USER") )
    > end if
    > %>
    >
    > But even for authenticated users, i get the message as "Welcome
    > Guest".
    >
    > If for preventing the Anonymous user i add
    > <%
    > if Request.ServerVariables("REMOTE_USER") = "" then
    > Response.Status = "401 Forbidden"
    > else
    > ....
    > endif
    >
    > then i get the authenticated user 's name (The REMOTE_USER Variable
    > only then gets updated correctly ). Where have i gone wrong?


    You have to force the user to logon if you want to get their name. If you
    only allow anonymous access there's no way to grab the name.

    --
    Tom Kaminski IIS MVP
    http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
    http://mvp.support.microsoft.com/
    http://www.microsoft.com/windowsserver2003/community/centers/iis/
    Tom Kaminski [MVP], Apr 16, 2004
    #2
    1. Advertising

  3. Baranidharan

    Roland Hall Guest

    "Tom Kaminski [MVP]" wrote in message
    news:c5okrm$...
    : "Baranidharan" <> wrote in message
    : news:...
    : > I am creating an intranet site. I want to display the name of the user
    : > who has logged into the user. In case of Anonymous users i want to
    : > fill their name as 'Guest'. I tried the following code.
    : >
    : > <%
    : > if Request.ServerVariables("REMOTE_USER") = "" then
    : > Response.Write ("Welcome Guest")
    : > else
    : > Response.Write ("Welcome" + Request.Servervariables("REMOTE_USER") )
    : > end if
    : > %>
    : >
    : > But even for authenticated users, i get the message as "Welcome
    : > Guest".
    : >
    : > If for preventing the Anonymous user i add
    : > <%
    : > if Request.ServerVariables("REMOTE_USER") = "" then
    : > Response.Status = "401 Forbidden"
    : > else
    : > ....
    : > endif
    : >
    : > then i get the authenticated user 's name (The REMOTE_USER Variable
    : > only then gets updated correctly ). Where have i gone wrong?
    :
    : You have to force the user to logon if you want to get their name. If you
    : only allow anonymous access there's no way to grab the name.

    To add...

    This is a security issue, not an ASP issue.

    If you INCLUDE anonymous logons, they will be checked first and thus
    everyone will logon anonymously. So, IIS security works the opposite of a
    router routing packets. A router will check to see if the destination
    network has a defined route, and if not route through the DFG (default
    gateway). IIS uses the DFG if it exists, no matter what defined routes
    exist.

    So one option is to have a page where everyone can see it but only allow
    authenticated users to logon and give them special access where anonymous
    access is not allowed.

    And, it's better to use integrated authentication than Basic.

    HTH...

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
    Roland Hall, Apr 16, 2004
    #3
  4. Baranidharan

    Baranidharan Guest

    Hi All,

    Thanx for your suggestions. Is there any other method to get the name
    of the user logged in.

    Coz i do not want to stop anonymous login (ppl across the network need
    it :) )
    But like in the example i hv said i want to find their username if at
    all they are authenticated users.

    Might be asking for more but is there just a way to do it.

    Baranidharan.K.M


    "Roland Hall" <nobody@nowhere> wrote in message news:<#>...
    > "Tom Kaminski [MVP]" wrote in message
    > news:c5okrm$...
    > : "Baranidharan" <> wrote in message
    > : news:...
    > : > I am creating an intranet site. I want to display the name of the user
    > : > who has logged into the user. In case of Anonymous users i want to
    > : > fill their name as 'Guest'. I tried the following code.
    > : >
    > : > <%
    > : > if Request.ServerVariables("REMOTE_USER") = "" then
    > : > Response.Write ("Welcome Guest")
    > : > else
    > : > Response.Write ("Welcome" + Request.Servervariables("REMOTE_USER") )
    > : > end if
    > : > %>
    > : >
    > : > But even for authenticated users, i get the message as "Welcome
    > : > Guest".
    > : >
    > : > If for preventing the Anonymous user i add
    > : > <%
    > : > if Request.ServerVariables("REMOTE_USER") = "" then
    > : > Response.Status = "401 Forbidden"
    > : > else
    > : > ....
    > : > endif
    > : >
    > : > then i get the authenticated user 's name (The REMOTE_USER Variable
    > : > only then gets updated correctly ). Where have i gone wrong?
    > :
    > : You have to force the user to logon if you want to get their name. If you
    > : only allow anonymous access there's no way to grab the name.
    >
    > To add...
    >
    > This is a security issue, not an ASP issue.
    >
    > If you INCLUDE anonymous logons, they will be checked first and thus
    > everyone will logon anonymously. So, IIS security works the opposite of a
    > router routing packets. A router will check to see if the destination
    > network has a defined route, and if not route through the DFG (default
    > gateway). IIS uses the DFG if it exists, no matter what defined routes
    > exist.
    >
    > So one option is to have a page where everyone can see it but only allow
    > authenticated users to logon and give them special access where anonymous
    > access is not allowed.
    >
    > And, it's better to use integrated authentication than Basic.
    >
    > HTH...
    Baranidharan, Apr 17, 2004
    #4
  5. "Roland Hall" <nobody@nowhere> wrote in message
    news:%...
    > If you INCLUDE anonymous logons, they will be checked first and thus
    > everyone will logon anonymously. So, IIS security works the opposite of a
    > router routing packets. A router will check to see if the destination
    > network has a defined route, and if not route through the DFG (default
    > gateway). IIS uses the DFG if it exists, no matter what defined routes
    > exist.


    FWIW, IIS will first use the credentials provided by the browser, if they
    exist. Without credentials, IIS will assume anonymous access. In other
    words, once a user has authenticated, he will continue to browse as an
    authenticated user for the lifetime of the client browser session (until the
    browser is closed), even on anonymous content - so it is like the router
    example.

    --
    Tom Kaminski IIS MVP
    http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
    http://mvp.support.microsoft.com/
    http://www.microsoft.com/windowsserver2003/community/centers/iis/
    Tom Kaminski [MVP], Apr 19, 2004
    #5
  6. "Baranidharan" <> wrote in message
    news:...
    > Hi All,
    >
    > Thanx for your suggestions. Is there any other method to get the name
    > of the user logged in.
    >
    > Coz i do not want to stop anonymous login (ppl across the network need
    > it :) )
    > But like in the example i hv said i want to find their username if at
    > all they are authenticated users.
    >
    > Might be asking for more but is there just a way to do it.


    Perhaps give your users a "logon" link to click?

    --
    Tom Kaminski IIS MVP
    http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
    http://mvp.support.microsoft.com/
    http://www.microsoft.com/windowsserver2003/community/centers/iis/
    Tom Kaminski [MVP], Apr 19, 2004
    #6
  7. Baranidharan

    Roland Hall Guest

    "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
    news:c60e2f$...
    : "Roland Hall" <nobody@nowhere> wrote in message
    : news:%...
    : > If you INCLUDE anonymous logons, they will be checked first and thus
    : > everyone will logon anonymously. So, IIS security works the opposite of
    a
    : > router routing packets. A router will check to see if the destination
    : > network has a defined route, and if not route through the DFG (default
    : > gateway). IIS uses the DFG if it exists, no matter what defined routes
    : > exist.
    :
    : FWIW, IIS will first use the credentials provided by the browser, if they
    : exist. Without credentials, IIS will assume anonymous access. In other
    : words, once a user has authenticated, he will continue to browse as an
    : authenticated user for the lifetime of the client browser session (until
    the
    : browser is closed), even on anonymous content - so it is like the router
    : example.

    Thanks for the reply Tom but I have to disagree with you unless MSFT has bad
    documentation which is not unknown to happen.

    Note

    a.. If Anonymous authentication is enabled, IIS will always try to
    authenticate using it first, even if other methods are enabled.
    http://www.microsoft.com/windows200...indows2000/en/server/iis/htm/core/iiabasc.htm

    This may have changed for .NET and/or W2K3 but if not.....

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
    Roland Hall, Apr 20, 2004
    #7
  8. "Roland Hall" <nobody@nowhere> wrote in message
    news:...
    > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
    > news:c60e2f$...
    > : "Roland Hall" <nobody@nowhere> wrote in message
    > : news:%...
    > : > If you INCLUDE anonymous logons, they will be checked first and thus
    > : > everyone will logon anonymously. So, IIS security works the opposite

    of
    > a
    > : > router routing packets. A router will check to see if the destination
    > : > network has a defined route, and if not route through the DFG (default
    > : > gateway). IIS uses the DFG if it exists, no matter what defined

    routes
    > : > exist.
    > :
    > : FWIW, IIS will first use the credentials provided by the browser, if

    they
    > : exist. Without credentials, IIS will assume anonymous access. In other
    > : words, once a user has authenticated, he will continue to browse as an
    > : authenticated user for the lifetime of the client browser session (until
    > the
    > : browser is closed), even on anonymous content - so it is like the router
    > : example.
    >
    > Thanks for the reply Tom but I have to disagree with you unless MSFT has

    bad
    > documentation which is not unknown to happen.
    >
    > Note
    >
    > a.. If Anonymous authentication is enabled, IIS will always try to
    > authenticate using it first, even if other methods are enabled.
    >

    http://www.microsoft.com/windows200...indows2000/en/server/iis/htm/core/iiabasc.htm

    That's true, unless the browser has already authenticated. Go ahead and try
    it. Create some content that allows anonymous but does not explicitly give
    NTFS permissions to the authenticated user. Browse to some other content
    that does not allow anonymous so the browser must authenticate. Then try to
    browse to the anonymous content that does not allow NTFS permissions for the
    user used to authenticate. If I'm wrong, then there's something wrong with
    my environment.

    See also http://support.microsoft.com/?kbid=264921
    NOTES:
    * When your browser establishes a connection with a Web site by using Basic
    or NTLM authentication, it does not fall back to Anonymous during the rest
    of that session with the server. If you try to connect to a Web page that is
    marked for Anonymous only after authenticating, you will be denied. (This
    may or may not hold true for Netscape).
    * When Internet Explorer has established a connection with the server by
    using Basic or NTLM authentication, it passes the credentials for every new
    request for the duration of the session.

    If someone from MS would care to comment, it would be appreciated.

    --
    Tom Kaminski IIS MVP
    http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
    http://mvp.support.microsoft.com/
    http://www.microsoft.com/windowsserver2003/community/centers/iis/
    Tom Kaminski [MVP], Apr 20, 2004
    #8
  9. "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
    news:c6344a$...
    > "Roland Hall" <nobody@nowhere> wrote in message
    > news:...
    > > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
    > > news:c60e2f$...
    > > : "Roland Hall" <nobody@nowhere> wrote in message
    > > : news:%...
    > > : > If you INCLUDE anonymous logons, they will be checked first and thus
    > > : > everyone will logon anonymously. So, IIS security works the

    opposite
    > of
    > > a
    > > : > router routing packets. A router will check to see if the

    destination
    > > : > network has a defined route, and if not route through the DFG

    (default
    > > : > gateway). IIS uses the DFG if it exists, no matter what defined

    > routes
    > > : > exist.
    > > :
    > > : FWIW, IIS will first use the credentials provided by the browser, if

    > they
    > > : exist. Without credentials, IIS will assume anonymous access. In

    other
    > > : words, once a user has authenticated, he will continue to browse as an
    > > : authenticated user for the lifetime of the client browser session

    (until
    > > the
    > > : browser is closed), even on anonymous content - so it is like the

    router
    > > : example.
    > >
    > > Thanks for the reply Tom but I have to disagree with you unless MSFT has

    > bad
    > > documentation which is not unknown to happen.
    > >
    > > Note
    > >
    > > a.. If Anonymous authentication is enabled, IIS will always try to
    > > authenticate using it first, even if other methods are enabled.
    > >

    >

    http://www.microsoft.com/windows200...indows2000/en/server/iis/htm/core/iiabasc.htm
    >
    > That's true, unless the browser has already authenticated. Go ahead and

    try
    > it. Create some content that allows anonymous but does not explicitly

    give
    > NTFS permissions to the authenticated user. Browse to some other content
    > that does not allow anonymous so the browser must authenticate. Then try

    to
    > browse to the anonymous content that does not allow NTFS permissions for

    the
    > user used to authenticate. If I'm wrong, then there's something wrong

    with
    > my environment.
    >
    > See also http://support.microsoft.com/?kbid=264921
    > NOTES:
    > * When your browser establishes a connection with a Web site by using

    Basic
    > or NTLM authentication, it does not fall back to Anonymous during the rest
    > of that session with the server. If you try to connect to a Web page that

    is
    > marked for Anonymous only after authenticating, you will be denied. (This
    > may or may not hold true for Netscape).
    > * When Internet Explorer has established a connection with the server by
    > using Basic or NTLM authentication, it passes the credentials for every

    new
    > request for the duration of the session.
    >
    > If someone from MS would care to comment, it would be appreciated.


    Added microsoft.public.inetserver.iis to the thread because asp.general is
    really the wrong forum for this issue ...

    --
    Tom Kaminski IIS MVP
    http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
    http://mvp.support.microsoft.com/
    http://www.microsoft.com/windowsserver2003/community/centers/iis/
    Tom Kaminski [MVP], Apr 20, 2004
    #9
  10. Baranidharan

    Roland Hall Guest

    "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
    news:c6348i$...
    : "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
    : news:c6344a$...
    : > "Roland Hall" <nobody@nowhere> wrote in message
    : > news:...
    : > > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
    : > > news:c60e2f$...
    : > > : "Roland Hall" <nobody@nowhere> wrote in message
    : > > : news:%...
    : > > : > If you INCLUDE anonymous logons, they will be checked first and
    thus
    : > > : > everyone will logon anonymously. So, IIS security works the
    : opposite
    : > of
    : > > a
    : > > : > router routing packets. A router will check to see if the
    : destination
    : > > : > network has a defined route, and if not route through the DFG
    : (default
    : > > : > gateway). IIS uses the DFG if it exists, no matter what defined
    : > routes
    : > > : > exist.
    : > > :
    : > > : FWIW, IIS will first use the credentials provided by the browser, if
    : > they
    : > > : exist. Without credentials, IIS will assume anonymous access. In
    : other
    : > > : words, once a user has authenticated, he will continue to browse as
    an
    : > > : authenticated user for the lifetime of the client browser session
    : (until
    : > > the
    : > > : browser is closed), even on anonymous content - so it is like the
    : router
    : > > : example.
    : > >
    : > > Thanks for the reply Tom but I have to disagree with you unless MSFT
    has
    : > bad
    : > > documentation which is not unknown to happen.
    : > >
    : > > Note
    : > >
    : > > a.. If Anonymous authentication is enabled, IIS will always try to
    : > > authenticate using it first, even if other methods are enabled.
    : > >
    : >
    :
    http://www.microsoft.com/windows200...indows2000/en/server/iis/htm/core/iiabasc.htm
    : >
    : > That's true, unless the browser has already authenticated. Go ahead and
    : try
    : > it. Create some content that allows anonymous but does not explicitly
    : give
    : > NTFS permissions to the authenticated user. Browse to some other
    content
    : > that does not allow anonymous so the browser must authenticate. Then
    try
    : to
    : > browse to the anonymous content that does not allow NTFS permissions for
    : the
    : > user used to authenticate. If I'm wrong, then there's something wrong
    : with
    : > my environment.
    : >
    : > See also http://support.microsoft.com/?kbid=264921
    : > NOTES:
    : > * When your browser establishes a connection with a Web site by using
    : Basic
    : > or NTLM authentication, it does not fall back to Anonymous during the
    rest
    : > of that session with the server. If you try to connect to a Web page
    that
    : is
    : > marked for Anonymous only after authenticating, you will be denied.
    (This
    : > may or may not hold true for Netscape).
    : > * When Internet Explorer has established a connection with the server by
    : > using Basic or NTLM authentication, it passes the credentials for every
    : new
    : > request for the duration of the session.
    : >
    : > If someone from MS would care to comment, it would be appreciated.

    Ok, fair enough but the OP, IMHO had users connect to a page that had
    anonymous access enabled and was wondering why he could not track
    authenticated users, so the connection established was using anonymous, not
    Basic or Integrated. Only after he gave them a 401, did the authentication
    allow known users in.

    We agree the OP should have a logon for authenticated users and then
    redirect them to where the anonymous users gain access. I was aware that if
    they authenticated first it would be used unless they tried connecting to a
    page where anonymous only was set but my response related to if anonymous is
    enabled when connecting anonymous will always be tested first.

    I ran into the same problem years ago, and as you suggested, I offered a
    link for authenticated users.

    --
    Roland Hall
    /* This information is distributed in the hope that it will be useful, but
    without any warranty; without even the implied warranty of merchantability
    or fitness for a particular purpose. */
    Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
    WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
    MSDN Library - http://msdn.microsoft.com/library/default.asp
    Roland Hall, Apr 20, 2004
    #10
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Brett Porter
    Replies:
    2
    Views:
    755
    Andrea D'Onofrio [MSFT]
    Jan 20, 2004
  2. Brett Porter
    Replies:
    2
    Views:
    192
    Andrea D'Onofrio [MSFT]
    Jan 20, 2004
  3. Fabio Gouw

    ASP.NET Authentication and Windows Authentication

    Fabio Gouw, Nov 15, 2004, in forum: ASP .Net Security
    Replies:
    2
    Views:
    142
    Ken Schaefer
    Nov 16, 2004
  4. nenzax
    Replies:
    1
    Views:
    225
    Dominick Baier [DevelopMentor]
    Dec 18, 2005
  5. Michael D. Ober
    Replies:
    6
    Views:
    288
    Michael D. Ober
    Oct 30, 2006
Loading...

Share This Page