NT Authentication with ASP


Baranidharan

Hi

I am creating an intranet site. I want to display the name of the user
who has logged into the user. In case of Anonymous users I want to
fill their name as 'Guest'. I tried the following code.

<%
' Greet by name when IIS reports an authenticated user, otherwise as Guest
If Request.ServerVariables("REMOTE_USER") = "" Then
    Response.Write "Welcome Guest"
Else
    Response.Write "Welcome " & Request.ServerVariables("REMOTE_USER")
End If
%>

But even for authenticated users, I get the message as "Welcome
Guest".

If for preventing the Anonymous user I add
<%
' Refuse anonymous requests so the browser has to send credentials
If Request.ServerVariables("REMOTE_USER") = "" Then
    Response.Status = "401 Unauthorized"
Else
    ....
End If
%>

then I get the authenticated user's name (the REMOTE_USER variable
only then gets updated correctly). Where have I gone wrong?
 

Tom Kaminski [MVP]

Baranidharan said:
Hi

I am creating an intranet site. I want to display the name of the user
who has logged into the user. In case of Anonymous users i want to
fill their name as 'Guest'. I tried the following code.

<%
if Request.ServerVariables("REMOTE_USER") = "" then
Response.Write ("Welcome Guest")
else
Response.Write ("Welcome" + Request.Servervariables("REMOTE_USER") )
end if
%>

But even for authenticated users, i get the message as "Welcome
Guest".

If for preventing the Anonymous user i add
<%
if Request.ServerVariables("REMOTE_USER") = "" then
Response.Status = "401 Forbidden"
else
....
endif

then i get the authenticated user 's name (The REMOTE_USER Variable
only then gets updated correctly ). Where have i gone wrong?

You have to force the user to logon if you want to get their name. If you
only allow anonymous access there's no way to grab the name.
 

Roland Hall

in message
: > I am creating an intranet site. I want to display the name of the user
: > who has logged into the user. In case of Anonymous users i want to
: > fill their name as 'Guest'. I tried the following code.
: >
: > <%
: > if Request.ServerVariables("REMOTE_USER") = "" then
: > Response.Write ("Welcome Guest")
: > else
: > Response.Write ("Welcome" + Request.Servervariables("REMOTE_USER") )
: > end if
: > %>
: >
: > But even for authenticated users, i get the message as "Welcome
: > Guest".
: >
: > If for preventing the Anonymous user i add
: > <%
: > if Request.ServerVariables("REMOTE_USER") = "" then
: > Response.Status = "401 Forbidden"
: > else
: > ....
: > endif
: >
: > then i get the authenticated user 's name (The REMOTE_USER Variable
: > only then gets updated correctly ). Where have i gone wrong?
:
: You have to force the user to logon if you want to get their name. If you
: only allow anonymous access there's no way to grab the name.

To add...

This is a security issue, not an ASP issue.

If you INCLUDE anonymous logons, they will be checked first and thus
everyone will logon anonymously. So, IIS security works the opposite of a
router routing packets. A router will check to see if the destination
network has a defined route, and if not route through the DFG (default
gateway). IIS uses the DFG if it exists, no matter what defined routes
exist.

So one option is to have a page where everyone can see it but only allow
authenticated users to logon and give them special access where anonymous
access is not allowed.

And, it's better to use integrated authentication than Basic.

HTH...

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
 

Baranidharan

Hi All,

Thanx for your suggestions. Is there any other method to get the name
of the user logged in?

Coz I do not want to stop anonymous login (ppl across the network need
it :) )
But like in the example I hv said I want to find their username if at
all they are authenticated users.

Might be asking for more but is there just a way to do it?

Baranidharan.K.M
 

Tom Kaminski [MVP]

Roland Hall said:
If you INCLUDE anonymous logons, they will be checked first and thus
everyone will logon anonymously. So, IIS security works the opposite of a
router routing packets. A router will check to see if the destination
network has a defined route, and if not route through the DFG (default
gateway). IIS uses the DFG if it exists, no matter what defined routes
exist.

FWIW, IIS will first use the credentials provided by the browser, if they
exist. Without credentials, IIS will assume anonymous access. In other
words, once a user has authenticated, he will continue to browse as an
authenticated user for the lifetime of the client browser session (until the
browser is closed), even on anonymous content - so it is like the router
example.
 

Tom Kaminski [MVP]

Baranidharan said:
Hi All,

Thanx for your suggestions. Is there any other method to get the name
of the user logged in.

Coz i do not want to stop anonymous login (ppl across the network need
it :) )
But like in the example i hv said i want to find their username if at
all they are authenticated users.

Might be asking for more but is there just a way to do it.

Perhaps give your users a "logon" link to click?
 

Roland Hall

: > If you INCLUDE anonymous logons, they will be checked first and thus
: > everyone will logon anonymously. So, IIS security works the opposite of a
: > router routing packets. A router will check to see if the destination
: > network has a defined route, and if not route through the DFG (default
: > gateway). IIS uses the DFG if it exists, no matter what defined routes
: > exist.
:
: FWIW, IIS will first use the credentials provided by the browser, if they
: exist. Without credentials, IIS will assume anonymous access. In other
: words, once a user has authenticated, he will continue to browse as an
: authenticated user for the lifetime of the client browser session (until the
: browser is closed), even on anonymous content - so it is like the router
: example.

Thanks for the reply Tom but I have to disagree with you unless MSFT has bad
documentation which is not unknown to happen.

Note

a.. If Anonymous authentication is enabled, IIS will always try to
authenticate using it first, even if other methods are enabled.
http://www.microsoft.com/windows200...indows2000/en/server/iis/htm/core/iiabasc.htm

This may have changed for .NET and/or W2K3 but if not.....

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
 

Tom Kaminski [MVP]

Roland Hall said:
: > If you INCLUDE anonymous logons, they will be checked first and thus
: > everyone will logon anonymously. So, IIS security works the opposite of a
: > router routing packets. A router will check to see if the destination
: > network has a defined route, and if not route through the DFG (default
: > gateway). IIS uses the DFG if it exists, no matter what defined routes
: > exist.
:
: FWIW, IIS will first use the credentials provided by the browser, if they
: exist. Without credentials, IIS will assume anonymous access. In other
: words, once a user has authenticated, he will continue to browse as an
: authenticated user for the lifetime of the client browser session (until the
: browser is closed), even on anonymous content - so it is like the router
: example.

Thanks for the reply Tom but I have to disagree with you unless MSFT has bad
documentation which is not unknown to happen.

Note

a.. If Anonymous authentication is enabled, IIS will always try to
authenticate using it first, even if other methods are enabled.
http://www.microsoft.com/windows200...indows2000/en/server/iis/htm/core/iiabasc.htm

That's true, unless the browser has already authenticated. Go ahead and try
it. Create some content that allows anonymous but does not explicitly give
NTFS permissions to the authenticated user. Browse to some other content
that does not allow anonymous so the browser must authenticate. Then try to
browse to the anonymous content that does not allow NTFS permissions for the
user used to authenticate. If I'm wrong, then there's something wrong with
my environment.

See also http://support.microsoft.com/?kbid=264921
NOTES:
* When your browser establishes a connection with a Web site by using Basic
or NTLM authentication, it does not fall back to Anonymous during the rest
of that session with the server. If you try to connect to a Web page that is
marked for Anonymous only after authenticating, you will be denied. (This
may or may not hold true for Netscape).
* When Internet Explorer has established a connection with the server by
using Basic or NTLM authentication, it passes the credentials for every new
request for the duration of the session.

If someone from MS would care to comment, it would be appreciated.
 

Tom Kaminski [MVP]

Tom Kaminski said:
http://www.microsoft.com/windows200...indows2000/en/server/iis/htm/core/iiabasc.htm

That's true, unless the browser has already authenticated. Go ahead and try
it. Create some content that allows anonymous but does not explicitly give
NTFS permissions to the authenticated user. Browse to some other content
that does not allow anonymous so the browser must authenticate. Then try to
browse to the anonymous content that does not allow NTFS permissions for the
user used to authenticate. If I'm wrong, then there's something wrong with
my environment.

See also http://support.microsoft.com/?kbid=264921
NOTES:
* When your browser establishes a connection with a Web site by using Basic
or NTLM authentication, it does not fall back to Anonymous during the rest
of that session with the server. If you try to connect to a Web page that is
marked for Anonymous only after authenticating, you will be denied. (This
may or may not hold true for Netscape).
* When Internet Explorer has established a connection with the server by
using Basic or NTLM authentication, it passes the credentials for every new
request for the duration of the session.

If someone from MS would care to comment, it would be appreciated.

Added microsoft.public.inetserver.iis to the thread because asp.general is
really the wrong forum for this issue ...
 

Roland Hall

: > > : > If you INCLUDE anonymous logons, they will be checked first and thus
: > > : > everyone will logon anonymously. So, IIS security works the opposite of a
: > > : > router routing packets. A router will check to see if the destination
: > > : > network has a defined route, and if not route through the DFG (default
: > > : > gateway). IIS uses the DFG if it exists, no matter what defined routes
: > > : > exist.
: > > :
: > > : FWIW, IIS will first use the credentials provided by the browser, if they
: > > : exist. Without credentials, IIS will assume anonymous access. In other
: > > : words, once a user has authenticated, he will continue to browse as an
: > > : authenticated user for the lifetime of the client browser session (until the
: > > : browser is closed), even on anonymous content - so it is like the router
: > > : example.
: > >
: > > Thanks for the reply Tom but I have to disagree with you unless MSFT has bad
: > > documentation which is not unknown to happen.
: > >
: > > Note
: > >
: > > a.. If Anonymous authentication is enabled, IIS will always try to
: > > authenticate using it first, even if other methods are enabled.
: > > http://www.microsoft.com/windows200...indows2000/en/server/iis/htm/core/iiabasc.htm
: >
: > That's true, unless the browser has already authenticated. Go ahead and try
: > it. Create some content that allows anonymous but does not explicitly give
: > NTFS permissions to the authenticated user. Browse to some other content
: > that does not allow anonymous so the browser must authenticate. Then try to
: > browse to the anonymous content that does not allow NTFS permissions for the
: > user used to authenticate. If I'm wrong, then there's something wrong with
: > my environment.
: >
: > See also http://support.microsoft.com/?kbid=264921
: > NOTES:
: > * When your browser establishes a connection with a Web site by using Basic
: > or NTLM authentication, it does not fall back to Anonymous during the rest
: > of that session with the server. If you try to connect to a Web page that is
: > marked for Anonymous only after authenticating, you will be denied. (This
: > may or may not hold true for Netscape).
: > * When Internet Explorer has established a connection with the server by
: > using Basic or NTLM authentication, it passes the credentials for every new
: > request for the duration of the session.
: >
: > If someone from MS would care to comment, it would be appreciated.

Ok, fair enough but the OP, IMHO had users connect to a page that had
anonymous access enabled and was wondering why he could not track
authenticated users, so the connection established was using anonymous, not
Basic or Integrated. Only after he gave them a 401, did the authentication
allow known users in.

We agree the OP should have a logon for authenticated users and then
redirect them to where the anonymous users gain access. I was aware that if
they authenticated first it would be used unless they tried connecting to a
page where anonymous only was set but my response related to if anonymous is
enabled when connecting anonymous will always be tested first.

I ran into the same problem years ago, and as you suggested, I offered a
link for authenticated users.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
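
The "logon link" arrangement the replies settle on, written out as an added example (not code from any poster in this thread). The file names logon.asp and default.asp and the per-file IIS settings in the comments are assumptions. The greeting on default.asp relies on the browser continuing to send credentials after it has authenticated once, as described in the KB article quoted above.

```asp
<%
' ===== logon.asp (hypothetical file name) =====
' Assumed IIS setting for this file only: Anonymous access OFF,
' Integrated Windows authentication ON, so IIS challenges the browser.
Dim user
user = Request.ServerVariables("REMOTE_USER")
If user = "" Then
    ' Reached only if the file was left open to anonymous access:
    ' answer 401 so the browser is asked for credentials.
    Response.Status = "401 Unauthorized"
    Response.End
End If
' Fixed target, not read from the query string, so this page
' cannot be turned into an open redirect.
Response.Redirect "default.asp"
%>

<%
' ===== default.asp (hypothetical file name) =====
' Assumed IIS setting: Anonymous access ON, Integrated authentication ON.

' Returns the account name without its DOMAIN\ prefix.
Function ShortName(account)
    Dim pos
    pos = InStrRev(account, "\")
    If pos > 0 Then
        ShortName = Mid(account, pos + 1)
    Else
        ShortName = account
    End If
End Function

Dim remoteUser
remoteUser = Request.ServerVariables("REMOTE_USER")
If remoteUser = "" Then
    ' No credentials were sent: greet as Guest and offer the logon link.
    Response.Write "Welcome Guest (<a href=""logon.asp"">log on</a>)"
Else
    ' Display only; HTML-encode the name before writing it to the page.
    Response.Write "Welcome " & Server.HTMLEncode(ShortName(remoteUser))
End If
%>
```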
 
