Drew Wutka
DWUTKA at marlow.com
Thu Jul 31 21:22:25 CDT 2003
Sorry, I'm WAY behind on my list posts (It's showing 633 unread right now....). This is definitely my ball of wax, in fact, Susan and I just wrote up an article about this. Okay, here's the deal, there is a MAJOR drawback to using Integrated Windows Authentication. The drawback is, that you cannot use any resources that are not directly located on the IIS server. For example, if you have an IIS server hosting your Intranet, and you have a file server that has company databases on it, you cannot access the company databases from the Intranet, through ASP. In fact, I don't even think a link would work either...in fact I am 98% sure of that, but I'm too swamped to test it. The reason is, the Integrated method creates a local token, not a domain token, so it's only valid on the local machine, not anywhere else on the domain. Now, Anonymous and Plain Text Authentication both create valid network tokens. So both of those methods are able to access other network resources. However, with Anonymous, you can't tell who is hitting the site, because everyone is using the same 'anonymous' account. You can tell the IP Address though, and I would guess there has got to be a way to get the logged on user from the current IP address from a domain controller....would have to think about how to do that. With Plain Text authentication though, you can tell who's logged in (in fact the login credentials can be in the URL), but the name and password are sent through the lines in plain text (as the method is titled). In fact, you can retrieve the password through ASP. There is a fourth option, but only if the IIS server is a controlling server on an Active Directory domain. It is called digest authentication, but it also requires that your domain uses reversible encryption. It works a lot like Integrated Windows authentication, but it doesn't have the local resource issue. Drew -----Original Message----- From: Haslett, Andrew [mailto:andrew.haslett at ilc.gov.au] Sent: Thursday, July 31, 2003 5:48 PM To: 'Access Developers discussion and problem solving' Subject: RE: [AccessD] OT: Retreiving user login name via ASP No drawbacks at all. In fact its a (very simple) security enhancement, in that only authorised users of your domain can now access the site. Don't know your environment, but if your site were to hold sensitive information and it were hacked from outside somehow, then its an extra step for the hackers to get around since anonymous access is disabled. Cheers, Andrew -----Original Message----- From: Jim DeMarco [mailto:Jdemarco at hshhp.org] Sent: Thursday, 31 July 2003 9:40 PM To: Access Developers discussion and problem solving Subject: RE: [AccessD] OT: Retreiving user login name via ASP Got it. I had to disable Anonymous Access and now I see the user name. Any thoughts on what effect doing this will have if we disable anonymous access on our intranet? Thanks a lot for the help Andrew. Jim DeMarco Director of Product Development HealthSource/Hudson Health Plan -----Original Message----- From: Haslett, Andrew [mailto:andrew.haslett at ilc.gov.au] Sent: Wednesday, July 30, 2003 6:15 PM To: 'Access Developers discussion and problem solving' Subject: RE: [AccessD] OT: Retreiving user login name via ASP Jim, In IIS, right click the website in question to bring up its properties. Under Directory Security you will see options for a number of methods of authentication. Uncheck everything except integrated and the Users NT login will then be used to authenticate them to your site. Their details should also then be passed to those HTTP server variables for you to access. If that doesn't work then there must be a setting incorrect somewhere as it does work - we use it in our apps on the intranet at work. Cheers, Andrew -----Original Message----- From: Jim DeMarco [mailto:Jdemarco at hshhp.org] Sent: Thursday, 31 July 2003 2:52 AM To: Access Developers discussion and problem solving Subject: RE: [AccessD] OT: Retreiving user login name via ASP Andrew, This didn't work. How do I know if we're using Integrated Authentication? Is that Windows or IIS? Thanks, Jim -----Original Message----- From: Haslett, Andrew [mailto:andrew.haslett at ilc.gov.au] Sent: Tuesday, July 29, 2003 8:09 PM To: 'Access Developers discussion and problem solving' Subject: RE: [AccessD] OT: Retreiving user login name via ASP If using Integrated Authentication, the NT user name is passed through the browser HTTP Server variables. Try this: Response.Write (Request.ServerVariables("LOGON_USER")) This returns a string in the format domain\username If LOGON_USER doesn't work, try REMOTE_USER Cheers, Andrew -----Original Message----- From: Jim DeMarco [mailto:Jdemarco at hshhp.org] Sent: Wednesday, 30 July 2003 6:35 AM To: Access Developers discussion and problem solving Subject: [AccessD] OT: Retreiving user login name via ASP Having a disagreement with the boss that maybe someone here can clear up for me. He thinks there is a way to return the Win2K user login name from an ASP page. I'm not 100% certain but I don't know that I've ever seen that done. Does anyone know if it's possible? If it is a code sample would be appreciated. Thanks, Jim DeMarco **************************************************************************** ******* "This electronic message is intended to be for the use only of the named recipient, and may contain information from Hudson Health Plan (HHP) that is confidential or privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us immediately, either by contacting the sender at the electronic mail address noted above or calling HHP at (914) 631-1611. If you are not the intended recipient, please do not forward this email to anyone, and delete and destroy all copies of this message. Thank You". **************************************************************************** ******* _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com IMPORTANT - PLEASE READ ******************** This email and any files transmitted with it are confidential and may contain information protected by law from disclosure. If you have received this message in error, please notify the sender immediately and delete this email from your system. No warranty is given that this email or files, if attached to this email, are free from computer viruses or other defects. They are provided on the basis the user assumes all responsibility for loss, damage or consequence resulting directly or indirectly from their use, whether caused by the negligence of the sender or not. _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com **************************************************************************** ******* "This electronic message is intended to be for the use only of the named recipient, and may contain information from Hudson Health Plan (HHP) that is confidential or privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us immediately, either by contacting the sender at the electronic mail address noted above or calling HHP at (914) 631-1611. If you are not the intended recipient, please do not forward this email to anyone, and delete and destroy all copies of this message. Thank You". **************************************************************************** ******* _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com IMPORTANT - PLEASE READ ******************** This email and any files transmitted with it are confidential and may contain information protected by law from disclosure. If you have received this message in error, please notify the sender immediately and delete this email from your system. No warranty is given that this email or files, if attached to this email, are free from computer viruses or other defects. They are provided on the basis the user assumes all responsibility for loss, damage or consequence resulting directly or indirectly from their use, whether caused by the negligence of the sender or not. _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com **************************************************************************** ******* "This electronic message is intended to be for the use only of the named recipient, and may contain information from Hudson Health Plan (HHP) that is confidential or privileged. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received this message in error or are not the named recipient, please notify us immediately, either by contacting the sender at the electronic mail address noted above or calling HHP at (914) 631-1611. If you are not the intended recipient, please do not forward this email to anyone, and delete and destroy all copies of this message. Thank You". **************************************************************************** ******* _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com IMPORTANT - PLEASE READ ******************** This email and any files transmitted with it are confidential and may contain information protected by law from disclosure. If you have received this message in error, please notify the sender immediately and delete this email from your system. No warranty is given that this email or files, if attached to this email, are free from computer viruses or other defects. They are provided on the basis the user assumes all responsibility for loss, damage or consequence resulting directly or indirectly from their use, whether caused by the negligence of the sender or not. _______________________________________________ AccessD mailing list AccessD at databaseadvisors.com http://databaseadvisors.com/mailman/listinfo/accessd Website: http://www.databaseadvisors.com