In IIS 7, how do you configure folder access for basic authentication against domain?
I've done the following:
Enabled Authentication - Basic Mode.
This seems to work for regular folders, but once I convert the folder to an Application in IIS, users get rejected unless I add them specifically to the Security item in Windows. Do I need to do this for every single user?
What if I need all members of domain to access a given url?
Related
I'm working on a web portal where a user is authenticated by LDAP through a perl CGI form. The authentication process uses the Net::LDAPS module. When logged in, the system keeps the user's authenticated status and creates a CGI cookie and the user can perform various actions through the portal, mostly interactions with a database, until the user logs out.
On the same server there's a directory with some files. I want a user to be able to log in to the web portal and then browse the file directory and be able to download those files.
The simplest way I can think of is placing an htaccess file with "Options +Indexes" and ldap authentication into the directory, but that would require another login that's not linked with the web portal.
Is there a way to link the web portal cgi-based ldap authentication to htaccess file?
You mention that the user can log out and then no longer use the portal. But there is no portable way for logging out a user with basic authentication. They will be able to continue browsing the directories.
Instead of your CGI script that authenticates the user, you can simply configure LDAP authentication for both the data directories and the portal. Ugly, but it would work.
The better and cleaner option for you will be to provide access to the data directories not directly but through the portal only. If you use Apache's path info feature (https://httpd.apache.org/docs/2.4/de/mod/core.html#acceptpathinfo) you don't even have to bother about checking the path for malicious "../../.." constructs and the URIs will look very natural to your users.
We are developing a Intranet portal that uses integrated authentication, but a few sections of the site will be exposed to users who are not in the domain. For those users we plan to use anonymous access. However, our display logic for the entire application is based on the user logged into the portal, so we are not fully comfortable with this approach. The URL has to be same for both types of users and transitioning between both the environments has to be seamless.
We tried using user controls in pages to authenticate but things didnt pan out. When the page is reached the standard windows authentication grey box pops up.
Is there any way to intercept the request at the IIS level like an HTTP application?
If applicable we would disable anonymous access and for unauthenticated users we will impersonate with a least privileged domain account and redirect to the home page.
SharePoint isn't really designed for the scenario you describe of mixing types of authentication. It dedicates a web application to one type of authentication. You can then 'extend' that web application to use another type of authentication on another address. For example, your intranet portal would use Windows authentication. It could then be extended to use anonymous authentication on another port or domain name.
One option for what you describe is to configure two separate web applications. One is for users that need to authenticate. The other is for anonymous access. Configure the content in the appropriate locations and link between the two as necessary. Users within your domain should not receive a login prompt when connecting to the authenticated site if you use this approach. Users outside your domain will receive a login box and won't be able to access.
Consider using forms authentication for users outside your domain if they need to access your intranet. (Once again the 'forms authenticated' part of your site would be extended to a unique domain name or port.) This would mean they will be prompted to enter their credentials in a form on the page when first connecting.
Read more about authentication on the Authentication Resource Center.
A couple of final points... If you can use SharePoint's default authentication mechanisms rather than writing your own controls, use them as they are well tested and secure. Also, don't be tempted to change SharePoint's IIS settings unless you are certain there is no other way to do what you need. SharePoint regularly updates these itself and may overwrite your changes (or give you grief in other ways).
A developer posts their code from a staging site (which requires authentication) to the live public site (which should not) and suddenly the live site is requiring authentication (which is not good).
They don't have permissions to change any settings on the server(s) and there is no call from the code on the live site to anything on the staging site, that I can locate. (No forgotten calls to an image on the staging site or anything)
Can the group think of some file that might have been removed/changed that could cause this to happen? I checked this question as well - [HTTP Authentication in ASP Classic via IIS] - but none of those methods are being used.
App is Classic ASP, IIS6.0 server.
Security Settings - Anonymous Access permitted on the live site. Account for anonymous internet users allowed read access to the directory where the site is located - user is unable to change directory or site permissions on the server.
Thanks!
Did the files retain their security permissions from the folder they were copied from? Reset the permissions on the files.
Are you using a four-part URL to get to the site (http://www.somesite.com/)? That will default to the Internet zone and not intranet, prompting for authentication.
User will get challenged when Anonymous Access is turned off in IIS. What are the security settings? Without that information, we will not be able to help much.
When I setup IIS6 to develop projects locally I have to enable "Integrated Windows Authentication" under directory security in order for my CSS & Images to show up. (Note: I have double checked that network service has rights to all directories in my web application)
However this often causes my browser to prompt me for windows login username and password when I am running the application.
Is there anyway to get around entering a windows login password all the time ?
(I am using windows xp pro 64bit)
Maybe it is some problem with the kerberos authentication to your web site. Just disable it on your site. from the c:\Inetpub\AdminScripts directory run this command.
cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"
Or change the authentication to anonymous. And make sure that the user in the directory security tab (IUSR_computername) has access to said directories. It is not the application pool user who access files and other resources.
Well it certainly is not as it's supposed to be!
You say you've double checked that Network Service has access to the directories. But with anonymous access, the account that needs access is the IUSR_[machinename] account. The account is specified under the Directory Security tab.
If all else fails, for local development you might as well grant everyone access to the directories.
We are having some issues getting SharePoint to work as we want it to.
We have an enterprise MOSS configuration on our domain and have the entry http://intranet pointing to it on port 80.
We also have another site collection and have pointed an internet domain name http:/nww.oursector.nhs.uk at it. We have done this to allow those outside our domain but on the same physical network to view it. Our network admin hasd configured the firewall to redirect any requests to this url to our sharepoint server.
The problem with this is that we have had to turn on anonymous access otherwise SharePoint sees this url as external and blocks authenticated access to the site. This means that all users need to manually sign in to the site, which is making working with SharePoint quite problematic.
Is there a way to configure SharePoint to allow the url http:/nww.oursector.nhs.uk to access the site collection without having anonymous access turned on for the site? I want users to be able to browse to the site and if authenticated then fine, if not then prompt them to login.
Can anyone suggest a way to achieve this?
I would say you need to use SharePoint's alternate access mapping to use the correct authentication type depending on the method users are using to access the website.
Basically i think this would work as follows for your situation:
For internal users, use the default zone, using NTLM with SSO configured.
Thus users should be signed in transparently without requiring to login.
For external users, extend the web application, using the extranet zone, using anonymous access.
This will allow external users, to browse the website without signing on.
See:
http://blogs.msdn.com/sharepoint/archive/2007/03/06/what-every-sharepoint-administrator-needs-to-know-about-alternate-access-mappings-part-1.aspx