Flicks Software

Authentication
Tutorial
Page 3 of 4


NT Challenge Response

Using NT Challenge Response is an obvious choice, and is included as one of the options when you set up each IIS directory. Any directory you want to protect must be on an NTFS partition.

Definitions

  • NTCR = NT Challenge Response (Integrated Windows Authentication in Windows 2000)
  • NTLM = NT Lan Manager
  • NTFS = NT File System

How to set up NTCR (Integrated Windows Authentication in Windows 2000)

In Internet Service Manager (IIS1-3) or the Microsoft Management Console for IIS (IIS4 and up) select the directory you want to protect. Make sure Basic (Clear Text) is off and Windows NT Challenge Response is on. You can leave Allow Anonymous on.

Create an account for each user to whom you want to provide access, remove the permissions for "IUSR_machinename" from the directory, and add permissions for the added users. Alternatively, you could set up a group, permit access to that group, and add permitted users to the group. Remember, the user will need execute rights if the directory has any ASP, ISAPI extensions, counters, and so on.
Note that when the user returns to a non-protected page, they will be prompted for their username and password again, unless you have also granted them read access to non-protected pages. However, cancelling the prompt will let them in, disconcerting though this may be.
If the user has permission to access the directory but is in a different domain than the IIS machine, the user will have to prepend the domain name, so IIS knows where to look for the password.

Because NTCR (Integrated Windows Authentication in Windows 2000) uses a token mechanism for verifying users, the password of the currently logged in user is not available to IIS. This will have an impact if you are trying to access a resource which is not on the same machine as IIS, since IIS will not be able to log in as the current user to a machine elsewhere on the LAN. For example, if an NTCR (Integrated Windows Authentication in Windows 2000) protected ASP page tried to read an Access mdb file on another machine, it would fail. Similarly for SQL Server with Integrated or Mixed security. See Q166029, Q149425.

NTCR/NTFS is the way to go if you are on a Windows Network. For intranets NTCR (Integrated Windows Authentication in Windows 2000) can be an ideal solution, where all users are on accessible domains, there aren't too many users, and you can require the use of a compatible browser (Internet Explorer is the only browser which supports NTCR).

You won't want to use NTCR/NTFS if


IIS Basic Authentication

IIS Basic Authentication is included as an option when you set up each IIS directory. Any directory you want to protect must be on an NTFS partition.

Definitions

  • SSL = Secure Socket Layer.

How to set up IIS Basic Authentication

Setting up IIS Basic Authentication is similar to setting up NTCR (Integrated Windows Authentication in Windows 2000).

In Internet Service Manager (IIS1-3) or the Microsoft Management Console for IIS (IIS4 and up) select the directory you want to protect. Turn on Basic (Clear Text) and turn off Windows NT Challenge Response. It is OK to leave Allow Anonymous on.

When you select Basic (Clear Text) you will be warned that your Windows NT usernames and passwords will be transmitted without being encrypted. For your NT accounts this is a pretty serious issue. You should only consider this option in combination with SSL, which is slow and requires you to buy a certificate from Verisign or Thawte (among others).
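To make the "Clear Text" warning concrete, here is an added example (not code from the original tutorial) that builds and decodes an HTTP Basic Authorization header exactly as a browser sends it to IIS, including the DOMAIN\user form, and applies the policy the text recommends: accept Basic credentials only when the connection is protected by SSL. The sample credentials are constructed for illustration.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Optional


@dataclass
class BasicCredentials:
    domain: Optional[str]
    username: str
    password: str


def build_basic_authorization(domain, username, password):
    """Encode credentials the way a browser does: base64 of 'user:password'.
    Base64 is reversible encoding, not encryption."""
    user_id = f"{domain}\\{username}" if domain else username
    token = base64.b64encode(f"{user_id}:{password}".encode("latin-1"))
    return "Basic " + token.decode("ascii")


def parse_basic_authorization(header):
    """Decode a Basic Authorization header value into its plaintext parts.
    Raises ValueError for other schemes or malformed tokens."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed base64 in Basic credentials") from exc
    # RFC 7617: the first colon separates user-id from password; the
    # password itself may contain further colons.
    user_id, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        raise ValueError("Basic credentials lack the user:password separator")
    # IIS accepts 'DOMAIN\user' so it knows which domain holds the account.
    domain, backslash, user = user_id.rpartition("\\")
    if not backslash:
        domain, user = "", user_id
    return BasicCredentials(domain or None, user, password)


def basic_auth_allowed(header, over_ssl):
    """Policy check: Basic credentials are only acceptable over SSL."""
    if not over_ssl:
        return False
    parse_basic_authorization(header)  # raises if malformed
    return True


# Constructed sample: what a browser sends for CORP\alice with password s3cr:et
SAMPLE_HEADER = build_basic_authorization("CORP", "alice", "s3cr:et")
```

Decoding SAMPLE_HEADER returns the domain, username and password verbatim, which is why the tutorial treats Basic without SSL as a serious risk to NT accounts.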

Create an account for each user to whom you want to give access, remove the permissions for "IUSR_machinename" from the directory, and add permissions for the users you added.
Alternatively, you could set up a group, permit access to that group, and add permitted users to that group.
Remember, the user will need execute rights if the directory has any ASP, ISAPI extensions, counters, etc.

IIS Basic Authentication is the way to go if you accept the need for SSL, don't mind paying the performance penalty, and either already have a certificate or don't mind paying for one and setting it up.

You won't want to use IIS Basic Authentication if you are concerned about the security of your NT accounts and performance. IIS calls LogonUser and ImpersonateLoggedOnUser for each and every request, which is expensive in terms of CPU cycles.


A Third Party Basic Authentication filter

AuthentiX is a fast, filter-based third party tool for IIS (3, 4, 5, and 6/.NET Server) authentication developed by Flicks Software (the author of this tutorial).
It allows you to protect content directories and individual files by asking for usernames and passwords held separately from the Windows NT/2000 usernames and passwords, ensuring the security of your NT accounts.

Definitions

  • ODBC = Open Database Connectivity.

How to set up AuthentiX, a third party Basic Authentication filter

Setting up AuthentiX is easy and straightforward.

  • Download the free evaluation version, unzip it and run setup.exe. Installshield will guide you through the rest of the installation process.
  • Make sure Windows Basic Authentication (Clear Text) is off and Allow Anonymous is on. You can leave Windows NT Challenge Response on or off.
  • Create a user. From the main AuthentiX dialog, click the Users button, then Add. Type a username and password and click OK. The user will be added to the User List. Click OK.
  • Create a group. From the main AuthentiX dialog, click the Groups button, then Add. Type a Groupname, click on a user (to highlight it) listed in the Non-Members list box, and click Add. The user will be moved to the Members list box. Click OK. You should now see the group in the group list. Click OK.
  • Protect a directory. From the main AuthentiX dialog, click the Access button, then Add. Click the Browse button and select a directory that is part of your web directories, and that you would like to protect. Click the By Group button and add the group you created in the previous step. Click OK. You should now see that the group is protecting that directory. Verify that the group is protecting the desired directory and click OK twice.
  • Using a browser, go to the URL that the directory is accessed from using IIS. It should prompt you for your username and password.
  • Type the username and password and you should be granted access.
You can see how to set up ODBC and other advanced options by downloading the online Windows help file or checking out the online Guided Tour. Because the pace of enhancements and improvements to this product sometimes outstrips the documentation, you can find out more by working with the free evaluation download.

AuthentiX, a third party Basic Authentication filter, is the way to go if

  • You want the high performance that a filter offers
  • You want to be able to add and modify users from ASP and ASP.NET files and don't want the ASP pages and ASP.NET related files to have SysAdmin privileges
  • You want browser independence
  • You don't want any chance of compromising NT username/password security
  • You want to separate your web-users from your NT Accounts
  • You are concerned about performance. In addition to the speed associated with filter based solutions, AuthentiX is unique in that it does not impersonate an NT account to grant access, eliminating the CPU-expensive call to LogonUser on every request.
  • You have directories you want to validate against an ODBC database
  • You want to authenticate multiple IIS servers against a single ODBC machine on the LAN.
  • You want to use browser based remote administration
  • You need to protect all content in a directory: htm, asp, gif, jpg, zip, and so on.
  • You want advanced features like
    • limiting concurrent logins,
    • bandwidth, request and login throttling,
    • protecting by IP, Domain Name and by referrer
You won't want to use a third party Basic or Cookie Based Authentication filter if
  • Protecting your premium content directories does not warrant the price of registration.
  • Basic Authentication and Cookie Based Authentication are not secure enough for your purposes
  • You want all accounts of every type in the NT user account database, for administrative reasons.

By Kevin Flick, Flicks Software
http://www.flicks.com/

Copyright © 1998-2018 Kevin Flick
All rights reserved.
This document may not be reproduced or distributed in whole or in part without prior written permission from the author.