How to use Self-authenticating scripts
There are too many variations to show how to create a
self authenticating script in this tutorial,
however they all share a common means of authenticating.
When a request comes in and the content to be displayed
is protected by a Basic Authentication username and password,
the script sends a 401 Access Denied message, indicating the realm,
and some html that is displayed to the user when the login attempt
A regular http reply looks like this:
HTTP/1.0 200 OK
Date: Wed, 11 Mar 1999 16:31:52 GMT
Last-Modified: Wed, 18 Feb 1998 22:45:46 GMT
Content: Interesting Stuff
A 401 Access denied reply looks like this
HTTP/1.0 401 Access Denied
Once the script sends a 401 Access Denied message, the
browser will pop up a dialog indicating the realm, and
invite the user to enter a username and password.
The user will not see the access denied content unless the
login fails. Some browser keep retrying the pop-up dialog until
it succeeds or the users escapes out, others only pop-up three times.
Date: Wed, 11 Mar 1999 16:35:47 GMT
WWW-Authenticate: Basic realm="Message in Popup"
Content: You cannot get in!
If the user types in a username and password the browser
will send them to the server as a part of the http request header
that looks like the following:
Authorization: Basic cGvcmU6cGRcmU=
The string "cGvcmU6cGRcmU=" is Base64 encoded.
The script will ask the server for this header by requesting the
server variable HTTP_AUTHORIZATION, and decode it.
The resulting string will be in
the format username:password and the script can match these against
acceptable values in order to determine whether to transmit the content or
issue another 401 Denied.
In IIS4 and above, the HTTP_AUTHORIZATION value may not be returned correctly by IIS.
In MMC, select the directory in which the ASP page calling this function resides.
If Basic (Clear Text) is off, and NTCR (Integrated Windows Authentication in Windows 2000) is on, then HTTP_AUTHORIZATION will not return
the correct value. This problem did not occur in IIS3.
Microsoft bug Case Number is SR X980 2166010 644.
Recommended workaround is to either
Make sure that Allow Anonymous is checked.
turn Basic (Clear Text) off and NTCR off for that directory.OR
turn Basic (Clear Text) on and NTCR on for that directory,
Self-authenticating scripts is the way to go if
you have the
skills, resources and time to do it.
You want to generate your content in a single program
You won't want Self-authenticating scripts if
You want protected content in normal directory/file/html format
You are worried about maintaining the content. Scripts can become fairly
complex when the content becomes large, and changes are not easily made.
If you have content stored in a database then this can be more flexible,
but you have the added complexity and performance hit of interfacing
to the database.
Back to index
Certificate based authentication.
Client certificates are an advanced form of authentication, and
at this time they are still very much in their infancy
with respect to
compatibility and ease of use.
SSL = secure socket layer.
= Microsoft Management Console.
How to use Certificate based authentication
Since this technology is still maturing, be sure to have
the latest versions of IIS installed on your system.
There are several good references to help understand
and use Client Certificate technology. Some articles that
are recommended include:
Obtain a certificate from a certificate issuing authority
such as Verisign or Thawte. Refer to the IIS documentation
on Key Manager.
Select a directory you want to protect in the MMC
Click on the Secure Communicatations Edit button
on the Directory Security property sheet
and use the certificate you obtained.
Select both Enable Client Certificates and Require Client Certificate
Enable client certificates for this resource
Issue client certificates for access to this resource.
"Internet Information Server 4.0 -
Security for the Web-Enabled Enterprise" by Nick Evans
in the Premier Edition of Security Advisor by Advisor.com publications,
"Web Project, Digital IDs" by Jon Udell in the March Edition of Byte magazine.
"Issuing digital certificates with Microsoft Certificate Server" section
of the IIS Security White Paper by Microsoft.
Certificate based authentication is the way to go if
you want a high degree of certainty of the identity of the users
accessing your site
You accept the need for SSL and don't mind paying the performance penalty.
You already have a certificate or you don't mind paying for one and setting it up.
You won't want Certificate based authentication if
The process of issuing a client certificate is too complex
and intimidating for both you and your users
You do not want the performance hit of having all protected
information exchanged via SSL
SPECIAL THANKS TO STEVEN SMITH of ASP ALLIANCE
Kevin Flick, Flicks Software