NT Authentication with ASP

 
 
Baranidharan
      04-16-2004
Hi

I am creating an intranet site. I want to display the name of the user
who has logged into the user. In case of Anonymous users I want to
fill their name as 'Guest'. I tried the following code.

<%
' REMOTE_USER is empty when IIS served the request anonymously.
If Request.ServerVariables("REMOTE_USER") = "" Then
    Response.Write "Welcome Guest"
Else
    Response.Write "Welcome " & Server.HTMLEncode(Request.ServerVariables("REMOTE_USER"))
End If
%>

But even for authenticated users, I get the message as "Welcome
Guest".

If for preventing the Anonymous user I add
<%
If Request.ServerVariables("REMOTE_USER") = "" Then
    ' 401 makes the browser authenticate; the reason phrase is "Unauthorized".
    Response.Status = "401 Unauthorized"
Else
    ' ....
End If
%>

then I get the authenticated user's name (The REMOTE_USER variable
only then gets updated correctly). Where have I gone wrong?
 
Tom Kaminski [MVP]
      04-16-2004
"Baranidharan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Hi
>
> I am creating an intranet site. I want to display the name of the user
> who has logged into the user. In case of Anonymous users i want to
> fill their name as 'Guest'. I tried the following code.
>
> <%
> if Request.ServerVariables("REMOTE_USER") = "" then
> Response.Write ("Welcome Guest")
> else
> Response.Write ("Welcome" + Request.Servervariables("REMOTE_USER") )
> end if
> %>
>
> But even for authenticated users, i get the message as "Welcome
> Guest".
>
> If for preventing the Anonymous user i add
> <%
> if Request.ServerVariables("REMOTE_USER") = "" then
> Response.Status = "401 Forbidden"
> else
> ....
> endif
>
> then i get the authenticated user 's name (The REMOTE_USER Variable
> only then gets updated correctly ). Where have i gone wrong?


You have to force the user to logon if you want to get their name. If you
only allow anonymous access there's no way to grab the name.

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserv...y/centers/iis/



 
Roland Hall
      04-16-2004
"Tom Kaminski [MVP]" wrote in message
news:c5okrm$(E-Mail Removed)...
: "Baranidharan" <(E-Mail Removed)> wrote in message
: news:(E-Mail Removed) om...
: > I am creating an intranet site. I want to display the name of the user
: > who has logged into the user. In case of Anonymous users i want to
: > fill their name as 'Guest'. I tried the following code.
: >
: > <%
: > if Request.ServerVariables("REMOTE_USER") = "" then
: > Response.Write ("Welcome Guest")
: > else
: > Response.Write ("Welcome" + Request.Servervariables("REMOTE_USER") )
: > end if
: > %>
: >
: > But even for authenticated users, i get the message as "Welcome
: > Guest".
: >
: > If for preventing the Anonymous user i add
: > <%
: > if Request.ServerVariables("REMOTE_USER") = "" then
: > Response.Status = "401 Forbidden"
: > else
: > ....
: > endif
: >
: > then i get the authenticated user 's name (The REMOTE_USER Variable
: > only then gets updated correctly ). Where have i gone wrong?
:
: You have to force the user to logon if you want to get their name. If you
: only allow anonymous access there's no way to grab the name.

To add...

This is a security issue, not an ASP issue.

If you INCLUDE anonymous logons, they will be checked first and thus
everyone will logon anonymously. So, IIS security works the opposite of a
router routing packets. A router will check to see if the destination
network has a defined route, and if not route through the DFG (default
gateway). IIS uses the DFG if it exists, no matter what defined routes
exist.

So one option is to have a page where everyone can see it but only allow
authenticated users to logon and give them special access where anonymous
access is not allowed.

And, it's better to use integrated authentication than Basic.

HTH...

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp



 
Baranidharan
      04-17-2004
Hi All,

Thanx for your suggestions. Is there any other method to get the name
of the user logged in?

Coz I do not want to stop anonymous login (ppl across the network need
it).
But like in the example I hv said I want to find their username if at
all they are authenticated users.

Might be asking for more but is there just a way to do it?

Baranidharan.K.M


"Roland Hall" <nobody@nowhere> wrote in message news:<#(E-Mail Removed)>...
> "Tom Kaminski [MVP]" wrote in message
> news:c5okrm$(E-Mail Removed)...
> : "Baranidharan" <(E-Mail Removed)> wrote in message
> : news:(E-Mail Removed) om...
> : > I am creating an intranet site. I want to display the name of the user
> : > who has logged into the user. In case of Anonymous users i want to
> : > fill their name as 'Guest'. I tried the following code.
> : >
> : > <%
> : > if Request.ServerVariables("REMOTE_USER") = "" then
> : > Response.Write ("Welcome Guest")
> : > else
> : > Response.Write ("Welcome" + Request.Servervariables("REMOTE_USER") )
> : > end if
> : > %>
> : >
> : > But even for authenticated users, i get the message as "Welcome
> : > Guest".
> : >
> : > If for preventing the Anonymous user i add
> : > <%
> : > if Request.ServerVariables("REMOTE_USER") = "" then
> : > Response.Status = "401 Forbidden"
> : > else
> : > ....
> : > endif
> : >
> : > then i get the authenticated user 's name (The REMOTE_USER Variable
> : > only then gets updated correctly ). Where have i gone wrong?
> :
> : You have to force the user to logon if you want to get their name. If you
> : only allow anonymous access there's no way to grab the name.
>
> To add...
>
> This is a security issue, not an ASP issue.
>
> If you INCLUDE anonymous logons, they will be checked first and thus
> everyone will logon anonymously. So, IIS security works the opposite of a
> router routing packets. A router will check to see if the destination
> network has a defined route, and if not route through the DFG (default
> gateway). IIS uses the DFG if it exists, no matter what defined routes
> exist.
>
> So one option is to have a page where everyone can see it but only allow
> authenticated users to logon and give them special access where anonymous
> access is not allowed.
>
> And, it's better to use integrated authentication than Basic.
>
> HTH...

 
Tom Kaminski [MVP]
      04-19-2004
"Roland Hall" <nobody@nowhere> wrote in message
news:%(E-Mail Removed)...
> If you INCLUDE anonymous logons, they will be checked first and thus
> everyone will logon anonymously. So, IIS security works the opposite of a
> router routing packets. A router will check to see if the destination
> network has a defined route, and if not route through the DFG (default
> gateway). IIS uses the DFG if it exists, no matter what defined routes
> exist.


FWIW, IIS will first use the credentials provided by the browser, if they
exist. Without credentials, IIS will assume anonymous access. In other
words, once a user has authenticated, he will continue to browse as an
authenticated user for the lifetime of the client browser session (until the
browser is closed), even on anonymous content - so it is like the router
example.

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserv...y/centers/iis/



 
Tom Kaminski [MVP]
      04-19-2004
"Baranidharan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Hi All,
>
> Thanx for your suggestions. Is there any other method to get the name
> of the user logged in.
>
> Coz i do not want to stop anonymous login (ppl across the network need
> it )
> But like in the example i hv said i want to find their username if at
> all they are authenticated users.
>
> Might be asking for more but is there just a way to do it.


Perhaps give your users a "logon" link to click?

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserv...y/centers/iis/



 
Roland Hall
      04-20-2004
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c60e2f$(E-Mail Removed)...
: "Roland Hall" <nobody@nowhere> wrote in message
: news:%(E-Mail Removed)...
: > If you INCLUDE anonymous logons, they will be checked first and thus
: > everyone will logon anonymously. So, IIS security works the opposite of a
: > router routing packets. A router will check to see if the destination
: > network has a defined route, and if not route through the DFG (default
: > gateway). IIS uses the DFG if it exists, no matter what defined routes
: > exist.
:
: FWIW, IIS will first use the credentials provided by the browser, if they
: exist. Without credentials, IIS will assume anonymous access. In other
: words, once a user has authenticated, he will continue to browse as an
: authenticated user for the lifetime of the client browser session (until the
: browser is closed), even on anonymous content - so it is like the router
: example.

Thanks for the reply Tom but I have to disagree with you unless MSFT has bad
documentation which is not unknown to happen.

Note

a.. If Anonymous authentication is enabled, IIS will always try to
authenticate using it first, even if other methods are enabled.
http://www.microsoft.com/windows2000...re/iiabasc.htm

This may have changed for .NET and/or W2K3 but if not.....

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp


 
Tom Kaminski [MVP]
      04-20-2004
"Roland Hall" <nobody@nowhere> wrote in message
news:(E-Mail Removed)...
> "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> news:c60e2f$(E-Mail Removed)...
> : "Roland Hall" <nobody@nowhere> wrote in message
> : news:%(E-Mail Removed)...
> : > If you INCLUDE anonymous logons, they will be checked first and thus
> : > everyone will logon anonymously. So, IIS security works the opposite of a
> : > router routing packets. A router will check to see if the destination
> : > network has a defined route, and if not route through the DFG (default
> : > gateway). IIS uses the DFG if it exists, no matter what defined routes
> : > exist.
> :
> : FWIW, IIS will first use the credentials provided by the browser, if they
> : exist. Without credentials, IIS will assume anonymous access. In other
> : words, once a user has authenticated, he will continue to browse as an
> : authenticated user for the lifetime of the client browser session (until the
> : browser is closed), even on anonymous content - so it is like the router
> : example.
>
> Thanks for the reply Tom but I have to disagree with you unless MSFT has bad
> documentation which is not unknown to happen.
>
> Note
>
> a.. If Anonymous authentication is enabled, IIS will always try to
> authenticate using it first, even if other methods are enabled.
> http://www.microsoft.com/windows2000...re/iiabasc.htm

That's true, unless the browser has already authenticated. Go ahead and try
it. Create some content that allows anonymous but does not explicitly give
NTFS permissions to the authenticated user. Browse to some other content
that does not allow anonymous so the browser must authenticate. Then try to
browse to the anonymous content that does not allow NTFS permissions for the
user used to authenticate. If I'm wrong, then there's something wrong with
my environment.

See also http://support.microsoft.com/?kbid=264921
NOTES:
* When your browser establishes a connection with a Web site by using Basic
or NTLM authentication, it does not fall back to Anonymous during the rest
of that session with the server. If you try to connect to a Web page that is
marked for Anonymous only after authenticating, you will be denied. (This
may or may not hold true for Netscape).
* When Internet Explorer has established a connection with the server by
using Basic or NTLM authentication, it passes the credentials for every new
request for the duration of the session.

If someone from MS would care to comment, it would be appreciated.

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserv...y/centers/iis/



 
Tom Kaminski [MVP]
      04-20-2004
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c6344a$(E-Mail Removed)...
> "Roland Hall" <nobody@nowhere> wrote in message
> news:(E-Mail Removed)...
> > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
> > news:c60e2f$(E-Mail Removed)...
> > : "Roland Hall" <nobody@nowhere> wrote in message
> > : news:%(E-Mail Removed)...
> > : > If you INCLUDE anonymous logons, they will be checked first and thus
> > : > everyone will logon anonymously. So, IIS security works the opposite of a
> > : > router routing packets. A router will check to see if the destination
> > : > network has a defined route, and if not route through the DFG (default
> > : > gateway). IIS uses the DFG if it exists, no matter what defined routes
> > : > exist.
> > :
> > : FWIW, IIS will first use the credentials provided by the browser, if they
> > : exist. Without credentials, IIS will assume anonymous access. In other
> > : words, once a user has authenticated, he will continue to browse as an
> > : authenticated user for the lifetime of the client browser session (until the
> > : browser is closed), even on anonymous content - so it is like the router
> > : example.
> >
> > Thanks for the reply Tom but I have to disagree with you unless MSFT has bad
> > documentation which is not unknown to happen.
> >
> > Note
> >
> > a.. If Anonymous authentication is enabled, IIS will always try to
> > authenticate using it first, even if other methods are enabled.
> > http://www.microsoft.com/windows2000...re/iiabasc.htm
>
> That's true, unless the browser has already authenticated. Go ahead and try
> it. Create some content that allows anonymous but does not explicitly give
> NTFS permissions to the authenticated user. Browse to some other content
> that does not allow anonymous so the browser must authenticate. Then try to
> browse to the anonymous content that does not allow NTFS permissions for the
> user used to authenticate. If I'm wrong, then there's something wrong with
> my environment.
>
> See also http://support.microsoft.com/?kbid=264921
> NOTES:
> * When your browser establishes a connection with a Web site by using Basic
> or NTLM authentication, it does not fall back to Anonymous during the rest
> of that session with the server. If you try to connect to a Web page that is
> marked for Anonymous only after authenticating, you will be denied. (This
> may or may not hold true for Netscape).
> * When Internet Explorer has established a connection with the server by
> using Basic or NTLM authentication, it passes the credentials for every new
> request for the duration of the session.
>
> If someone from MS would care to comment, it would be appreciated.


Added microsoft.public.inetserver.iis to the thread because asp.general is
really the wrong forum for this issue ...

--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserv...y/centers/iis/



 
Roland Hall
      04-20-2004
"Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
news:c6348i$(E-Mail Removed)...
: "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
: news:c6344a$(E-Mail Removed)...
: > "Roland Hall" <nobody@nowhere> wrote in message
: > news:(E-Mail Removed)...
: > > "Tom Kaminski [MVP]" <tomk (A@T) mvps (D.O.T) org> wrote in message
: > > news:c60e2f$(E-Mail Removed)...
: > > : "Roland Hall" <nobody@nowhere> wrote in message
: > > : news:%(E-Mail Removed)...
: > > : > If you INCLUDE anonymous logons, they will be checked first and thus
: > > : > everyone will logon anonymously. So, IIS security works the opposite of a
: > > : > router routing packets. A router will check to see if the destination
: > > : > network has a defined route, and if not route through the DFG (default
: > > : > gateway). IIS uses the DFG if it exists, no matter what defined routes
: > > : > exist.
: > > :
: > > : FWIW, IIS will first use the credentials provided by the browser, if they
: > > : exist. Without credentials, IIS will assume anonymous access. In other
: > > : words, once a user has authenticated, he will continue to browse as an
: > > : authenticated user for the lifetime of the client browser session (until the
: > > : browser is closed), even on anonymous content - so it is like the router
: > > : example.
: > >
: > > Thanks for the reply Tom but I have to disagree with you unless MSFT has bad
: > > documentation which is not unknown to happen.
: > >
: > > Note
: > >
: > > a.. If Anonymous authentication is enabled, IIS will always try to
: > > authenticate using it first, even if other methods are enabled.
: > > http://www.microsoft.com/windows2000...re/iiabasc.htm
: >
: > That's true, unless the browser has already authenticated. Go ahead and try
: > it. Create some content that allows anonymous but does not explicitly give
: > NTFS permissions to the authenticated user. Browse to some other content
: > that does not allow anonymous so the browser must authenticate. Then try to
: > browse to the anonymous content that does not allow NTFS permissions for the
: > user used to authenticate. If I'm wrong, then there's something wrong with
: > my environment.
: >
: > See also http://support.microsoft.com/?kbid=264921
: > NOTES:
: > * When your browser establishes a connection with a Web site by using Basic
: > or NTLM authentication, it does not fall back to Anonymous during the rest
: > of that session with the server. If you try to connect to a Web page that is
: > marked for Anonymous only after authenticating, you will be denied. (This
: > may or may not hold true for Netscape).
: > * When Internet Explorer has established a connection with the server by
: > using Basic or NTLM authentication, it passes the credentials for every new
: > request for the duration of the session.
: >
: > If someone from MS would care to comment, it would be appreciated.

Ok, fair enough but the OP, IMHO had users connect to a page that had
anonymous access enabled and was wondering why he could not track
authenticated users, so the connection established was using anonymous, not
Basic or Integrated. Only after he gave them a 401, did the authentication
allow known users in.

We agree the OP should have a logon for authenticated users and then
redirect them to where the anonymous users gain access. I was aware that if
they authenticated first it would be used unless they tried connecting to a
page where anonymous only was set but my response related to if anonymous is
enabled when connecting anonymous will always be tested first.

I ran into the same problem years ago, and as you suggested, I offered a
link for authenticated users.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp
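
The "logon link" approach the thread settles on, sketched as an added example (not code from any poster): a single page that requires authentication, records the name, and sends the user back to the anonymous pages. The file name `logon.asp`, the `return` query parameter, the `UserName` session key and `/default.asp` are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' logon.asp (hypothetical name), the target of the "logon" link.
' Assumption: Anonymous access is switched off for this one file in IIS
' (or its NTFS ACL excludes the anonymous account), while the pages for
' guests keep Anonymous enabled.

' Accept only a site-local path as the return target so the link cannot
' be used to send users to another host.
Function SafeReturnPath(ByVal p)
    SafeReturnPath = "/default.asp"   ' hypothetical landing page
    If Len(p) < 2 Then Exit Function
    If Left(p, 1) <> "/" Or Left(p, 2) = "//" Then Exit Function
    If InStr(p, "\") > 0 Or InStr(p, ":") > 0 Then Exit Function
    If InStr(p, vbCr) > 0 Or InStr(p, vbLf) > 0 Then Exit Function
    SafeReturnPath = p
End Function

Dim userName
userName = Request.ServerVariables("REMOTE_USER") & ""

If userName = "" Then
    ' Request was still served anonymously: answer 401 so the browser
    ' authenticates and retries, as in the original post.
    Response.Status = "401 Unauthorized"
    Response.End
End If

' Remember the name so pages that allow Anonymous can greet the user
' without depending on REMOTE_USER being set there.
Session("UserName") = userName          ' hypothetical session key
Response.Redirect SafeReturnPath(Request.QueryString("return") & "")
%>
```

Pages that allow Anonymous can then print `Server.HTMLEncode(Session("UserName"))` when it is non-empty and "Guest" otherwise, which works whichever of the two browser behaviours debated above applies.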


 