authentication with iis4

Kevin Stevens kstevens at pratt.edu
Tue Mar 3 09:43:57 EST 1998


Richard is absolutely right... sorry for the oversight.  Keeping up with the
latest version of everything isn't easy!

As far as I know, blocking an IP address in the IIS file security tab denies
access entirely, no ifs ands or buts.  It won't allow you to roll over from
anonymous to basic or challenge authentication.  It would be a nice feature
for the next generation!

One possible solution, depending on your environment, would be to use
authentication without any IP address restrictions.  If the workstation is
already authenticated to the server/domain, it should automatically go to a
"restricted" page without asking for a user ID and password, assuming that
permissions are set up correctly.  In reality, this just moves the
ID/password check from the point at which you pull up the page to the point
you log in to Windows.  If you need this convenience just for public
workstations, you could use a utility such as TweakUI to automatically log
them in.  Implementing something like this across an entire campus would be
next to impossible, however.

There may also be third party programs/scripts that use their own filtering
or authentication schemes to provide the type of functionality you're
seeking.

Good luck!

Kevin Stevens
Computing Systems Manager
Pratt Institute Libraries
Brooklyn, NY

-----Original Message-----
From: Glen Davies <GLEN at rimu.cce.ac.nz>
To: Multiple recipients of list <web4lib at library.berkeley.edu>
Date: Monday, March 02, 1998 7:29 PM
Subject: Re[2]: authentication with iis4


>Hi
>
>Thanks. This is sort of what I am wanting, but instead of returning an error
>saying that you are not allowed access I want it to prompt for basic
>user id and password if the ip doesn't match. ie. if a user requests
>a page and their ip matches they automatically get it no questions
>asked. If their ip doesn't match then they get prompted for userid
>and password. If their user id and password fail then they get the
>access denied message. Do you know if this is possible?
>
>Thanks
>Regards
>Glen
>
>>
>>    Hi! This isn't quite true. You can restrict to the directory or file level
>>    with IIS4. At each level, right-click on the item, choose properties, and
>>    then the file access tab. You can then either automatically grant or deny
>>    access based upon exact IP numbers, ranges, or domains. You do need to use
>>    the Management Console for this level of control, but it is there.
>>
>>    As an example, try the page:
>>
>>       http://www.library.okstate.edu/info/oklafs/fsosu.htm
>>
>>    You should get a page, using a custom error message, telling you that you
>>    need to be a member of OSU for access. I get a different page continuing the
>>    process to get to OCLC. This is done with IP restrictions at the file-level
>>    and a custom error message.
>>
>>    --Richard
>>
>______________________________ Reply Separator _________________________________
>Subject: Re: authentication with iis4
>Author:  <kstevens at pratt.edu > at SMTP
>Date:    3/2/98 7:21 AM
>
>You can restrict by IP address on IIS 4.0 only by logical server.  You
>cannot limit by IP address on a directory-by-directory or file-by-file
>basis.  However, IIS includes the capability to run "virtual servers," which
>allows several sites to run on the same physical server, using different IP
>addresses or port numbers.  This provides a workaround to the problem, since
>each of the virtual servers can be configured with its own set of IP address
>restrictions.  If you have a spare IP address (or want to instruct users to
>specify a nonstandard port), you can add a virtual server with the root
>pointing to the "secure" subdirectory.
>
>The security configuration is fairly easy to set up.  Both settings are
>under the "Directory Security" property tab.  "IP address and domain
>restrictions" allows you to restrict the site by IP address/domain name.
>"Anonymous access and authentication control" allows you to disable
>anonymous access and enable either unencrypted (Basic) or encrypted (Windows
>NT Challenge/Response) authentication.  Challenge/Response only works from
>IE browsers 3.0 and higher.  Authentication is based on the built-in Windows
>NT security, so you will have to set up user account(s) and assign
>permissions to the files and directories you need to limit access to.
>
>Hope that helps!
>
>Kevin Stevens
>Computing Systems Manager
>Pratt Institute Libraries
>Brooklyn, NY
>
>-----Original Message-----
>From: Glen Davies <GLEN at rimu.cce.ac.nz>
>To: Multiple recipients of list <web4lib at library.berkeley.edu>
>Date: Thursday, February 26, 1998 8:08 PM
>Subject: authentication with iis4
>
>
>>Hi
>>
>>Does anybody know if the following user authentication scheme is
>>possible with iis4. I want to have a subdirectory of the server for
>>which the server first of all checks the client ip, if the ip is valid
>>access is allowed, if not the client is asked for basic userid and password.
>>
>>It is a bit hard to tell from the online documentation. It is obvious that
>>it does one or the other but it is not clear if two levels of
>>authentication are possible. I want to find out if this is possible before
>>I go to the bother of downloading and installing it.
>***********************************************************
>Glen Davies
>Information Technology Librarian
>Christchurch College of Education
>Christchurch
>New Zealand
>glen at rimu.cce.ac.nz
>64-3-343 7737
>************************************************************
>"I've been drunk for about a week now, and I thought it might
> sober me up to sit in a library" F.Scott Fitzgerald
>                                  The Great Gatsby, ch3
>************************************************************
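
The access scheme asked about in this thread (serve the page if the client IP matches, otherwise prompt for a Basic user ID and password, otherwise deny), sketched as an added example; it is not code from any poster and not an IIS interface. The network range, the user table and the names `decide` and `parse_basic` are constructed assumptions.

```python
import base64
import hmac
import ipaddress

# Constructed sample policy (assumptions, not values from the thread).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Demo store only; a real deployment would check salted hashes or OS accounts.
USERS = {"patron": "s3cret-example"}

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def decide(peer_ip, auth_header=None):
    """Return (HTTP status, extra response headers) for one request.

    peer_ip must be the address of the TCP peer as seen by the server,
    never a client-supplied header such as X-Forwarded-For.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        addr = None
    # Step 1: a matching IP gets the page with no questions asked.
    if addr is not None and any(addr in net for net in TRUSTED_NETS):
        return 200, {}
    # Step 2: no usable credentials yet, so send the Basic challenge.
    creds = parse_basic(auth_header)
    if creds is None:
        return 401, {"WWW-Authenticate": 'Basic realm="restricted"'}
    # Step 3: verify in constant time; a failed check yields access denied.
    user, password = creds
    expected = USERS.get(user)
    supplied_ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    if expected is not None and supplied_ok:
        return 200, {}
    return 403, {}
```

Basic credentials are only base64-encoded, so the challenge path belongs behind TLS.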


