authentication with iis4

rpage at rpage at
Tue Mar 3 11:14:31 EST 1998

   Hi! You should be able to code a custom error message using one of the 
   scripting languages (VBScript, JScript) that would prompt for 
   authentication. I haven't done this, but I don't see any reason why it 
   could not be done.
    Richard M. Page                         | Voice      (405) 744-5347
    Head, Library Systems Department        | Fax        (405) 744-7579
    224A Library, Oklahoma State University | 
    Stillwater, OK 74078-1070               | E-Mail: rpage at
   =+=+=+=+=+=+=+=+=+=+= +=+=+=+=+=+=+=+=+=+=+=

______________________________ Reply Separator _________________________________
Subject: Re[2]: authentication with iis4  
Author:  "Glen Davies" <GLEN at>  at SMTP
Date:    3/3/98 1:00 PM

Thanks. This is sort of what I am wanting, but instead of returning an error 
saying that you are not allowed access I want it to prompt for basic 
user id and password if the ip doesn't match. ie. if a user requests 
a page and their ip matches they automatically get it no questions 
asked. If their ip doesn't match then they get prompted for userid 
and password. If their user id and password fail then they get the 
access denied message. Do you know if this is possible?
>    Hi! This isn't quite true. You can restrict to the directory or file level 
>    with IIS4. At each level, right-click on the item, choose properties, and 
>    then the file access tab. You can then either automatically grant or deny 
>    access based upon exact IP numbers, ranges, or domains. You do need to use 
>    the Management Console for this level of control, but it is there.
>    As an example, try the page:
>    You should get a page, using a custom error message, telling you that you 
>    need to be a member of OSU for access. I get different page continuing the 
>    process to get to OCLC. This is done with IP restrictions at the file-level
>    and a custom error message.
>    --Richard
______________________________ Reply Separator _________________________________
Subject: Re: authentication with iis4 
Author:  <kstevens at > at SMTP 
Date:    3/2/98 7:21 AM
You can restrict by IP address on IIS 4.0 only by logical server.  You 
cannot limit by IP address on a directory-by-directory or file-by-file 
basis.  However, IIS includes the capability to run "virtual servers," which 
allows several sites to run on the same physical server, using different IP 
addresses or port numbers.  This provides a workaround to the problem, since 
each of the virtual servers can be configured with its own set of IP address 
restrictions.  If you have a spare IP address (or want to instruct users to 
specify a nonstandard port), you can add a virtual server with the root 
pointing to the "secure" subdirectory.
The security configuration is fairly easy to set up.  Both settings are 
under the "Directory Security" property tab.  "IP address and domain 
restrictions" allows you to restrict the site by IP address/domain name. 
"Anonymous access and authentication control" allows you to disable 
anonymous access and enable either unencrypted (Basic) or encrypted (Windows 
NT Challenge/Response) authentication.  Challenge/Response only works from 
IE browsers 3.0 and higher.  Authentication is based on the built-in Windows 
NT security, so you will have to set up user account(s) and assign 
permissions to the files and directories you need to limit access to.
Hope that helps!
Kevin Stevens
Computing Systems Manager
Pratt Institute Libraries
Brooklyn, NY
-----Original Message-----
From: Glen Davies <GLEN at>
To: Multiple recipients of list <web4lib at> 
Date: Thursday, February 26, 1998 8:08 PM
Subject: authentication with iis4
>Does anybody know if the following user authentication scheme is 
>possible with iis4. I want to have  subdirectory of the server for 
>which the server first of all checks the client ip, if the ip is valid 
access is
>allowed, if not the client is asked for basic userid and password. 
>It is a bit hard to tell from the online documentation. It is obvious that 
>it does one or the other but it is not clear if two levels of 
>authentication are possible. I want to find out if this is possible >before 
I go to the bother of downloading and installing it. 
Glen Davies
Information Technology Librarian
Christchurch College of Education
New Zealand
glen at
64-3-343 7737
"I've been drunk for about a week now, and I thought it might
 sober me up to sit in a library" F.Scott Fitzgerald
                                  The Great Gatsby, ch3

More information about the Web4lib mailing list