Intranet / IIS?

[Rob Meade]

Hi all,

This is a bit off topic I suspect, but I was hoping that most of you would
know the answer...

I want to have my IIS prompt for username/password credentials when a user
browses to the site externally, ie, not on my own network, but if they are
on the network (they would have already logged onto the domain) then they
should not be challenged.

I've been changing the security options but I seem to either get everyone
challenge (on and off of the lan) or no one challenged if I turn on
anonymous access...

Anyone got any URL's for configuring this or can offer some advice? I've
never tried this before as I've always allowed anonymous access and used the
server for development purposes only, now I want to build my own little
Intranet application (.net 2 - just to try and touch on relevance for this
group )...

Any help appreciated..

Regards

Rob

 

[George Ter-Saakov]

Unfortunately it's not possible to do with one page. (there is a workaround
though).
Problem is that if page is not protected (anonymous disabled) then IIS will
not authenticate anyone.
If it's protected then IIS will attempt to authenticate everyone.
------------------------------------------------
The workaround I came up with :

Make login.aspx not protected (anonymous enabled) and check for the IP
address if it's from within the network then redirect to login1.aspx which
is protected and IIS will NT authenticate person.


George.

 

[Rob]

Unfortunately it's not possible to do with one page. (there is a workaround
though).
Problem is that if page is not protected (anonymous disabled) then IIS will
not authenticate anyone.
If it's protected then IIS will attempt to authenticate everyone.

Hi George, thanks for your reply. I'm not really bothered about it
being for a single page, it would make more sense that the entire site
was protected. I had always assumed that the IIS/Windows way of
securing things would be better than developing my own login etc, plus
if the user is already logged in on the network/domain it kinda make
sense to use that (for this project at least). Is this the same as
"Forms" security/login in .net? I'm maybe getting confused between
all the options...

The spec of what I would be looking for would be:

a) external visitors to the network are challenged to login (ideally
in a Windows type of popup)
b) users of the network get in because they are "on" the network
etc...I would then pickup perhaps the Logon_User session variable to
display their NT name (SharePoint stylee)...

Make login.aspx not protected (anonymous enabled) and check for the IP
address if it's from within the network then redirect to login1.aspx which
is protected and IIS will NT authenticate person.

I see, but it would presumably require me to test as you mentioned for
the IP address, and I'd be looking for a 192.168 etc etc kinda range,
I'm guessing with the right tools someone could "spoof" their IP
address to appear as if they had a local IP address on my network?
Whilst they'd not get passed the firewall to do anything on the
servers, my web app might be compromised?

I'm surely not the first person thats wanted to do something like
this? I'm thinking of my 123-reg.co.uk account (domain name
registration thingy)...when I browse their site there's a link to
login (obviously they do have content that would be available to
people without accounts also - which I'd maybe not have for my
Intranet) - I click on login and I'm presented with the Windows
dialogue thingy to login, I enter my details and I'm in - sounds very
similar to what you've suggested, with regards to the two pages, one
area protected, one area not - but they're obviously not checking for
a local user.

Any more thoughts?

 

[George Ter-Saakov]

I'm guessing with the right tools someone could "spoof" their IP

address to appear as if they had a local IP address on my network?

Well, I do not see any problem with spoofing. It's not like you a letting
them in. They still have to pass NT Authentication.
So even if they guy smart enough to spoof IP he would fail NT Authentication
and go nowere.

George