Intranet / IIS?

Unfortunately it's not possible to do with one page. (there is a workaround
though).
Problem is that if page is not protected (anonymous disabled) then IIS will
not authenticate anyone.
If it's protected then IIS will attempt to authenticate everyone.
------------------------------------------------
The workaround I came up with :

Make login.aspx not protected (anonymous enabled) and check for the IP
address if it's from within the network then redirect to login1.aspx which
is protected and IIS will NT authenticate person.
George.


"Rob Meade" <ku***************@edaem.borwrote in message
news:uL****************@TK2MSFTNGP04.phx.gbl...

Hi all,

This is a bit off topic I suspect, but I was hoping that most of you would
know the answer...

I want to have my IIS prompt for username/password credentials when a user
browses to the site externally, ie, not on my own network, but if they are
on the network (they would have already logged onto the domain) then they
should not be challenged.

I've been changing the security options but I seem to either get everyone
challenge (on and off of the lan) or no one challenged if I turn on
anonymous access...

Anyone got any URL's for configuring this or can offer some advice? I've
never tried this before as I've always allowed anonymous access and used
the server for development purposes only, now I want to build my own
little Intranet application (.net 2 - just to try and touch on relevance
for this group ;) )...

Any help appreciated..

Regards

Rob

George Ter-Saakov wrote:

Unfortunately it's not possible to do with one page. (there is a workaround
though).
Problem is that if page is not protected (anonymous disabled) then IIS will
not authenticate anyone.
If it's protected then IIS will attempt to authenticate everyone.

Hi George, thanks for your reply. I'm not really bothered about it
being for a single page, it would make more sense that the entire site
was protected. I had always assumed that the IIS/Windows way of
securing things would be better than developing my own login etc, plus
if the user is already logged in on the network/domain it kinda make
sense to use that (for this project at least). Is this the same as
"Forms" security/login in .net? I'm maybe getting confused between
all the options...

The spec of what I would be looking for would be:

a) external visitors to the network are challenged to login (ideally
in a Windows type of popup)
b) users of the network get in because they are "on" the network
etc...I would then pickup perhaps the Logon_User session variable to
display their NT name (SharePoint stylee)...

Make login.aspx not protected (anonymous enabled) and check for the IP
address if it's from within the network then redirect to login1.aspx which
is protected and IIS will NT authenticate person.

I see, but it would presumably require me to test as you mentioned for
the IP address, and I'd be looking for a 192.168 etc etc kinda range,
I'm guessing with the right tools someone could "spoof" their IP
address to appear as if they had a local IP address on my network?
Whilst they'd not get passed the firewall to do anything on the
servers, my web app might be compromised?

I'm surely not the first person thats wanted to do something like
this? I'm thinking of my 123-reg.co.uk account (domain name
registration thingy)...when I browse their site there's a link to
login (obviously they do have content that would be available to
people without accounts also - which I'd maybe not have for my
Intranet) - I click on login and I'm presented with the Windows
dialogue thingy to login, I enter my details and I'm in - sounds very
similar to what you've suggested, with regards to the two pages, one
area protected, one area not - but they're obviously not checking for
a local user.

Any more thoughts?

I'm guessing with the right tools someone could "spoof" their IP

address to appear as if they had a local IP address on my network?

Well, I do not see any problem with spoofing. It's not like you a letting
them in. They still have to pass NT Authentication.
So even if they guy smart enough to spoof IP he would fail NT Authentication
and go nowere.

George
"Rob" <ba*********@googlemail.comwrote in message
news:11*********************@o61g2000hsh.googlegro ups.com...

George Ter-Saakov wrote:

>Unfortunately it's not possible to do with one page. (there is a
workaround
though).
Problem is that if page is not protected (anonymous disabled) then IIS
will
not authenticate anyone.
If it's protected then IIS will attempt to authenticate everyone.

Hi George, thanks for your reply. I'm not really bothered about it
being for a single page, it would make more sense that the entire site
was protected. I had always assumed that the IIS/Windows way of
securing things would be better than developing my own login etc, plus
if the user is already logged in on the network/domain it kinda make
sense to use that (for this project at least). Is this the same as
"Forms" security/login in .net? I'm maybe getting confused between
all the options...

The spec of what I would be looking for would be:

a) external visitors to the network are challenged to login (ideally
in a Windows type of popup)
b) users of the network get in because they are "on" the network
etc...I would then pickup perhaps the Logon_User session variable to
display their NT name (SharePoint stylee)...

>Make login.aspx not protected (anonymous enabled) and check for the IP
address if it's from within the network then redirect to login1.aspx
which
is protected and IIS will NT authenticate person.

I see, but it would presumably require me to test as you mentioned for
the IP address, and I'd be looking for a 192.168 etc etc kinda range,
I'm guessing with the right tools someone could "spoof" their IP
address to appear as if they had a local IP address on my network?
Whilst they'd not get passed the firewall to do anything on the
servers, my web app might be compromised?

I'm surely not the first person thats wanted to do something like
this? I'm thinking of my 123-reg.co.uk account (domain name
registration thingy)...when I browse their site there's a link to
login (obviously they do have content that would be available to
people without accounts also - which I'd maybe not have for my
Intranet) - I click on login and I'm presented with the Windows
dialogue thingy to login, I enter my details and I'm in - sounds very
similar to what you've suggested, with regards to the two pages, one
area protected, one area not - but they're obviously not checking for
a local user.

Any more thoughts?