secure site - multiple users w/ 1 user account?

Background: I have an https secure site on IIS. It uses digest authentication and a unique username/PW is assigned for each user.

New Project: I'm going to create a new page with less secure content such as procedures, instruction, etc. I'll create a new folder and security group for separate access to this page. The new page will have about 100 new users. I want to utilize the secure site for this new page but I DON'T want to create 100 new accounts - I'd like to instead create a single user account so that all 100 new users of this page can use the same account Username/PW.

QUESTION: From a functionality and performance viewpoint (not from a security standpoint), is it possible (and is it good practice) to have multiple users log on to the site using the same account simultaneously?

Thanks,
Bryan

Sure, this is exactly what happens when you choose "Anonymous
Authentication" in IIS. When you enable anonymous authentication, IIS simply logs in a user-defined anonymous user (IUSR_machinename by default), and all users use that account to access resources.

Now, IIS does not have any authentication protocols that work as "authenticate remote username against some password, then log on as another identity to access resources".

- Anonymous does not authenticate remote users and logs on as a user-defined identity
- Basic, Integrated, Digest, etc. all authenticate remote users against either local SAM or Active Directory and log on as that user
- Cert Mapping uses the identity stored in the client certificate and maps to some NT user

I'm not certain whether you want:

1. those other 100 users to have access to the rest of the secure site as either themselves or as the single user account
2. the less secured page is only accessible to the 100 users as well as anyone that digest authenticates

In other words, do you want those 100 new users to be treated like a single NT user for access to the secured site, and do you care who accesses the less secured page?

If you do not care who accesses the less secured page, then I suggest enabling Anonymous Authentication on just the page itself and setting its anonymous username/password as the "single user account". This way, anyone can access this less secured page, and the 100 new users still do not have access to the secured site.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

<b_r***@yahoo.com> wrote in message news:1117914965.425746.186300@g47g2000cwa.googlegroups.com...
> Background: I have an https secure site on IIS. It uses digest authentication and a unique username/PW is assigned for each user.
>
> New Project: I'm going to create a new page with less secure content such as procedures, instruction, etc. I'll create a new folder and security group for separate access to this page. The new page will have about 100 new users. I want to utilize the secure site for this new page but I DON'T want to create 100 new accounts - I'd like to instead create a single user account so that all 100 new users of this page can use the same account Username/PW.
>
> QUESTION: From a functionality and performance viewpoint (not from a security standpoint), is it possible (and is it good practice) to have multiple users log on to the site using the same account simultaneously?
>
> Thanks,
> Bryan

Hi David,

Actually I'm not sure if it is digest authentication. It
uses an SSL certification. The server is outside the company firewall. People from other companies can access it. Up to this point, a new user account / PW is created for each user (it does Not use the company AD list).

I'd like for the 100 new users to access ONLY the less secure content in the New folder.

Regarding anonymous access: If I added the existing security groups (users) to the New folder, would the current users then be able to access the new Page with their existing credentials (if we enabled anonymous access) - or do they need to use the anonymous UN/PW for the New page?

I need to write instructions for the network admin who will actually do the changes. Does this sound correct:

1) In IIS, go to "New Folder" -> directory security -> edit ->
2) Enable Anonymous Access
3) Create the Username/PW as: (can I make the username anything?)
4) (Should I have 'allow IIS to control PW' checked?)
5) Add existing security groups 'Group A, B' to New Folder
6) Assign read & execute to user groups

Bryan

Yes, what I described should work.

Enable authentication everywhere (so the secured content requires authentication). Enable anonymous authentication on the less secure content itself (either on a per-file or per-vdir basis, depending on what suits your needs). This allows ANYONE to access this content, unauthenticated.

Thus, the "100 new users" will just access it by default, as will your existing users -- everyone can access this content as your defined anonymous user account in IIS (default is IUSR_MachineName).

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

<b_r***@yahoo.com> wrote in message news:1118018372.565438.124930@g44g2000cwa.googlegroups.com...
> Hi David,
>
> Actually I'm not sure if it is digest authentication. It uses an SSL certification. The server is outside the company firewall. People from other companies can access it. Up to this point, a new user account / PW is created for each user (it does Not use the company AD list).
>
> I'd like for the 100 new users to access ONLY the less secure content in the New folder.
>
> Regarding anonymous access: If I added the existing security groups (users) to the New folder, would the current users then be able to access the new Page with their existing credentials (if we enabled anonymous access) - or do they need to use the anonymous UN/PW for the New page?
>
> I need to write instructions for the network admin who will actually do the changes. Does this sound correct:
>
> 1) In IIS, go to "New Folder" -> directory security -> edit ->
> 2) Enable Anonymous Access
> 3) Create the Username/PW as: (can I make the username anything?)
> 4) (Should I have 'allow IIS to control PW' checked?)
> 5) Add existing security groups 'Group A, B' to New Folder
> 6) Assign read & execute to user groups
>
> Bryan
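
Added example, not part of the thread or of any poster's code: a check the admin could run after the change to confirm that only the new folder answers without credentials while the rest of the site still issues a 401 challenge. The host name, the paths and the `audit`/`http_fetch`/`sample_fetch` names are assumptions made for illustration, and the sample responses are constructed.

```python
import urllib.error
import urllib.request

def http_fetch(url):
    """GET without credentials; return (status, WWW-Authenticate value or '')."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")

def audit(base_url, paths, public_prefix, fetch=http_fetch):
    """Return (path, problem) pairs for paths that behave contrary to the plan."""
    findings = []
    prefix = public_prefix.lower()  # IIS URL paths are case-insensitive
    for path in paths:
        status, challenge = fetch(base_url.rstrip("/") + path)
        if path.lower().startswith(prefix):
            # The less secure folder should answer anonymous requests.
            if status in (401, 403):
                findings.append((path, f"public folder refused anonymous access (HTTP {status})"))
        elif status < 400:
            # Anything else must not be served to an unauthenticated client.
            findings.append((path, f"secured path served without credentials (HTTP {status})"))
        elif status == 401 and not challenge:
            findings.append((path, "401 sent without a WWW-Authenticate challenge"))
    return findings

# Constructed responses for a hypothetical site where anonymous access was
# accidentally left enabled on /secure/admin/ as well as on /NewFolder/.
SAMPLE = {
    "https://example.test/NewFolder/procedures.htm": (200, ""),
    "https://example.test/secure/reports.asp": (401, 'Digest realm="example.test"'),
    "https://example.test/secure/admin/default.asp": (200, ""),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    paths = ["/NewFolder/procedures.htm", "/secure/reports.asp", "/secure/admin/default.asp"]
    for path, problem in audit("https://example.test", paths, "/NewFolder/", sample_fetch):
        print(path, "->", problem)
```

Against a live site, call `audit` with the default `fetch` and a list of representative URLs from both the secured area and the new folder.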