Author
13 Jun 2005 10:21 PM
rgmullen
I have a customer requirement where they would like to allow certain
users to use NTLM as they enter our secure site while others would
login through a web form. The desired action would be to check the
interactive user's credentials upon entry to the site then compare it
to an ACL we have. If they are not in this list they would be
redirected to the web form login.

It appears to me that enabling both Anonymous and NTLM in IIS will use
the lowest credentials needed to complete a given resource request. It
would seem that the goal of this requirement could be met by denying
access to the initial page to the IUSR_<servername> account and then
redirecting in ASP code on failure but this would seem to be less than
elegant at best.

Can anyone offer a suggestion as to how the initial resource can be
left unsecured yet have the server challenge for credentials anyway?

Author
14 Jun 2005 12:46 AM
Bernard Cheah [MVP]
This is by design: browsers will always attempt to connect anonymously, and
based on the authentication challenge header received from the web server, they
will then proceed with the next supported auth method. Refer to this KB:
INFO: How IIS Authenticates Browser Clients
http://support.microsoft.com/?id=264921

--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/


<rgmul***@gmail.com> wrote in message
news:1118701316.418324.33580@g47g2000cwa.googlegroups.com...
> I have a customer requirement where they would like to allow certain
> users to use NTLM as they enter our secure site while others would
> login through a web form. The desired action would be to check the
> interactive user's credentials upon entry to the site then compare it
> to an ACL we have. If they are not in this list they would be
> redirected to the web form login.
>
> It appears to me that enabling both Anonymous and NTLM in IIS will use
> the lowest credentials needed to complete a given resource request. It
> would seem that the goal of this requirement could be met by denying
> access to the initial page to the IUSR_<servername> account and then
> redirecting in ASP code on failure but this would seem to be less than
> elegant at best.
>
> Can anyone offer a suggestion as to how the initial resource can be
> left unsecured yet have the server challenge for credentials anyway?
>
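
An added example, not part of either post and not code from the posters: one way to apply the behaviour described in the reply on a classic ASP entry page that has both Anonymous and Integrated Windows authentication enabled. It relies on the script answering an anonymous request with a 401 so that IIS issues the challenge. The page names, URLs, session keys and account names are hypothetical.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. Assumes this entry page has Anonymous AND Integrated
' Windows authentication enabled in IIS, and that the file itself is
' readable by the anonymous account (no NTFS deny needed).

Const FORM_LOGIN_URL = "/login.asp"      ' hypothetical form-login page
Const SECURE_HOME_URL = "/secure/home.asp" ' hypothetical landing page

' Constructed allow list; a real site would load its ACL from its own store.
Dim allowed
Set allowed = Server.CreateObject("Scripting.Dictionary")
allowed.CompareMode = vbTextCompare       ' Windows account names ignore case
allowed.Add "EXAMPLE\alice", True
allowed.Add "EXAMPLE\bob", True

' LOGON_USER is filled in by IIS after it has authenticated the request.
' It is empty when the request was served anonymously. Do not substitute
' a value taken from a client-supplied header or query string.
Dim logonUser
logonUser = Request.ServerVariables("LOGON_USER")

If logonUser = "" Then
    ' First (anonymous) pass: answer 401 so the browser retries with
    ' Windows credentials, as the reply above describes.
    Response.Status = "401 Unauthorized"
    ' Fallback text for users who cancel the prompt. Assumption: the server
    ' passes this body through instead of substituting its own 401 page.
    Response.Write "<p>Windows sign-in was not completed. " & _
                   "<a href=""" & FORM_LOGIN_URL & """>Use the login form</a>.</p>"
    Response.End
End If

If allowed.Exists(logonUser) Then
    ' Authenticated by IIS and present in the ACL.
    Session("AuthUser") = logonUser
    Session("AuthMethod") = "NTLM"
    Response.Redirect SECURE_HOME_URL
Else
    ' Authenticated, but not on the list: fall back to the web form.
    Response.Redirect FORM_LOGIN_URL
End If
%>
```

Clients that cannot complete Windows authentication see a credential prompt before they reach the fallback link, so the form-login page should also stay reachable directly.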
Author
14 Jun 2005 2:44 PM
Borco
Thank you.