IIS Authentication, FSO and Form Methods

better term). Each subweb has its own unique IIS Authentication method. The root of the Intranet has Integrated Authentication set (so users who are logged onto our network do not have to supply a username and password; their IE Security settings automatically pass this information). I then have a subweb for each department. For this example I'll use the IT subweb.

The IT subweb utilizes the FileSystemObject so I am required to use Anonymous Authentication. I have read numerous articles that Integrated Authentication cannot be used when FSO accesses files on a remote server (only the C drive can be accessed on the web server). So what I have done is created a Domain Account, granted the proper share and NTFS permissions on the remote server, and specified this account as the anonymous account for the IT subweb. This scenario works fine.

My issue now is Mixed Mode Authentication. Within the IT subweb, any HTML form cannot use the POST method. I am required to use the GET method. In most cases the GET method is ok but there are some cases where the form value could be so long that it breaches the QueryString limitations of IE when I submit my form to the forms processing page (a separate page than the form). Also, the form data is exposed in the QueryString and I do not always want it to be displayed.

My question is, is there any way to use Integrated Authentication on a subweb (web directory) that utilizes the FSO to access files on a remote server? I know the issue is that there is no username and password when using this method to pass to the remote server. Only a hash is created.

My FSO functions are accessed via an include file within my ASP pages. Another thought I have had is to place these functions into a DLL and access this DLL from my ASP pages. My question here is, is it possible to run this DLL as a specific user when it is accessed and ignore the IIS Authentication method?

I am not too familiar with COM and COM+ but one thought is to register an FSO DLL in COM+ and set the identity of that component as a Domain Account that has the proper permissions to the remote resource. Then I can access this DLL from any subweb and still use Integrated Authentication. Is this possible?

I am looking for any solutions to be able to use FSO (or another File browsing method?) and Integrated Authentication.

Additional Details:
- Windows 2003 Server running IIS 6
- Web Server and Remote File Server are part of the same domain
- Microsoft Article pertaining to FSO and Integrated Authentication http://support.Microsoft.com/default.aspx?scid=kb;EN-US;q197964

Hi Matt,
Thanks for posting!

From your description, my understanding is that you want to run the FSO object under the specific credential without the IIS authentication. If I have misunderstood anything, please let me know.

Based on my experience, we can use the impersonation for the ASP application at the current stage. This means when the FSO object is executed, the credential info is set as the specific one which is different from the IIS authentication. The following KB article demonstrates how to impersonate a user for an ASP application:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;248187

I hope the information will be helpful! If you have any concerns or issues, it's my pleasure to be of future assistance.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were updated on February 14, 2006. Please complete a re-registration process by entering the secure code mmpng06 when prompted. Once you have entered the secure code mmpng06, you will be able to update your profile and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================

Thank you very much Yuan. This appears to be exactly what I am looking for. I will try this out in the next couple weeks.

Hi Matt,
You are welcome:)

Regards,

Yuan Ren [MSFT]
Microsoft Online Support

This solution does work for me. One question I have though, is it possible to encrypt the password that I specify? The idea of having an unencrypted password in my ASP pages is not sitting well with my boss. If it is not possible to encrypt it what security measures should/can I take?

Thanks.

Hi Matt,
Thanks for your reply!

For the current issue, I think you can encrypt the password by calling the Win32 API. I'm sorry I am not a specialist in Win32 API and COM. However, there are many samples that demonstrate how to approach this:

"Encryption using the Win32 Crypto API":
http://www.codeproject.com/cpp/EncryptionCryptoAPI.asp

"A simple set of classes to encrypt data"
http://www.codeproject.com/cpp/encrypt.asp

In my opinion, you can use these methods in the COM dll which is used for impersonation.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support

Thank you for your help. I will look into the information you provided.

Hi Matt,
You are welcome:)

If you have any issues in the future, please post a new thread in the newsgroup. It's my pleasure to be of assistance.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
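
One way to keep the impersonation account's password out of the ASP source, as asked in the thread. This is an added example, not code from any poster or from the linked articles. It uses DPAPI through .NET's ProtectedData class rather than the CryptoAPI samples linked above, and the function names, file path, account and sample password are hypothetical.

```powershell
# Added example: names, paths and the sample password are constructed placeholders.
Add-Type -AssemblyName System.Security   # managed wrapper around DPAPI (CryptProtectData)
$scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function Protect-ServiceSecret {
    param(
        [Parameter(Mandatory=$true)] [System.Security.SecureString] $Secret,
        [Parameter(Mandatory=$true)] [string] $Path,           # keep outside the web root
        [Parameter(Mandatory=$true)] [string] $ReaderAccount   # identity the component runs as
    )
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secret)
    try {
        $bytes = [System.Text.Encoding]::Unicode.GetBytes(
            [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
        $blob = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $scope)
    } finally {
        # Wipe the plaintext copies this function created.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        if ($bytes) { [Array]::Clear($bytes, 0, $bytes.Length) }
    }
    # Write only the encrypted blob; the target directory should already be restricted.
    [System.IO.File]::WriteAllBytes($Path, $blob)

    # Replace inherited permissions with an explicit, minimal ACL.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited ACEs
    foreach ($ace in @(@('BUILTIN\Administrators', 'FullControl'), @($ReaderAccount, 'Read'))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ace[0], $ace[1], 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Unprotect-ServiceSecret {
    # Verification helper: returns the plaintext, so call it only to test provisioning.
    param([Parameter(Mandatory=$true)] [string] $Path)
    $blob  = [System.IO.File]::ReadAllBytes($Path)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

# Constructed round trip using the current user as the reader account.
$demoPath = Join-Path $env:TEMP 'fso-svc-secret.bin'
$demoPw   = ConvertTo-SecureString 'constructed-sample-password' -AsPlainText -Force
Protect-ServiceSecret -Secret $demoPw -Path $demoPath -ReaderAccount "$env:USERDOMAIN\$env:USERNAME"
if ((Unprotect-ServiceSecret -Path $demoPath) -ne 'constructed-sample-password') {
    throw 'DPAPI round trip failed'
}
```

With machine scope, any code on the server that can read the blob can also decrypt it, so the file ACL is the actual control. The component that performs the logon would decrypt the blob with the matching Win32 call, CryptUnprotectData.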