Re: Securing through the IIS web server domain logon

["Matt Fisher" <mfisher () spidynamics com>]

> > Is there a way to get the user name from the IIS domain logon?  

  request.servervariables("Logon_user") 



----- Original Message ----- 
From: "Koniszewski, Jeffrey" <JKoniszewski () Kronos com>
To: <webappsec () securityfocus com>
Sent: Tuesday, August 17, 2004 5:21 PM
Subject: Securing through the IIS web server domain logon


Our application provides security via an application logon and web application session. We layer lots of access control 
on top of the user session. The web server is set to serve up files via the iusr account, i.e. web server access is via 
anonymous logon.

We have a customer with high security needs that wants to restrict directory access on the web server to domain 
authenticated users (remove iusr access). This, as I understand it, would require the web server to prompt for domain 
authentication. Then file access on the web server would be via the authenticated domain user's account. However, our 
application still needs to authenticate the user as well. Actually, all we probably need is the user name. We have 
never set up to work this way. Is there a way to get the user name from the IIS domain logon? Is it accessible via the 
HTTP session? Thanks.