WebApp Sec mailing list archives

Re: Securing through the IIS web server domain logon

From: Ben Timby <asp () webexc com>
Date: Wed, 18 Aug 2004 17:36:46 -0500

It is available via the REMOTE_USER CGI variable...

in asp:

<%
strDomainUser = Request.ServerVariables("REMOTE_USER")
%>

see:
http://hoohoo.ncsa.uiuc.edu/cgi/env.html

Hope that helps.

Koniszewski, Jeffrey wrote:

Our application provides security via an application logon and web application session. We layer lots of access control 
on top of the user session. The web server is set to serve up files via the iusr account, i.e. web server access is via 
anonymous logon.

We have a customer with high security needs that wants to restrict directory access on the web server to domain 
authenticated users (remove iusr access). This, as I understand it, would require the web server to prompt for domain 
authentication. Then file access on the web server would be via the authenticated domain user's account. However, our 
application still needs to authenticate the user as well. Actually, all we probably need is the user name. We have never set 
up to work this way. Is there a way to get the user name from the IIS domain logon? Is it accessible via the HTTP session? 
Thanks.

Current thread:

Securing through the IIS web server domain logon Koniszewski, Jeffrey (Aug 18)
- Re: Securing through the IIS web server domain logon Saqib . N . Ali (Aug 18)
- Re: Securing through the IIS web server domain logon Thomas Chiverton (Aug 18)
- Re: Securing through the IIS web server domain logon Ben Timby (Aug 18)
- <Possible follow-ups>
- Re: Securing through the IIS web server domain logon Matt Fisher (Aug 18)
- RE: Securing through the IIS web server domain logon Stan Guzik (Aug 20)
- RE: Securing through the IIS web server domain logon Michael Silk (Aug 20)
- RE: Securing through the IIS web server domain logon Michael Howard (Aug 20)