With IIS, start by denying the anonymous user’s permission to read the subtree you want to protect. On a standalone server named UDELL or in a domain of the same name, that anonymous account by default is IUSR_UDELL. Normally the anonymous user can read the entire web subtree, either because you’ve granted read permission for that account or because it belongs to a group that has read permission. To revoke read permission, locate the folder you want to protect (e.g., /web/Docbase/ProductAnalysis/docs) in the Windows Explorer, do right-click → Properties → Security → Permissions, and remove the anonymous user. While you’re there, add the name of the account to which you do want to grant access. Be sure to click Replace Permissions on Subdirectories if you want to apply these changes to the whole subtree.
You also need to tell IIS that it’s OK to use basic authentication when the anonymous user’s credentials fail—as will happen now that you’ve revoked that user’s permission to read the subtree. In IIS 4, you do this in the Microsoft Management Console (MMC). Find the virtual root corresponding to the directory you want to protect—or one of its parents, if you want basic authentication to be available more broadly on this server—and do right-click → Properties → Directory Security → Anonymous Access and Authentication Control → Edit. Check the Basic Authentication box. If need be, you can use its associated Edit button to specify an authenticating domain controller instead of the default, which is the local server’s directory.
This second step—configuring IIS to use basic authentication for files that the anonymous user doesn’t have permission to read—is crucial but easy to forget. If you do forget, IIS behaves very strangely when you try to access protected pages. It prompts for credentials but accepts none—not even those of the administrator.
To grant access to groups listed in the NT directory, follow the same procedure, but grant permission to a group account rather than an individual user account. Things get trickier when the group gets too big for the local server or the domain controller to handle or when you don’t want your authenticated population to overlap with the domain population.
Solutions to this problem typically involve an Internet Services API (ISAPI) filter, which is the IIS analog to an Apache module. I’m not aware of a freely available filter that’s equivalent to Apache’s AuthenDBI. A low-end commercial product is DAF (dynamic authentication filter, http://www.dafweb.com/), which authenticates users against names and passwords stored in an ODBC database. A high-end commercial product is Microsoft’s Site Server (http://www.microsoft.com/siteserver/), which includes a Personalization and Membership Service that maps between Site Server’s LDAP service and NT’s domain directory. Alternatively, you can create your own authentication filter; we’ll see a trivial example of that later in this chapter.
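The two-step mechanism described above, as an added example that is not from the book or from IIS itself: the server first tries the request as the anonymous account against an NTFS-style ACL, and only when that fails does it issue a basic-authentication challenge and evaluate the credentials the browser sends back. The account names, passwords, paths and the dictionary standing in for the NT directory (or for an ISAPI filter’s own credential store) are all constructed for illustration; the HTTP header formats are the real ones.

```python
import base64
import hmac

# Constructed stand-in for the NT directory: account -> (password, groups).
# IIS hands this check to the operating system; a custom ISAPI filter would
# consult its own database instead. Here it is simply a dict.
DIRECTORY = {
    "IUSR_UDELL": ("anon-secret", {"Everyone"}),
    "jon": ("correct horse", {"Everyone", "Analysts"}),
}

# NTFS-style read ACLs keyed by directory prefix. The protected subtree grants
# read only to the Analysts group; IUSR_UDELL is deliberately absent there.
ACLS = {
    "/web/Docbase/": {"Everyone"},
    "/web/Docbase/ProductAnalysis/docs/": {"Analysts"},
}

REALM = 'Basic realm="UDELL"'


def acl_for(path):
    """Longest matching prefix wins, mimicking 'Replace Permissions on Subdirectories'."""
    matches = [p for p in ACLS if path.startswith(p)]
    if not matches:
        return set()  # no ACL entry at all: deny
    return ACLS[max(matches, key=len)]


def can_read(account, path):
    """True if the account, or one of its groups, has read permission on path."""
    _, groups = DIRECTORY[account]
    allowed = acl_for(path)
    return account in allowed or bool(groups & allowed)


def basic_header(user, password):
    """Client side: Authorization: Basic base64(user:password). Encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Server side: recover (user, password) from the header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; passwords may contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(user, password):
    """Constant-time password comparison against the constructed directory."""
    record = DIRECTORY.get(user)
    if record is None:
        return False
    return hmac.compare_digest(record[0].encode("latin-1"), password.encode("latin-1"))


def handle_request(path, authorization=None, basic_enabled=True, anon_account="IUSR_UDELL"):
    """Return (status, response_headers, body) for one request, IIS-style."""
    # Step 1: the request runs as the anonymous account first.
    if can_read(anon_account, path):
        return 200, {}, f"served as {anon_account}"
    # Step 2: anonymous access failed. If basic authentication was never enabled
    # on the virtual root, no other credentials are ever tried, so the protected
    # subtree is unreachable for everyone.
    if not basic_enabled:
        return 401, {}, "anonymous access denied; no authentication method offered"
    creds = parse_basic(authorization)
    if creds is None or not authenticate(*creds):
        return 401, {"WWW-Authenticate": REALM}, ""
    user, _ = creds
    if not can_read(user, path):
        return 403, {}, "authenticated but not permitted"
    return 200, {}, f"served as {user}"
```

Because the Authorization header is only base64, `parse_basic(basic_header(...))` recovers the password exactly; that is why basic authentication is only as private as the transport carrying it.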