qadwjoh has asked for the wisdom of the Perl Monks concerning the following question:

Hi.

I've been developing a web browser based tool running off a set of Perl CGI scripts and web pages to be served via IIS and I want to control access to it via Active Directory. I have them stored in one directory so basically I want to protect the entire directory.

Does anyone know if I can set this up automatically in IIS 5.0 or if I have to create my own scripts/web pages to prompt for username/password details and then validate this against an entry in the Active Directory? If so, how do I prevent users from bypassing this and creating their own HTTP requests to pages in my directory? Do I use cookies? Or do I use a combination of setting up IIS in some way and managing users via code in my Perl scripts and web pages?

Any help would be very much appreciated.

Thanks,
Andrew

Re: IIS authentication with Active Directory
by meetraz (Hermit) on Mar 10, 2003 at 17:04 UTC
    By default, the only thing you need to do is edit the NTFS permissions of the files you want to protect. Edit the security of the files/folders, and remove the "Anonymous web user" or "Web applications" groups, and the IUSR/IWAM accounts if they have rights. Basically, remove everything except administrators/system. Then, individually add the users/groups from Active Directory that you want to have rights to these web pages.
      Hi,

      Thanks for the help, but I tried this and am still unable to produce a dialogue asking me for my Active Directory username, password and domain. What setting(s) should I have in the IIS Manager control panel? I want to be able to allow anyone who can be authenticated through my company's Active Directory to have access, not just certain groups or users.

      thanks,
      Andrew
        In IIS, open up the properties window for the directory you want to protect. Click "Directory Security" then under authentication control, click "Edit". Make sure "Anonymous" and "Basic" are unchecked, and that "Integrated Windows" is checked.

        To allow all AD users to connect, you still have to remove the anonymous web users from the directory. Then, add your Domain Users group with Read permissions.
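
Added example, not part of the original thread: a check placed at the top of a CGI script in the protected directory, so the script refuses to run if the directory's IIS settings ever regress to Anonymous or Basic. The domain name `EXAMPLE` and the function name `check_iis_identity` are assumptions made for illustration; `AUTH_TYPE` and `REMOTE_USER` are the standard CGI variables IIS fills in after it has authenticated the request.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: placeholder NetBIOS domain name, replace with your own.
my $EXPECTED_DOMAIN = 'EXAMPLE';

# Scheme names accepted as "Integrated Windows". NTLM and Negotiate are what
# IIS normally reports; adjust the set to what your server actually sends.
my %INTEGRATED = map { $_ => 1 } qw(NTLM NEGOTIATE KERBEROS);

# Returns (account, undef) on success or (undef, reason) on failure.
sub check_iis_identity {
    my ($env) = @_;
    my $scheme = uc($env->{AUTH_TYPE}   // '');
    my $user   =    $env->{REMOTE_USER} // '';

    # Empty values mean the request was served anonymously; "BASIC" means
    # the Basic box is still checked and passwords cross the wire in clear.
    return (undef, 'no authenticated user') unless length $user;
    return (undef, "scheme '$scheme' not allowed") unless $INTEGRATED{$scheme};

    # With Integrated Windows authentication the account arrives as DOMAIN\user.
    my ($domain, $account) = $user =~ /\A([^\\]+)\\([^\\]+)\z/
        or return (undef, 'unexpected account format');
    return (undef, 'account is from another domain')
        unless uc($domain) eq uc($EXPECTED_DOMAIN);

    return ("$domain\\$account", undef);
}

my ($who, $why) = check_iis_identity(\%ENV);
unless (defined $who) {
    # Log the reason server-side; tell the client nothing specific.
    print STDERR "access refused: $why\n";
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n";
    print "Access denied.\n";
    exit 0;
}

print "Content-Type: text/plain\r\n\r\n";
print "Authenticated as $who\n";
```

This does not replace the NTFS and IIS settings described in the replies; it only makes a misconfiguration fail closed instead of silently serving the page.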