Friday, March 16, 2012

Newbie Needs Help!

Hi,
I'd appreciate some advice... I've been assigned the task of creating form
based authentication via SQL Server for a section of our corporate web site.
I know classic ASP quite well, but the ASP .NET world is very different.
And from what I've read, ASP .NET has some great functionality built into it
for form based authentication. What I'd like to know is how to make this
work.
Currently, our corporate web server is IIS 5.0 on a Win2K Pro Server in our
DMZ. (We are upgrading to IIS 6 / Win2003 Pro Server next month.) I need
to manage access to a handful of subfolders in the website. The subfolders
contain .html, .asp, and .pdf files.
Will IIS 5.0 support ASP .Net's built in methods for the integrated form
based authentication approach? (The .Net Framework, ver 1.1, is installed).
Obviously, I could go the classic ASP approach and place code in the top of
each page to do some kind of check for authentication. If the check
passes, generate the page, else redirect to the login. However, I'd prefer
to not have to modify every page.
Assuming that setup will work, how will an ASP .NET form based
authentication manage access to .pdf files and static .html files?
At this point, please don't send any code. I'd just appreciate a response
as to whether this is possible and if it is, what's the best approach to
make it happen.
Thanks kindly,
-Joe

AFAIK, forms based authentication is used only to control access to pages in
your ASP.NET application. It simply works by testing to see if you have a
valid ticket for the current session (usually set once login is successful);
if there isn't one then the user is redirected to a login page, usually
defined in the Web.Config file.
Access to files via a direct URL will, I think, only be controlled by the
filesystem access allowed to the directory in question, so if there are
security restrictions in place then the user might be prompted to enter
their credentials into a Windows dialog box.
Hope that helps a bit.
IIS 5 does indeed support ASP.NET 1.1 and all that goes with it.
MattC
On Tue, 05 Apr 2005 10:11:12 -0500, Joe Rigley
<jcrigley@.spartanmotors.com> wrote:

> Hi,
> I'd appreciate some advice... I've been assigned the task of creating
> form based authentication via SQL Server for a section of our corporate
> web site. I know classic ASP quite well, but the ASP .NET world is very
> different. And from what I've read, ASP .NET has some great functionality
> built into it for form based authentication. What I'd like to know is how
> to make this work.
> Currently, our corporate web server is IIS 5.0 on a Win2K Pro Server in
> our DMZ. (We are upgrading to IIS 6 / Win2003 Pro Server next month.) I
> need to manage access to a handful of subfolders in the website. The
> subfolders contain .html, .asp, and .pdf files.
> Will IIS 5.0 support ASP .Net's built in methods for the integrated form
> based authentication approach? (The .Net Framework, ver 1.1, is
> installed). Obviously, I could go the classic ASP approach and place code
> in the top of each page to do some kind of check for authentication. If
> the check passes, generate the page, else redirect to the login. However,
> I'd prefer to not have to modify every page.
> Assuming that setup will work, how will an ASP .NET form based
> authentication manage access to .pdf files and static .html files?
> At this point, please don't send any code. I'd just appreciate a response
> as to whether this is possible and if it is, what's the best approach
> to make it happen.
> Thanks kindly,
> -Joe
>
I'd recommend reading up on Forms Authentication; it does exactly what you
would want to do in ASP. It sets a cookie on the user's system to say
whether they are logged in or not; if not they are sent to the login
page. In addition, you may want to check out the concept 'impersonation'
if it's something that may be useful here (intranet application?).
As far as non-aspnet files, as mentioned, IIS by default will be the one
to determine permissions on the folder, files, etc. When a request comes
in for an aspx file, IIS looks up aspx in the ISAPI dll mappings in MMC,
and passes it to the aspnet ISAPI dll (which in essence passes it to the
aspnet worker process). However, if it's not a .NET-type of file such as
html, pdf, etc. IIS will do whatever is set up in the MMC for ISAPI dll
mappings. Which as we know html and pdf are just served up to the user.
You can map the aspnet ISAPI dll to these other file extensions in IIS,
and then Forms Authentication can also protect them. Note there was talk
there may be performance hits and/or maybe corruption problems by doing
this (aspnet handling non-aspnet files), though I've never actually heard
of major problems with it.
Craig Deelsnyder
Microsoft MVP - ASP/ASP.NET
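
Added example, not part of the thread or any poster's code: a Web.config for the setup discussed above, with Forms Authentication guarding one subfolder. The folder name `reports`, the login page `login.aspx` and the 30-minute timeout are assumptions.

```xml
<!-- Web.config at the application root (added example).
     Folder "reports" and page "login.aspx" are assumed names. -->
<configuration>
  <system.web>
    <!-- Forms Authentication: a request without a valid ticket cookie
         is redirected to loginUrl. protection="All" encrypts and
         validates the ticket. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- The rest of the site stays open to everyone. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Protected subfolder: "?" means anonymous (unauthenticated) users. -->
  <location path="reports">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Coverage caveat: these rules apply only to requests that IIS
       hands to aspnet_isapi.dll. With the default IIS 5 mappings,
       /reports/file.pdf and /reports/page.html are served by IIS
       directly and never reach this check. Map .pdf and .html to
       aspnet_isapi.dll in the IIS application mappings to bring them
       under the deny rule above. Classic .asp pages stay mapped to
       asp.dll and are not covered by this configuration. -->
</configuration>
```

After changing the mappings, request a protected .pdf from a browser session with no ticket cookie and confirm it redirects to the login page instead of returning the file.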
Hi Joe,
Good thinking. I think you will do well with ASP.Net. That said, however, if
you don't have any experience with ASP.Net, you should think about how long
you have to write your app. Just learning ASP.Net could take you several
months, or perhaps longer. It's huge.
If you have plenty of time, by all means, jump in! The water's great!
HTH,
Kevin Spencer
Microsoft MVP
.Net Developer
What You S Is What You Get.
Craig,
Thanks for the great information. You mentioned Impersonation. How would
that help me?
-Joe
On Tue, 05 Apr 2005 14:46:35 -0500, Joe Rigley
<jcrigley@.spartanmotors.com> wrote:

> Craig,
> Thanks for the great information. You mentioned Impersonation. How would
> that help me?
> -Joe
>
Ah, I got a little carried away, you pry won't need it for what you
described, but it is helpful to know about in case you need some forms of
resource access control:
http://msdn.microsoft.com/library/d...personation.asp
http://msdn.microsoft.com/library/d...personation.asp
Basically it's a way to have aspnet use the credentials of the current
user, making it easier to do things such as access files, etc. Don't
think you need it, but useful to know for future reference.
Craig Deelsnyder
Microsoft MVP - ASP/ASP.NET
