IIS access

They have: 36 posts

Joined: Oct 2004

I'm currently doing a CIW course and have reached the Server Administration module (it's confusing the hell out of me). The course manual is vague and the tutor support hopeless. I've googled as much as I can and still no answers.

My confusion concerns Authentication for an entire site Vs Authentication for particular users. I'll tell you what (I think) I know.

I understand that to choose the Authentication method for an entire site, you use the "directory security" tab, accessed by selecting the properties option of the "default web site" in ISM (IIS5). Here you may choose, for example, "Basic Authentication".

I guess my first question must be: When a user enters their username and password, what information does IIS use to check this information against, and where is it stored on the server machine?

My second question concerns restricting access to specific pages on a site. This is what my course manual says for the procedure:

1. Select "Properties" on the file called PRIVATE.
2. Click the "Security" tab.
3. In the box that appears, Remove "EVERYONE".
4. Select "SYSTEM".
5. Select the relevant user and click "add".

The example in the course manual then just jumps to another paragraph for the rest of the procedure (I have no idea what happens directly after point 5 above). It goes on to say:

In IIS, open the properties for the default web site.
Click the "directory security" tab and enable "basic authentication".

It is this last step that is confusing me. How is enabling basic authentication having any effect on the PRIVATE file? Isn't enabling basic authentication simply restricting access for the whole site? If "Anonymous Access" were chosen, the PRIVATE folder would still be restricted, wouldn't it?

Please give me a clue on this one. It's been 2 days now and my little brain is really starting to hurt.

Thanks in Advance.
Stuart

JeevesBond's picture

He has: 3,956 posts

Joined: Jun 2002

Why are they teaching you IIS?! That's going to be little practical use when most of the world uses Apache. Are they teaching you how to use Apache at all?

StuPeas wrote: I guess my first question must be: When a user enters their username and password, what information does IIS use to check this information against, and where is it stored on the server machine?

This would depend upon the type of authentication. If you've opted to have integrated authentication, IIS will look to the local machine's users and groups; there's also basic authentication. I don't know where IIS will look for that; it will probably store it in the registry or some configuration file. Do you need to know where IIS stores it?

StuPeas wrote: It is this last step that is confusing me. How is enabling basic authentication having any effect on the PRIVATE file? Isn't enabling basic authentication simply restricting access for the whole site? If "Anonymous Access" were chosen, the PRIVATE folder would still be restricted, wouldn't it?

I assume you need to switch on this 'Basic authentication' to be able to restrict access at all. I would also assume that this doesn't do anything unless you add a password to the whole site. Or maybe if you've got this 'Anonymous Access' set then yes, anyone can access the site and access to the Private folder will be restricted. This happens because a 'deny access' overrides/is more important than a 'grant access'.

a Padded Cell our articles site!

They have: 36 posts

Joined: Oct 2004

Yes, Apache will be taught as well. My point is: why would the course manual include the step to "enable basic authentication" as part of the procedure that restricts access to the Private folder? Surely it doesn't matter whether anonymous access or basic authentication is enabled; access to the Private folder would still be restricted, wouldn't it?

I'm trying to establish whether or not the people who wrote the course material actually have a clue what the hell they are talking about, or whether I am totally missing something.

Thanks for the response, sorry I took so long to answer (I'm trying to make the switch to Linux and it's a bit of a learning curve).

JeevesBond's picture

He has: 3,956 posts

Joined: Jun 2002

StuPeas wrote: Yes, Apache will be taught as well.

Oh, fair enough then. You may well need to use IIS at some point.

StuPeas wrote: My point is: why would the course manual include the step to "enable basic authentication" as part of the procedure that restricts access to the Private folder? Surely it doesn't matter whether anonymous access or basic authentication is enabled; access to the Private folder would still be restricted, wouldn't it?

No, you wouldn't be able to restrict access to the folder (I don't think). The type of security has to be set up before you can set passwords.

StuPeas wrote: (I'm trying to make the switch to Linux and it's a bit of a learning curve)

What are you having trouble with? Also, what distro are you using? Probably the easiest is Ubuntu, then just grab a copy of EasyUbuntu to watch DVDs, view WMV files and all that other non-Free stuff.

If you're doing something complicated it can be difficult; the missus has switched with few problems, although I'm always around to support her. :)

a Padded Cell our articles site!

They have: 36 posts

Joined: Oct 2004

JeevesBond;214645 wrote:

No, you wouldn't be able to restrict access to the folder (I don't think). The type of security has to be set up before you can set passwords.

I don't think you would have to enable basic authentication. The PRIVATE file has been restricted anyway, hasn't it? If basic authentication is enabled, then anyone who wants to view the other pages on the site has to have a password. What would happen for the people ALLOWED to view the PRIVATE folder? Would they have to authenticate themselves for the entire site first by sending a username and password, and then enter another username and password to view the PRIVATE folder?
Oh, hang on... I think I see what you are saying. Because they have already authenticated for the entire site, they are automatically entitled to view the PRIVATE folder.
Doesn't this seem like a lot of trouble to go to (enabling authentication for the entire site just to make sure ONE FOLDER is restricted)?

Surely there must be a way that the site can have anonymous access but then present a username and password box when someone tries to access the PRIVATE folder. That way, only the password information for the PRIVATE folder need be stored on the server machine (any other password = no access).

I'm using Mandriva 2007, and my problem is trying to make Samba see my Win98 shares (it can see the machine, just not the shares, and it sees both my other WinXP machine AND its shares, so no probs with XP).

Thanx
Stuart

JeevesBond's picture

He has: 3,956 posts

Joined: Jun 2002

StuPeas wrote: If basic authentication is enabled, then anyone who wants to view the other pages on the site has to have a password.

Really?! That seems a little odd. I would have thought that enabling Basic Authentication would mean: 'I want to enable the Basic Authentication method', not: 'I want to enable the Basic Authentication method and restrict access to the whole site'.

To my mind just enabling Basic Authentication shouldn't actually restrict anything, just tell IIS that when you restrict access (by right-clicking on the folder, going into properties etc.) it should use Basic Authentication to validate that user.

The only time access to the whole site would be restricted is if you set the permissions of the root folder to anything other than 'EVERYONE'.

To be honest though, I am taking stabs in the dark here as I don't have a Windows machine anymore and it's been a while since I used IIS!

In Apache you simply plonk a file named .htaccess in the folder you want to restrict; it would look something like:

AuthName "TWF secret research labs and penguin testing facility"
AuthType Basic
AuthUserFile /path/to/httpdocs/.htpasswd/passwordfile
Require valid-user
Had to include this, it seems to work exactly the way you want. :)
The only complicated bit is that you have to create a secret username/password file; it's separate so you can put it somewhere nasty hackers can't access it.

This is also how I'd expect IIS to work. Just enabling Basic Authentication (or AuthType Basic in Apache) doesn't make it ask for a password. I could put that declaration in a .htaccess file in the root directory for instance, it wouldn't make the root directory password protected.

StuPeas wrote: I'm using Mandriva 2007, and my problem is trying to make Samba see my Win98 shares

Ouch, I can remember having lots of trouble making Windows 98 see other Windows 98 machines. The networking on that OS is awful!

When I had problems (a long time ago) with two Win98 machines I remember having to give them static IP addresses, dynamic just didn't work.

Other than that, you could join the #samba channel on irc.freenode.net and ask them there. I checked and apparently Samba should work with Win98.

a Padded Cell our articles site!
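
Added example (not part of the original thread, and not Apache's own code): a simplified Python model of the per-directory behaviour described in the post above, where AuthType Basic on its own prompts for nothing and the Require line is what produces the 401 challenge. The realm, user name, password and {SHA} password-file entry are constructed sample values, and only "Require valid-user" is modelled.

```python
import base64, hashlib, hmac

# Constructed sample .htaccess contents (not taken from a real server).
HTACCESS_PROTECTED = ('AuthName "Private area"\nAuthType Basic\n'
                      'AuthUserFile /path/to/passwordfile\nRequire valid-user\n')
HTACCESS_NO_REQUIRE = 'AuthName "Private area"\nAuthType Basic\n'

def sha_entry(user, password):
    # htpasswd "{SHA}" line format; unsalted SHA-1, used here only to stay stdlib-only.
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"

PASSWORD_FILE = sha_entry("stuart", "s3cret-example")  # constructed credentials

def parse_htaccess(text):
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip().strip('"')
    return directives

def check_password(user_file, user, password):
    expected = sha_entry(user, password).partition(":")[2]
    for line in user_file.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("{SHA}"):
            return hmac.compare_digest(stored, expected)  # constant-time compare
    return False

def handle_request(htaccess, user_file, authorization=None):
    """Return (status, headers) for a request into the directory."""
    d = parse_htaccess(htaccess)
    if "require" not in d:
        return 200, {}  # AuthType alone protects nothing
    challenge = {"WWW-Authenticate": f'Basic realm="{d.get("authname", "")}"'}
    if not authorization or not authorization.startswith("Basic "):
        return 401, challenge  # browser shows the username/password box
    try:
        # Basic credentials are only base64-encoded, so they need TLS on the wire.
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:
        return 401, challenge
    return (200, {}) if check_password(user_file, user, pw) else (401, challenge)

if __name__ == "__main__":
    good = "Basic " + base64.b64encode(b"stuart:s3cret-example").decode()
    print(handle_request(HTACCESS_NO_REQUIRE, PASSWORD_FILE))
    print(handle_request(HTACCESS_PROTECTED, PASSWORD_FILE))
    print(handle_request(HTACCESS_PROTECTED, PASSWORD_FILE, good))
```
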

JeevesBond's picture

He has: 3,956 posts

Joined: Jun 2002

A bloke in #samba just tried this out for me on a Win98 machine of his. Apparently the problem is Win98 won't accept a connection on port 443, so you need to use port 139. So, open up a terminal and put in the following (changing the username etc.):

mount -t smbfs -p 139 -o username=jeeves //testpc/jeeves /tmp/jeeves

He described the syntax for this as being:

mount -t {filesystem type (in our case smbfs)} -o {options (in our case...a username. A password can be added here too)} -p {port 139} //{the computer name}/{the share name} /The/Path/where/you/want/to/mount/the/win98/share

Hopefully this makes sense. It was a guy called 'rtcg' I spoke to in IRC, if he's there when you need help you'll be in luck!

EDIT:
Apparently, rtcg is in ##Samba3+LDAP (note the extra '#'). Might be an idea to find him in there before trying #samba. :)

a Padded Cell our articles site!

They have: 36 posts

Joined: Oct 2004

Cheers Jeeves, I'll try that port as soon as I get the chance. (By the way, it's not 2 Win98 machines, it's a dual boot Linux/XP machine that can't see the shares on a Win98 machine. It can however see the actual machine, just not any of the shared folders on it.)

As for IIS, my course manual neglected to say that the option to set authentication was also available for individual folders inside root. I was under the impression that this option was only available for the whole site (that's about 3 hours of my life typing I'll never get back). No wonder the company is called Skill sTrain. Thanx matey.
