how do I create my own login.aspx and use NTFS groups at the same time?

[Flip]

I have asked this on one of the IIS newsgroups and it was suggested I come
here for some advice.

I want to be able to put my pictures on my own server/website behind NTFS
security (using Win2k3Server users, groups, permissions and all that good
stuff), as well as have my own login.aspx. Is this possible? I've been
reading around and I can find all kinds of information which unfortunately
doesn't help me much. :< Has anyone tried this before, I would love to know
how to do this.

Thanks.

 

[Scott M.]

Simply add authorized users to an IIS virtual directory and remove accounts
that shouldn't have access (the Everyone account, for example).

The next time anyone attempts to access this folder

 

[Flip]

Simply add authorized users to an IIS virtual directory and remove

accounts that shouldn't have access (the Everyone account, for example).

That will bring up the windows/IE login window correct? If I have setup my
own custom login.aspx and put it into web.config, will that one get used
instead?

 

[Norman Yuan]

Where the user access your website from? The Windows Integrated security
only good for users of LAN, for them, you do not need a loggin page, because
they have been authenticated when they logged into their computer. Simply
configure the web.config to "<authentication mode="Windows" /> " and
"<identity impersonate="true" />".

If you are talking user accessing your website from the Internet, you cannot
use Win NT security. In this case, you design a logging form and use
"<authentication mode="Form" />". With form authentication, you design your
own way of authentication. Once the user passes the authentication, you
apply appropriate authorization to user to access your website. By default,
whether the user is authenticated or anonimours, he will use
ServerName\ASPNET user account to access your website. (very limited access
permission by default setting). If you want the users have different
authorization, you need to look at "impersonate".

 

[Flip]

Howdy Norman. Thank you for your reply.

Where the user access your website from? The Windows Integrated security

They are coming in from the internet, so as you said I can't use the Windows
security. :< I guess I was hoping to be able to do that. :<

authorization, you need to look at "impersonate".

Do you happen to have any urls that have examples of this? Everywhere I
look they talk about securing aspx but not html, htm, jpeg, jpg, css, etc.
Do I have to have those extensions go through the ASPX dll? If I do require
this, do I HAVE to map all those extensions manually on both my develoment
workstation and my production server? Seems a bit extreme that MS is
forcing people to do this? Maybe I'm missing something, I'm still learning.

Thank you for your time! :> I appreciate it! :>

 

[Norman Yuan]

As I mentioned in my previous reply, you need first to understand the
difference between authentication and authorization. Logging is basically
authentication. The authorization is decided by the IIS/ASP.NET
configuration. A user being passed through authentication may still not be
able to access some (or any at all) resources in the website, depending what
user account the authenticated user is assigned (ASPNET, IUser_MachineName,
Domain\UserName...). I do not have some links on this topic at hand right
now. Simply search .NET framework's documents or MSDN would give your some
solutions. And any ASP.NET book should have a portion dedicated to this
topic.

 

[Scott M.]

If you are talking user accessing your website from the Internet, you

cannot
use Win NT security.

Sure you can. If you create an IIS virtual directory with the desired
accounts given permission to access the folder, then anyone attempting to
access anything in that folder with automatically receive a Windows Login
dialog box. Only those supplying the correct credentials will be allowed
into the folder.

 

[Scott M.]

The users will get a Windows login dialog box.

That will bring up the windows/IE login window correct? If I have setup
my own custom login.aspx and put it into web.config, will that one get
used instead?