Request.ServerVariables(AUTH_USER)

[Mike Z]

I've noticed on my company's intranet that the
Request.ServerVariables(AUTH_USER) command will not return a value unless
the requesting web page's permission has been restricted first. Otherwise
there is no need for no authentication and the value remains null.

I would like to be able to take advantage of that variable request in an
application, but I don't want to have to keep updating the permission list
for the web page as employees come and go.

Is there a way to restrict the page to members of the organization all at
once, so that I can then be able to retrieve the individual user's name with
the request?

[Chris In Madison]

I believe that in order for this to work, you'll need to turn of Anonymous
Authentication to your site in IIS (at least that's the way it works for the
LOGON_USER variable). Hopefully, after that, IIS should have access to that
information (hopefully!).

Best regards,
Chris

[Mike Z]

Thanks for replying. Below shows who is listed in the Properties/Security
tab of a standard unsecured file:

Administrators (Acme\Administrators)
Everyone
Internet Guest Account (Acme\IUSR_D323R511)
Internet Guest Account (Acme\IUSR_913R511)
My Name (MyName at Acme dot Com)
NWSERVICES Admins (Acme\NWSERVICES Admins)
NWSERVICES Authors (Acme\NWSERVICES Authors)
NWSERVICES Browsers (Acme\NWSERVICES Browsers)
SYSTEM

Acme represents the company name and My Name represents me. Does one of
those control Anonymous Authentication, or is it something that has to be
configured on the web server for the entire site?

Typically when I secure a file or folder, I remove the "Everyone" and guest
accounts (IUSR), so that I end up with this:

Administrators (Acme\Administrators)
My Name (MyName at Acme dot Com)
NWSERVICES Admins (Acme\NWSERVICES Admins)
NWSERVICES Authors (Acme\NWSERVICES Authors)
NWSERVICES Browsers (Acme\NWSERVICES Browsers)
SYSTEM
And then the user names of allowed employees

Thanks for anymore answers regarding this.

[Lionstone]

I believe giving permission to the "Authenticated Users" group will do as
you need.
Double check me, though:
[url]http://www.microsoft.com/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.mspx[/url]

"Mike Z" <mikeyz@rocktmail.com> wrote in message
news:d4o7jt$lsj$1@forums.macromedia.com...

> Thanks for replying. Below shows who is listed in the Properties/Security
> tab of a standard unsecured file:
>
> Administrators (Acme\Administrators)
> Everyone
> Internet Guest Account (Acme\IUSR_D323R511)
> Internet Guest Account (Acme\IUSR_913R511)
> My Name (MyName at Acme dot Com)
> NWSERVICES Admins (Acme\NWSERVICES Admins)
> NWSERVICES Authors (Acme\NWSERVICES Authors)
> NWSERVICES Browsers (Acme\NWSERVICES Browsers)
> SYSTEM
>
> Acme represents the company name and My Name represents me. Does one of
> those control Anonymous Authentication, or is it something that has to be
> configured on the web server for the entire site?
>
> Typically when I secure a file or folder, I remove the "Everyone" and
> guest accounts (IUSR), so that I end up with this:
>
> Administrators (Acme\Administrators)
> My Name (MyName at Acme dot Com)
> NWSERVICES Admins (Acme\NWSERVICES Admins)
> NWSERVICES Authors (Acme\NWSERVICES Authors)
> NWSERVICES Browsers (Acme\NWSERVICES Browsers)
> SYSTEM
> And then the user names of allowed employees
>
> Thanks for anymore answers regarding this.
>

[Chris In Madison]

That's half of the equation. You've got the user/group access rights to the
folders of the web site, and that's good. The next part is to tell IIS to
use those permissions.

Go to your IIS console and right click the web site in question and choose
Properties. Go to the Directory Security tab, then click the Edit button
under Anonymous access and authentication control. Uncheck the Anonymous
access checkbox then select an authentication method below it. If your
visitors are using IE/Win only, you can use the Integrated Windows
Authentication option. I believe that's the one that the AUTH_USER variable
uses. If you're using other browsers and/or operating systems, you'll
probably want to use Basic Authentication and the LOGON_USER variable (I
believe that's the one).

Keep in mind that Basic Authentication sends credentials in plain text.
Windows Authentication is encrypted as I recall.

I think that should cover it, but it's been a long time since I did this
kind of thing.

Best regards,
Chris

[Mike Z]

Thanks to both of you for the help, I've decided to keep it simple and not
authenticate users for this application. I was concerned about people
deleting entries, but I figured out that the application will be write-only
now so I won't have to protect the entries.

I did not get around to trying the suggestion of removing anonymous
authentication on the server, but I will keep it in mind if I want to force
authentication for the intranet users.