Several IISPassword Issues

jbruce (New User)
Posted: 01 May 2008 at 4:22pm

I am currently evaluating IISPassword. We are moving our site from Linux to Windows and we currently use ".htaccess" files. I am trying to determine whether using IISPassword is better/easier than using Windows accounts.

I can make IISPassword work in a more basic case, but not for the way we currently have our site architected. I wanted to mention these issues to see if you were aware of them and whether you had any suggestions.

To set the stage, I use the following File System structure for our site:
<root_path>\to_be_protected\<many_subfolders>\
<root_path>\htdocs\

The IIS root is set to "<root_path>\htdocs\". I then create a "Virtual Directory" under the root, called "protected" which points to "<root_path>\protected_folders\". So, accessing:
<website>/to_be_protected/<some_folder>
correctly accesses some desired folder.

Problem #1: When I open the IISPassword tab, I don't see any "Virtual Directories".

I tried simply placing ".htaccess" and ".htpasswd" files in the desired folder, but it didn't prevent access to the folder. I was able to obtain the folder contents without any request for a password.

Problem #2: Junctions
Since it appeared as if "Virtual Directories" may not be supported, I created an NT "junction" in the "htdocs" folder named "protected" which points to "<root_path>\to_be_protected\". The junction *does* appear in the IISPassword tab, and although I could create the ".ht*" files, it didn't work. I was let in without authentication.

Problem #3: Errors
In working with IISPassword, I noticed that any errors that occur on protected folders display an IISPassword-specific error page. I would rather have the IIS default error page or my own custom page. If we allowed the IISPassword error page to be seen, it alerts customers/hackers that we are using IISPassword and seems like it could invite problems (say at some point there are known exploits to IISPassword).

So, is it possible to have different error pages?


Daniel (Admin Group, Technical Director)
Posted: 02 May 2008 at 12:01pm

Hi,

1 - IISPassword does work on virtual directories - just copy the .htaccess and .htpasswd files into that folder. 

2. Since you have the same problem here, it sounds like IISPassword isn't working for you at all - have you checked IISPassword Permission Issues?

3. I think you can at the moment just modify the html documents in C:\Program Files\IISPassword\ErrorDoc (we will probably make the old IIS ones the default for standard / enterprise customers in the future).

Daniel Tallentire
Support
Parker Software

jbruce (New User)
Posted: 02 May 2008 at 8:39pm

1. Should you *see* the VirtualDirectory folders in the IISPassword tab? I'm assuming the answer is "no". As I said, I tried simply copying the ".htaccess" and ".htpasswd" files to a folder under a VirtualDirectory and it did NOT work. The same ".htaccess" and ".htpasswd" files in a folder that is NOT a VirtualDirectory worked just fine. Any ideas?

2. IISPassword *is* working for me somewhat. Any *real* folder that I create and add ".htaccess" and ".htpasswd" files to is protected correctly. Are you saying that you have tried NTFS junctions and they work fine for you? I will review the "Permission Issues" link you suggested and report my findings.
 
3. I modified the "C:\Program Files\IISPassword\ErrorDoc\401.htm" file, restarted IIS, re-accessed a page, forced a 401 to occur, but the modified page did not show. It looks the same as it did originally. Any ideas?
 
FWIW, this is installed on Windows Server 2003.
 
- J

jbruce (New User)
Posted: 02 May 2008 at 9:18pm

I followed the recommendations from the link and added explicit permissions for "IUSR_xxx" as well as "Network Service". Everything started working (VirtualDirectories and junctions)! I removed those explicit permissions and it continued to work!
 
I have no idea what it was. I tried to get it back to the "broken" state, but can't seem to do it. I guess it doesn't matter, but I would have liked to have figured out the difference which might help you fix something (if something is indeed wrong).
 
So:
- Can you confirm that VirtualDirectories do NOT appear in the IISPassword tab?
- The modified error docs still aren't working for me. Can you confirm that those files are indeed being used?
 
- J

Daniel (Admin Group, Technical Director)
Posted: 05 May 2008 at 2:14pm

Hi J,

I confirm that IISPassword doesn't currently enumerate the virtual directories under a site - this is something we plan to implement, but it requires the use of a different method to what is used now (it will require reading from the Metabase for the set up virtual directories, and adding these to the tree).

I'm not sure why removing those permissions didn't prevent it from working again - it may be that the IIS would need a reset to release the files.

The modded error docs should work - I'd suggest running IISReset from the command line after changing them though, as I think they are loaded at filter loadup time for efficiency.
I'll check into this for you.
Daniel Tallentire
Support
Parker Software

jbruce (New User)
Posted: 05 May 2008 at 3:45pm

Thank you for your prompt responses.

I have tried both restarting IIS and restarting the entire server and I still don't see my modified "401.htm" file. If there is anything else I must do to "clear" the old one, let me know. I'm stumped.

I have also been trying hard to repro the issue that allowed me access to my folder and I just can't seem to make it happen. I feel like I have the permissions settings back as they were originally, but the problem simply won't occur. At this point, I guess I'll have to assume that it was a transient issue. I'll keep my eye out, but probably won't continue to try and repro.
 
One more thing I realized we used to do on our Linux/Apache server. We used a module called "AuthCookie" which basically allowed you to set a cookie that would give you access to an ".htaccess"-protected folder. For the "admin" part of our site, rather than require admins to type the user/password combo, once you were logged in (again, as an "administrator"), you could view the ".htaccess"-protected folders. I accomplished this by setting a cookie with the user/password info prior to navigating to the folder (all via PHP, btw). Do you have support for anything like that? Since I don't see any mention of it, I'm guessing there isn't. I would like to add that as a "Feature Request". My admins are not going to be happy if they have to enter "user/password" combos to access the protected folders.
 
Thanks again for all your help.
 
- J
 
 

Daniel (Admin Group, Technical Director)
Posted: 06 May 2008 at 12:45pm

Hi,

I'll take a look at this... they should be being scanned, but it may be that they have been compiled into the program on the last installer.

We don't advertise any support for this, although it is technically possible for you to write a header in advance with the encrypted username and password; I'll see what we can do on showing a PHP library or something for duplicating this encryption.
Daniel Tallentire
Support
Parker Software

jbruce (New User)
Posted: 06 May 2008 at 10:18pm

As far as the error docs, hopefully I'm just missing something...

I'm not exactly sure what you mean about "writing a header in advance". Does that mean that a user would go to a URL like "proxy.php?user=someuser&password=somepassword" which would write out a special header and redirect the browser to the protected folder?
 
In our Apache environment, the "proxy.php" would set a cookie and the authentication module would attempt to authenticate using the cookie data. If authentication failed, then the "basic authentication dialog" would appear.
 
If you have a PHP sample, that would be great. We anxiously await your help. Thanks again.
 
- J

Daniel (Admin Group, Technical Director)
Posted: 07 May 2008 at 10:14am

Hi J,

What I mean is that you will make IISPassword think that the login prompt has already been done, by pre-authing with the session info, then passing this through, without the popup box.

I'll have a look at doing this over the next few days.
Daniel Tallentire
Support
Parker Software

Daniel (Admin Group, Technical Director)
Posted: 09 May 2008 at 9:54am

Hi,

The problem with the html documents not replacing has been fixed in the latest version.
Daniel Tallentire
Support
Parker Software
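
Added example, not part of the original thread and not Parker Software code: a smoke test for the two risks raised above, a protected folder that serves content without credentials and a 401 page that names the product. The local `DemoSite` server, its paths and its page bodies are constructed stand-ins, and the check assumes protection is announced with a 401 status plus a `WWW-Authenticate` header.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def check_protected(url, marker="IISPassword"):
    """Request url with no credentials; return findings (empty list = OK)."""
    try:
        with OPENER.open(url, timeout=10) as resp:
            return [f"fail-open: HTTP {resp.status} without credentials"]
    except urllib.error.HTTPError as err:
        findings = []
        if err.code != 401:
            findings.append(f"unexpected status: HTTP {err.code}")
        elif not err.headers.get("WWW-Authenticate"):
            findings.append("401 without a WWW-Authenticate challenge")
        body = err.read().decode("latin-1", "replace")
        if marker.lower() in body.lower():
            findings.append(f"error page names the product ({marker})")
        return findings

# Constructed stand-in pages; any other path is served with 200 and no prompt.
PAGES = {
    "/realfolder/": (401, b"<h1>Authorization required</h1>"),
    "/branded/": (401, b"<h1>IISPassword: access denied</h1>"),
}

class DemoSite(BaseHTTPRequestHandler):
    def do_GET(self):
        code, body = PAGES.get(self.path, (200, b"<pre>folder listing</pre>"))
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="protected"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the demo quiet

def run_demo():
    with HTTPServer(("127.0.0.1", 0), DemoSite) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        try:
            return {p: check_protected(base + p) for p in (*PAGES, "/protected/")}
        finally:
            server.shutdown()
```

Run against a real site, `check_protected` would be called once per protected URL after every change to virtual directories, junctions or folder permissions, and again after any edit to the error documents.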