David
Sat Feb 17 06:27:18 CST 2007
Well, the complicating factor depends on Radius's security integration
since it's the one introducing non-AD users.
Windows naturally secures with AD user principals up/down the whole
Windows stack. A custom authentication protocol and user identity system
is responsible for integrating. It will likely no longer look as
neat/integrated nor as easy.
Depending on the number of external users, I would simply give those
users AD accounts as well, just with a Group membership identifying
them as "Extranet" so that you can continue to ACL appropriately.
In other words, you want to stay within AD to take advantage of the
built-in Security system of Windows. When you introduce users outside
of AD, it will simply complicate the situation since either you or the
provider of the non-AD users become responsible for providing the code
for security integration.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Feb 17, 4:01 am, sthom...@phmining.com
<sthomasophmining...@discussions.microsoft.com> wrote:
> OK, I understand that, but here is a complicating factor. We will have users
> within the company defined to AD, but we will also have users outside the
> company accessing the site. We planned to authenticate both using IAS against
> one of our Radius servers. In this case, the external users would not be
> defined to AD...how do we go about securing the site in this case?
> ---scott
>
>
>
> "David Wang" wrote:
> > You're confusing authentication (who are you) with authorization (what
> > are you allowed to do).
>
> > If you want to set things up such that only a small group of people
> > can get at the website, then you need to:
> > 1. Authenticate EVERYONE so you know who is accessing your website
> > 2. Then Authorize only the small group of people to have access to
> > your website's contents
>
> > Think about it this way -- there is no way that you can authenticate
> > only the users you want, because that is a Catch-22 -- you don't know
> > the user's identity until AFTER Authentication, so you can't constrain
> > authentication to only certain users.
>
> > In your case, you simply need to enable Authentication, disable
> > Anonymous access, and ACL the resources using Windows-level security
> > in NTFS to only give read access to the small group of people (who all
> > have Windows user accounts).
>
> > Otherwise, you are certainly free to write your own authentication and
> > authorization scheme, but none will be as easily integrated nor as secure
> > as what Windows already provides.
>
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
>
> > On Feb 16, 12:11 pm, sthom...@phmining.com
> > <sthomasophmining...@discussions.microsoft.com> wrote:
> > > I'm new to IIS. I've read a book on admin'ing IIS, and I've played around
> > > with a test server. My question is this: how do you set up authentication so
> > > that only a small group of people can get at your website? Do you have to
> > > rely solely on Windows-level security? It seems to me that anybody who can
> > > authenticate to the server is allowed into the site, which in my case means
> > > everyone in the domain. ???
> > > > ---scott
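
The two steps described in the thread (authenticate everyone, then authorize only a group through NTFS ACLs), as an added example that is not part of the original posts. It assumes IIS 7 or later with the WebAdministration module; the site name, content path and the CONTOSO group names are hypothetical placeholders, with "Extranet" standing for the group suggested above for outside users who are given AD accounts.

```powershell
# Added example, not from the thread. All names below are hypothetical.
Import-Module WebAdministration             # assumption: IIS 7+ (not IIS 6)

$SiteName   = 'Default Web Site'            # hypothetical site name
$SiteRoot   = 'C:\inetpub\wwwroot\private'  # hypothetical content folder
$ReadGroups = 'CONTOSO\WebsiteReaders',     # hypothetical: the "small group"
              'CONTOSO\Extranet'            # hypothetical: outside users with AD accounts

# Step 1: authenticate EVERYONE. Anonymous off, Windows authentication on.
# (The Windows Authentication role service must already be installed.)
$auth = '/system.webServer/security/authentication'
Set-WebConfigurationProperty -Filter "$auth/anonymousAuthentication" `
    -Name enabled -Value $false -PSPath 'IIS:\' -Location $SiteName
Set-WebConfigurationProperty -Filter "$auth/windowsAuthentication" `
    -Name enabled -Value $true -PSPath 'IIS:\' -Location $SiteName

# Step 2: authorize only the chosen groups. Build the DACL from scratch so
# broad inherited entries (Users, Authenticated Users) do not carry over.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)  # block inheritance, drop inherited ACEs

$grants = @{
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'FullControl'
    # Assumption: the worker process identity needs read access to web.config.
    'BUILTIN\IIS_IUSRS'      = 'ReadAndExecute'
}
foreach ($group in $ReadGroups) { $grants[$group] = 'ReadAndExecute' }

$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
foreach ($identity in $grants.Keys) {
    $rule = New-Object $ruleType -ArgumentList `
        $identity, $grants[$identity], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SiteRoot -AclObject $acl

# Check: only the identities granted above should be listed, none inherited.
(Get-Acl -Path $SiteRoot).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```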