Show Changes Show Changes
Edit Edit
Print Print
Recent Changes Recent Changes
Subscriptions Subscriptions
Lost and Found Lost and Found
Find References Find References
Rename Rename
Administration Page Administration Page
Search

History

9/12/2007 5:57:17 PM
-10.10.192.22
List all versions List all versions

RSS feed for the TestJwd namespace

Related Topics

Access Control
.
Summary
Information on configuring restricted access to FlexWiki content.

Using Windows Authentication

As described in AuthenticationOptions, Windows Authentication is great for Intranet applications where all users have accounts that are known to the web server. Usually these will be domain accounts but they can also be machine accounts.

Even in an Internet setting, Windows Authentication wins as the quick and secure way to control access to FlexWiki content.

The steps are:

  1. Make web.config changes to select Windows authentication, deny anonymous users, and impersonate identity.
  2. Configure IIS to disable "Anonymous access".
  3. Change the ACLs on the files and folders under the namespace root that you want restricted.

Step 1: web.config changes.

 <configuration>
    <system.web> 
       <authentication mode="Windows" />
        <authorization> 
           <deny users="?"/>
        </authorization>
        <identity impersonate="true" />

Step 2: IIS changes.

Its important to disable anonymous access on the root of the FlexWiki web site. It may be tempting to only restrict access on specific folders and files under the WikiBases folder, but that leads to eratic behavior.

The content is accessed by application file read and write operations, not by IIS directly. Authentication may not be triggered by these file operations wich means users won't have access to the pages you expect them to or will be able to read but not edit.

Step 3: Change ACLs.

Set the Security properties (ACLs) on the files and folders under the namespace root to reflect your desired access policy.

Open the file or folder Properties dialog and click Advanced on the Security tab.

Uncheck the "Inherit from parent..." check box.

Click Remove to remove all the existing ACL entries.

Click OK to committ the changes.

Click Yes to the "You have denied everyone..." warning.

And make sure to add the users and groups you want to allow access.

For read only access give them Read & Execute, List Folder Contents, and Read.

For write access as well, also check Write.

Notes on the limitations of Windows Authentication.

The biggest limitation is that it will not work for all internet users. To work, you must be using IE 5.x or later, you must not be located behind a proxy and firewall (a shared cable modem connection seems to work fine), and you must have a way of providing user accounts to all users.

It's unfortunate but the login dialog doesn't support changing passwords.

Another problem is that if you switch to storing your wiki in a SQL database that the windows authentication won't work anymore.

Note
This may help with changing passwords: 327134 HOW TO: Use the Change Password Feature in Outlook Web Access -- RayDixon [31-Aug-04]
Question
Is there a way to have the users authenticated automatically (for an intranet scenario) so they don't have to enter thier domain username and password, because they already entered this when they logged into windows.
Answer
When I connected to my FlexWiki test installation with IE 6 on Windows XP SP2, I did not supply any credentials. The browser was configured to automatically pass on my Windows logon credentials. With Firefox 1.0.6, I did have to enter my credentials. -- JimmySieben [17-Aug-05]
Question
Is there a way to have users's attribution automatically set to their Windows login name and not bother with the IP?
Answer
That is the behavior I am getting with IE 6 on Windows XP SP2 and Firefox 1.0.6, with FlexWiki 1.8.0.1677 running on Windows Server 2003 with IIS (6?) installed.
Note
Firefox 1.0 and up can do Windows authentication, but they don't do pass-through, so you have to type in your username and password. Question: How do you define PassThrough?
Answer
Firefox will allow PassThrough authentication, if you specify it in the browser settings. Open FF > Type in the url "about:config" > Dbl click on: "network.negotiate-auth.trusted-uris" > Type in the name of the wiki-server to trust. Ta-da! No more pw prompts in firefox! -- AaronSachs 20070507
Question
I've configured all and I'm getting an error "Access is denied". With other auth methods works well
Answer
If you have installed on a Domain Controller server of a Windows 2000 group, there's a bug with the impersonation: BUG: IWAM Account Is Not Granted the Impersonate Privilege for ASP.NET 1.1 on a Windows 2000 Domain Controller with SP4 -- Christian Echetto [10-Jan-06]
Question
I tried using the authentication feature in FlexWiki to authenticate users on an intranet. When I tried restricting write access for a particular account, i found out that the restricted account can still edit FlexWiki pages? Can anyone give me any idea on how to restrict editing access for an account? Thanks
Note
I had to make sure that the local ASPNET account, in addition to the user accounts, was allowed RX access to the wiki directories for restrictions to work. Environment: Windows XP SP2, Fx 1.5.0.7, IISLockdown installed -- TripKirkpatrick [26-Sep-06]

Not logged in. Log in

The wiki for all things Objective Design Solutions

This is FlexWiki, an open source wiki engine.

This site supports the new NoFollow anti-spam initiative.
Change Style

Recent Topics