Re: How to access Windows IIS User Info with Perl

From: BigNin (page.nix_at_gmail.com)
Date: 03/30/05 

Date: 29 Mar 2005 17:31:25 -0800

Big and Blue wrote:
> BigNin wrote:
> >
> > In our IT department's infinite wisdom, they have moved us to a
Windows
> > 2003 server running IIS. I've made the modifications to my script
so
> > that it runs, but the IIS server is configured for Windows
> > Authentication.
>
> You think MS Windows would allow any choice?

I'm certainly not an IIS expert, in fact, I've only played around with
it now for 2 days, but I did notice under the security options that it
allowed for Basic Authentication, Windows Authentication (or whatever
they called it), and one or two other options. It looks like our
administrators are not giving us any options though. We must use the
Windows based one.

>
> > The IT department states that this allows users to
> > login into the network when they first turn on their PC and then
the
> > users don't have to enter any additional usernames or passwords to
> > authenticate with IIS and my script.
>
> So they login, walk away and anyone else walking past has full
access
> to all Web sites as them. Odd why some people see single sign-on as
secure...

You're preaching to the choir here. We've been through this before.
It is the general opinion here that all users are supposed to lock
their workstations when they leave them and in fact the machines lock
themselves after 15 min of inactivity. Albeit flawed, this is the best
option available to us for a few reasons. For starters, most users
tell their browser to remember their username and password anyway, so
it wouldn't matter if they logged out of the application. But more
importantly, the data viewed through this application is data that can
be obtained via a printed report that many people receive. This means
that if I really wanted to steal the information, I just need to walk
up to someone's desk when they aren't there and grab the report, so
security in the case of this application is more for logging of who is
reading what and when and not so much a matter of keeping someone out.

> Can you get the login id? If you can, then you shoudl be abel to
query
> ActiveDirectory using the Net::LDAP modules to look up group
membership.
> But until you get the login id then you can't do anything. I suppose
its
> too much to expect IIS to set an environment variable? (That is part
of
> the CGI standard, but no idea whether MS adhere to any standards
here).

Thanks. I'll do some testing and look into grabbing the id. I'm
hoping that the REMOTE_USER variable is indeed available. I'm
unfamiliar with the Net::LDAP modules, so I'll have to read up on those
and see how they work. Do you know if they are part of a standard
ActiveState Perl install? If not, I'll have to get the admins to
install it.

>
> > de.Password =
> > Configuration.ConfigurationSettings.AppSettings("Pass")
>
> The Web server allows you to read users MS passwords???
>

It looks that way from the code, but I sure hope not. The ASP code
that I included was emailed to me from one of the admins and I haven't
tested it. It wasn't intended for me to necessarily run it... more as
a guideline to help me figure out how I would accomplish the same thing
in perl.