Security

Mixed Windows Authentication in IIS 8.5 (ASP.Net)

Update:

Actually, this does not work. It looks OK because of the client's cache. As far as I know, there is no way to do this.


Original:

 

I recently got a case to build a site in IIS 8.5:

  • When the visitor is logged on to the desktop with a domain account, use this account for this website.
  • When the visitor is not using a domain account, do not pop up a login window asking for a domain account; redirect to a version for anonymous users instead.

I thought this would be simple in the IIS settings, but I was wrong. Anonymous authentication cannot work in parallel with Windows authentication.

After some digging in Google, I started my test:

  1. Deploy the site using anonymous authentication.
  2. Select the login page that detects the domain user and change that page to Windows authentication instead of anonymous mode.
  3. Add a custom error page for this page on error 401. The mode is set to “Execute a URL on this site”.

It works well, but…

When the login page is opened, it should carry a URL as a parameter for returning to the original page, so I have to handle that in the custom 401 page. I turned that page into an ashx handler that calls context.Response.Redirect. The return URL can be cut from context.Request.RawUrl.

After that, it went wrong. From the same server that has IIS installed, it still works well. But when I try this page on another computer, it always redirects to the anonymous version of the page, no matter whether the desktop is logged on with a domain account or not. I’m sure that the site is added to the Intranet zone and automatic logon is set for this zone.

Checked with a network monitor: the browser does not get the 401 response in this scenario. For the ashx request, only the 302 code is returned. That’s the reason why the browser isn’t notified to log on with the current user.

The solution is: if you still want to use an ashx with a redirect as the custom 401 page, do not use context.Response.Redirect. Instead, do the redirect in HTML, with the 401 code in the HTTP response.

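// Keep the 401 status; Response.Redirect would replace it with a 302.
context.Response.Status = "401 Unauthorized";
context.Response.StatusCode = 401;
context.Response.ContentType = "text/html";
// redirectUrl is cut from Request.RawUrl, so encode it before writing it into an HTML attribute.
context.Response.Write(@"<html>
<head>
<title>Redirecting</title>
<meta http-equiv=""refresh"" content=""0; url=" + System.Web.HttpUtility.HtmlAttributeEncode(redirectUrl) + @""" />
</head>
<body></body>
</html>");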

It works like a charm.

I guess (yes, guess) that when the browser gets a 401 response the first time, it retries the previous submission/navigation with the domain account for login. If that fails again, it pops up a login window after the HTML page is displayed. So, as I required in the HTML code, once it navigates to another page, the browser has no chance to display the login window. That’s the deal.

All I’m sure of is that it really works well. Hope it is useful to you.
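
The handler above writes a value taken from the request URL into the response, so the return URL should be limited to same-site paths and encoded before use. The following is an added example, not code from the original post; the `ReturnUrl` parameter name, the `Custom401Handler` class name and the `/anonymous/default.aspx` fallback are assumptions made for illustration.

```csharp
using System;
using System.Web;

// Added example: custom 401 handler that validates the return URL before
// emitting the 401 + meta refresh response described in the post.
public class Custom401Handler : IHttpHandler
{
    // Hypothetical fallback page for anonymous visitors (not from the post).
    private const string AnonymousHome = "/anonymous/default.aspx";

    public bool IsReusable { get { return true; } }

    // Accept only site-relative paths such as "/orders/list.aspx".
    // Rejects absolute URLs, "//host" and "/\host" forms, and control characters.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        foreach (char c in url)
        {
            if (char.IsControl(c)) return false; // blocks CR/LF and similar
        }
        return true;
    }

    public void ProcessRequest(HttpContext context)
    {
        // Assumption: the original page travels in a "ReturnUrl" query parameter.
        string requested = context.Request.QueryString["ReturnUrl"];
        string target = IsLocalUrl(requested) ? requested : AnonymousHome;

        context.Response.StatusCode = 401;
        context.Response.ContentType = "text/html";
        context.Response.Write(
            "<html><head><title>Redirecting</title>" +
            "<meta http-equiv=\"refresh\" content=\"0; url=" +
            HttpUtility.HtmlAttributeEncode(target) + "\" />" +
            "</head><body></body></html>");
    }
}
```

A value such as `//other-host/page` or `http://other-host/` falls back to the anonymous home page instead of being written into the refresh tag.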

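Please pay attention to the relevant section of the QQ software End User License Agreement

3.9.1 In general, Tencent needs to use users' information resources for the following reasons: (1) to perform software verification services; (2) to perform software upgrade services; (3) to improve the security of users' usage and provide customer support; (4) when a user uses a specific Tencent QQ feature, or requests that Tencent or a partner provide a specific service, Tencent or the partner needs to provide the user's information to the related third party; (5) to use various non-personal-privacy data for commercial purposes, including but not limited to providing third parties with value-added services, advertising, targeted advertising, marketing, joint registration for other services, promotions or any other activities (collectively, "commercial activities"); (6) to enforce Tencent's "Privacy Protection Statement", which users can read on the Tencent website; (7) other ... beneficial to the interests of users and Tencent

Text excerpted from the QQ2010 SP2 installation screen.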

Removing a virus manually (00333.cn)

A virus has appeared recently that frequently sets your IE homepage to 00333.cn.

Here is a way to get out of the trap. (Windows XP/2003/2003 R2/Vista/2008/7/2008 R2)

1 Navigate to the system32 folder of your Windows system.
2 Find all files in that folder with names like “mshtml??.dll”. You may find several files.
3 Check these files one by one. You can just submit each file to VirusTotal to check it. Remember the name of the file that contains the virus.
4 Kill the explorer.exe process using Task Manager or some other tool.
5 Unregister the virus by running the command “regsvr32 /u mshtmlXX.dll” (without the quote marks; the file name is the one found in step 3).
6 Delete mshtmlXX.dll. If you cannot delete it (access denied), you can move that file into another folder (like the root of the drive that contains your operating system).
7 Restart the computer.
8 Delete the file from your target folder if you could not delete it in step 6.

Good luck.

BTW:
According to the registration information of 00333.cn (provided by www.miibeian.gov.cn), the owner of that site is named Liu Yan (zh: 柳严). The registration number is Shanghai-ICP-Reg-09032544 (zh: ICP备09032544号).
This virus is coded in VB and is activated through the context menu of explorer.exe. I dunno how my computer was infected.