Question
I am trying to get my head round setting up authentication for TWiki using IIS 5.0 on NT. I have (finally!) got everything working with RCS etc. and now want to force people to log on so I can track changes. I am currently using anonymous access on IIS so that I can log people in using "nobody" so that users have correct permissions.
Have looked through the TWiki site, and can't find what changes I need to make anywhere. Have read through the stuff on .htaccess, but can't figure out how to map it to IIS.
- TWiki version: TWiki20010901.zip
- Web server: IIS 5
- Server OS: NT
- Web browser:
- Client OS:
--
DavidHay - 30 Nov 2001
Update: I am restricted to NOT being able to create accounts on the NT server to be able to use Basic Authentication. I want to use the accounts automatically added to .htpasswd. Is this possible? Also, what should $doRememberRemoteUser value be?
Answer
I'm still working through some IIS authentication issues myself, but
I can tell you this much: .htpasswd will do nothing if you are using
IIS. TWiki out of the box should add users to the htpasswd file,
even with IIS, but this won't help you.
TWiki thinks the user is whatever the webserver has passed it as
the REMOTE_USER environment variable. IIS gets all of its user
information from the underlying NT user databases, never from a
file like htpasswd. And it gets its permission information about
which files and directories require authenticated access using the
underlying NT ACLs, never from files like htaccess.
So if you can't add users to the NT user database (either on the
server or in the server's domain, if it has one), then you won't
be able to add users to your TWiki.
I think the user authentication methods could be modified or extended
via a plug-in so that the REMOTE_USER is ignored, and users are
identified using cookies (with a login page to check the password
per session), like most web sites use. That way the TWiki could
maintain its own database of users completely independently of the
web server.
It looks like some work has been done on this. Check out
UserCookiePlugin and
UserCookiePluginDev. See also
NoIntranetUserLogon for some other related discussions.
Also, $doRememberRemoteUser won't be of any help here either. If
set, then TWiki will remember a user's authenticated ID even when
viewing an unauthenticated page. It does that by associating the
username with the client's IP address when the user successfully
authenticates. This way, even if the browser doesn't send the
username when viewing a page that doesn't require authentication,
the TWiki can still show the user his correct username.
But it requires the user to authenticate first, which will still
be controlled by the NT OS user database. So setting it either
way won't do you any good.
--
TWikiGuest - 10 Dec 2001
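
The identity resolution described in the answer above, as an added example that is not part of the original thread and not TWiki's own code (TWiki is written in Perl; this is a small Python model). It shows a CGI script taking the username from REMOTE_USER and, when remembering is switched on, falling back to the address recorded at the last successful login. The class name, the `remember` flag, the guest name and the sample requests are assumptions constructed for illustration.

```python
GUEST = "TWikiGuest"  # assumed name shown to visitors who are not logged in


class RemoteUserResolver:
    """Model of 'trust REMOTE_USER, optionally remember it per client address'."""

    def __init__(self, remember):
        self.remember = remember   # stands in for $doRememberRemoteUser
        self.by_addr = {}          # client address -> last authenticated name

    def resolve(self, env):
        """Return the name a request would be attributed to."""
        user = env.get("REMOTE_USER", "").strip()
        addr = env.get("REMOTE_ADDR", "")
        if user:
            # The web server (IIS, against the NT user database) already
            # authenticated this request; the script only records the result.
            if self.remember and addr:
                self.by_addr[addr] = user
            return user
        if self.remember and addr in self.by_addr:
            # Unauthenticated page: reuse the name last seen from this address.
            # The table is keyed on address alone, so every browser behind one
            # proxy or NAT address resolves to the same remembered name.
            return self.by_addr[addr]
        return GUEST


# Constructed sample requests (documentation address range, made-up user).
SAMPLE_REQUESTS = [
    {"REMOTE_ADDR": "192.0.2.10"},                         # view before login
    {"REMOTE_ADDR": "192.0.2.10", "REMOTE_USER": "dhay"},  # authenticated edit
    {"REMOTE_ADDR": "192.0.2.10"},                         # view after login
    {"REMOTE_ADDR": "192.0.2.77"},                         # different address
]


def attribute(remember):
    """Run the sample requests in order and return the attributed names."""
    resolver = RemoteUserResolver(remember)
    return [resolver.resolve(req) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for flag in (True, False):
        print("remember =", flag, "->", attribute(flag))
```

In both runs a name other than the guest only appears after the web server has supplied REMOTE_USER, which is why the setting cannot substitute for accounts the server itself can authenticate.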