Turning on Basic Authentication on a Windows NT/Windows 2000 machine running IIS exposes NT account credentials to the internet in plain text. This plugin for IIS provides a mapping between usernames/passwords supplied to users, and 'real' NT usernames/passwords.


Providing password protected access to parts of a website can be done in two main ways.

a.) Provide an HTML form page for customers to provide credentials, and then check on each protected page to see if they logged in OK. This has the disadvantage that you need to include code to check on each page (i.e. each page must be dynamic) and it cannot protect 'static' content (such as images, plain HTML files, etc.).

b.) Turn on Basic Authentication. This will make your browser display a dialog asking for a username/password when entering into a protected area of the website. All content (static and otherwise) is protected, and based on the username/password will be subject to NTFS file system protection. This has the disadvantage that passwords are sent unencrypted across the network - and even worse - if sniffed these credentials could be used to log on to your server (accounts have the 'Log On Locally' right). Additionally I occasionally see brute force attempts to log in this way in my web logs, indicating that people are actually trying this!

WebAuth was written to remove the need to use real NT usernames/passwords for Basic Authentication (the credentials are still not encrypted, but captured passwords will not lead to system compromise).

WebAuth functions as an IIS ISAPI filter which intercepts Basic Authentication attempts and maps the username/password supplied by your browser (if correct that is!) to a predefined set of NT credentials. Additionally, a COM interface is supplied for manipulating and creating new accounts. The COM interface can be scripted from VBScript/ASP pages, so you can create a webpage for password administration or allow your users to change their own passwords.
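The mapping step described above, sketched in portable C++ as an added example; this is not WebAuth's source code. The table layout, function names and the NT account shown are assumptions made for illustration, and the web login is the sample pair from RFC 7617.

```cpp
// Added illustration, not WebAuth source. Accounts and names are constructed.
#include <cstddef>
#include <map>
#include <string>

struct NtCred { std::string user, password; };
struct WebAccount { std::string webPassword; NtCred nt; };  // a real store would keep a salted hash
typedef std::map<std::string, WebAccount> Table;

// Basic auth is base64, an encoding and not encryption: anyone on the path can do this.
bool b64decode(const std::string& in, std::string& out) {
    static const std::string tbl =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned buf = 0; int bits = 0;
    out.clear();
    for (std::size_t i = 0; i < in.size() && in[i] != '='; ++i) {
        std::size_t pos = tbl.find(in[i]);
        if (pos == std::string::npos) return false;       // reject malformed input
        buf = (buf << 6) | static_cast<unsigned>(pos);
        if ((bits += 6) >= 8) { bits -= 8; out.push_back(static_cast<char>((buf >> bits) & 0xFF)); }
    }
    return true;
}

// Compare without an early exit so timing does not reveal how much matched.
bool sameSecret(const std::string& a, const std::string& b) {
    unsigned diff = (a.size() == b.size()) ? 0u : 1u;
    for (std::size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i]) ^ static_cast<unsigned char>(i < b.size() ? b[i] : 0);
    return diff == 0;
}

// Returns true and fills `nt` only when the web credentials match a table entry.
bool mapBasicAuth(const std::string& header, const Table& table, NtCred& nt) {
    const std::string scheme = "Basic ";
    std::string decoded;
    if (header.compare(0, scheme.size(), scheme) != 0) return false;
    if (!b64decode(header.substr(scheme.size()), decoded)) return false;
    std::size_t colon = decoded.find(':');   // first colon splits; password may contain ':'
    if (colon == std::string::npos) return false;
    Table::const_iterator it = table.find(decoded.substr(0, colon));
    if (it == table.end()) return false;
    if (!sameSecret(decoded.substr(colon + 1), it->second.webPassword)) return false;
    nt = it->second.nt;                      // only the mapped account reaches the NT logon
    return true;
}

// Constructed sample: the RFC 7617 example login mapped to a placeholder NT account.
Table sampleTable() {
    Table t;
    t["Aladdin"] = WebAccount{"open sesame", NtCred{"WEBSRV\\web_readonly", "placeholder-nt-password"}};
    return t;
}
```

The NT password in the table never travels over the network; a sniffed header yields only the web login, which is not a valid NT account.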

WebAuth is written in C++ (ISAPI filter) and Visual Basic (COM interfaces).



WebAuth will be made available for download soon.