Internet Sites and Authentication options

OK, I must be missing something really simple somewhere…

I am trying to set up a server with a main site and a mini-site that handles user registration. I need client certificate authentication ONLY for the main site, but for the mini-site I want to allow anonymous and Username and password authentication. Both sites to be accessed over SSL.

I have created Internet Site docs for both and set the home URLs.

My problem is that if I authenticate to the mini-site (with name and password), I can then browse to the main site. I would like to deny access to the main site for users authenticated with name and password.

The main site is in the domino data directory with the mini-site in a subdirectory.

Each site has its own IP address.

It’s got to be a realm, rule or redirection setting, but I’m stumped.

Thanks in advance,

Mike.

Subject: Internet Sites and Authentication options

Mike, verify the ACL of the database you do not want anonymous to get to. Set anonymous to no access. Then only authenticated users will be able to get to that database.

Also, on the Internet Site documents, do you have the correct settings for anonymous?

Subject: Site to site security

OK, forget anonymous - that doesn’t really matter.

How do I specify that users coming in on the mini-site URL (minisite.mainsite.mycompany.com, hosted in D:\domino\data\minisite\minisite.nsf) cannot browse to databases in the main site (mainsite.mycompany.com hosted in D:\domino\data\mainsite.nsf)?

The mini-site has to use name and password for authentication. This will serve the necessary databases for requesting and picking up an Internet certificate.

I then want the user to be able to use the main site but authenticate using ONLY their digital certificate.

I know I could write an agent to strip out the password and stop them that way, but that entails its own problems in our circumstances. And besides, surely I don’t have to.

Surely I can have two sites on one server, using one address book, with different authentication options and no inter-site security issues…?

Would it help if the main site db was in a subdirectory?

Cheers,

Mike.

Subject: RE: Site to site security

First, it really depends on how you are doing your authentication. Do you have session authentication or do you allow the username/password dialog box? The important thing to remember here is that the authentication is based upon subdomain.domain.com. For example (note domino.com is just an example domain), if I have session authentication for mail.domino.com, when I move to www.domino.com I do not have the same privileges which I had for mail.domino.com. How did I do it? I created an Internet Site for mail.domino.com and specified it would be session authentication. I created another Internet Site document and allowed it not to have session-based authentication. I do know that when you authenticate with Domino it goes to every directory on the server.

So, using your logic, can I suggest you have 2 documents, for minisite.mycompany.com and mainsite.mycompany.com. I think the more subdomains you use makes no difference since it is bound against mainsite.mycompany.com, which is not different when you compare the 2 you were using.

HTH – Cheers – Email in profile.