The AuthenticateUser function ensures that the user is already authenticated. Note that this implies that Basic Authentication or NTLM Authentication is enabled on the IIS server. AuthenticateUser determines this by checking whether the AUTH_TYPE server variable of the Active Server Pages Request object contains the string "basic" or the string "NTLM".
This function should be called at the beginning of an .asp file, before any command that may cause text to be sent to the browser.
The following cases cause text to be sent to the browser and will cause the AuthenticateUser function to fail if they occur before the AuthenticateUser function call:
If authentication fails, the following commands are executed:
'Hold information coming from the server and do not send it to the browser until after Response.End
Response.Buffer = TRUE
'Say "Access denied"
Response.Status = ("401 Unauthorized")
'Failed to authenticate user. Send responses and stop executing the script
Response.End
This file sets the access status with the Response.Status command, so that if the user is not already authenticated, this function returns error 401 (Access denied) and prompts the user for credentials.
If the user is not authenticated, script execution stops and the browser request is not fulfilled. The user is notified that access is denied in the current unauthenticated state.
Active Server Pages and IIS handle the next attempt at authentication and impersonation, if necessary. After a user is authenticated, this script runs in the user's security context. That is, it runs on the server as the user. This means that the script has access to exactly those network resources that the user can access.
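The check and the failure path described above, put together as an added example. This is not the original AuthenticateUser source; the helper name IsAuthenticated and the final line that prints LOGON_USER are assumptions made for illustration.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit

' Added example, not the original source.
' Hypothetical helper: True when IIS has already authenticated the request
' with Basic or NTLM, judged by the AUTH_TYPE server variable.
Function IsAuthenticated()
    Dim authType
    ' AUTH_TYPE is empty when the request was served anonymously.
    authType = Trim(Request.ServerVariables("AUTH_TYPE"))
    ' Case-insensitive "contains" test for the two accepted schemes.
    IsAuthenticated = (InStr(1, authType, "basic", vbTextCompare) > 0) _
                   Or (InStr(1, authType, "NTLM", vbTextCompare) > 0)
End Function

Sub AuthenticateUser()
    If IsAuthenticated() Then Exit Sub

    ' Hold output on the server until Response.End.
    Response.Buffer = True
    ' Answer with 401 so the browser prompts for credentials.
    Response.Status = "401 Unauthorized"
    ' Send the response and stop executing the script.
    Response.End
End Sub

' Call before any HTML or Response.Write so that nothing has been sent
' to the browser when the status is set.
AuthenticateUser

' Reached only for an authenticated request. LOGON_USER holds the account
' the request was authenticated as; encode it before writing it to the page.
Response.Write "Signed in as " & _
    Server.HTMLEncode(Request.ServerVariables("LOGON_USER"))
%>
```

A request that arrives anonymously leaves AUTH_TYPE empty, so it takes the 401 path and nothing after the AuthenticateUser call runs.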