complex problem (IIS login)

From: Ginrai (Ginrai@hotmail.com)
Date: 01/21/03


From: "Ginrai" <Ginrai@hotmail.com>
Date: Tue, 21 Jan 2003 15:05:06 +0800

Dear all,

I am now facing a complex question. I have a central authorization
service (CAS) program set up on one UNIX server.
The goal is to achieve single sign-on: when users log in to the CAS, they
should be able to go to the IIS web site and be logged on automatically
(IIS is set to use standard NT challenge and response).

But the fact is that the central authorization service runs on a UNIX
platform, so the only way we can know whether the user's authorization
succeeded or not is to check the result passed back from the central
authorization service (CAS).

The CAS will also place a cookie after the user logs on to the CAS.

Thus the problem becomes: after IIS has checked that the user is
authenticated (either from the ticket or the cookie, which contains the
user's login ID), IIS should log in to this user's account without the user
entering a password.

(An ISAPI filter alone cannot achieve the desired result: although it can
customize authorization, it is only a *filter*, and in the end it still
needs to hardcode, or read from a text file, a username or password to log
in to NT. That is not truly single sign-on, because two sets of passwords
are needed, one for CAS and one for NT. Anonymous login also cannot work,
because it cannot restrict the user's resources.) One mapping file of CAS
accounts and NT accounts is allowed.

I heard from others that I need to write a new authorization module for the
NT system, but
              (1) it is a nightmare to me!
              (2) even if I successfully changed the NT authorization system,
I cannot be sure IIS would run NT's module without overwriting.

This is really a complex problem to me and any advice is welcome.

Thank you in advance.

Best Regards,
Ginrai