Re: Where is the user impersonation token stored?

From: Gery D. Dorazio (gdorazio_at_enque.net)
Date: 10/10/05


Date: Mon, 10 Oct 2005 15:36:36 -0400

Hi Dominick,

Thanks for the feedback. Can you explain a little more with respect to IIS?

Here is the scenario that has me stumped and really the reason for the post:

1) User requests a restricted page and the Windows popup dialog appears so
the user logs in and is authenticated. Then the page is served up.
2) The user then clicks on another secured page link and is directed to that
page...no popup since he is already authenticated.

Here is a question that may hit the core of the problem:

How does IIS handle authenticated Windows accounts during client-server
requests to a web server?

Here is my thinking as to what happens and the source of my confusion:

When an HTTP request is finished and the response is sent back to the client
the worker thread is finished and recycled...at least that's how I
understand it. Along with this understanding the server then would have no
knowledge whether the user is logged in....e.g. HTTP is stateless. Then for
subsequent requests IIS would have to log them in automatically for each
request since they already logged in once. But what happens on the next
request? Where does IIS (or some ISAPI authentication filter/extension) get
the information to re-logon the user? Translated....where is this:
ctx.WorkerRequest.GetUserToken() getting its user token from?...is it stored
in a header, an encrypted cookie passed back and forth between client and
server?...all this is only in regards to Windows authentication and not
ASP.NET forms authentication since I know that is encrypted in a forms
cookie...

Thanks and hope this is clear,

Thanks,
Gery

-- 
Gery D. Dorazio
Development Engineer
EnQue Corporation
www.EnQue.com
www.ImagingHardware.com
"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> 
wrote in message news:42565460104b138c79b9ca7e77d13@news.microsoft.com...
> Hello Gery,
>
> 1) The outcome of IIS authentication is stored in a blob called ISAPI 
> Extension Control Block - the ASPNET_ISAPI extension passes the token to 
> ASP.NET (via WorkerRequest). This token is available in ASP.NET 2.0 using 
> the Request.LogonUserIdentity
>
> 2) There is some caching involved in IIS - but ASP.NET grabs the 
> impersonation token on each request from IIS to populate Context.User.
>
> HTH
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> When a user visits a web site and is authenticated through the popup
>> dialog box (Windows authentication) he enters his username and
>> password. Evidently this creates the user's impersonation token that is
>> used on subsequent requests to secured web pages. On subsequent
>> requests the WindowsAuthenticationModule is what authenticates on each
>> request. The code that does this looks like this:
>>
>>
>> // text2 is the decompiler's name for the authentication-type string
>> // (the second constructor argument); the first is the per-request token.
>> WindowsIdentity wi = new WindowsIdentity(ctx.WorkerRequest.GetUserToken(),
>>                                          text2, WindowsAccountType.Normal, true);
>> Context.User = new WindowsPrincipal(wi);
>>
>> The questions are:
>> 1. Where did the initial Windows authentication put the user
>> impersonation token?
>> 2. Where is the user impersonation token stored as the user makes web
>> page requests (or is it generated on each request and if so how?)?
>> Thanks,
>> Gery
>> EnQue Corporation
>> www.EnQue.com
>> www.ImagingHardware.com
>
> 
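An added example (not code from either poster) showing how an ASP.NET 2.0 module would read the per-request token that Dominick describes, reject requests that carry no Windows token, and impersonate it only around one operation; it assumes Windows authentication is enabled and anonymous access disabled in IIS, and the file path is a placeholder.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

// Hypothetical module: inspects the Windows token IIS hands to ASP.NET for
// this request and impersonates it only for the duration of one file check.
public class LogonTokenModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // ASP.NET 2.0 exposes the token from the extension control block here.
        // It is a kernel handle valid for this request, not a cookie value.
        WindowsIdentity id = ctx.Request.LogonUserIdentity;
        if (id == null || !id.IsAuthenticated || id.IsAnonymous)
        {
            // No Windows token: the browser has not yet answered the 401
            // challenge, or anonymous access is still enabled on the vdir.
            return;
        }

        // The same handle the quoted WindowsAuthenticationModule code wraps.
        IntPtr token = id.Token;
        ctx.Trace.Write("auth", "Scheme=" + id.AuthenticationType +
                        " User=" + id.Name + " Token=0x" + token.ToString("x"));

        // Impersonate only around the privileged operation and always revert,
        // so the worker thread is never recycled while still impersonating.
        using (WindowsImpersonationContext wic = id.Impersonate())
        {
            // Placeholder path: any resource the caller's own ACLs govern.
            string path = ctx.Server.MapPath("~/App_Data/placeholder.txt");
            bool readable = File.Exists(path);
            ctx.Items["ResourceReadableByCaller"] = readable;
        }
    }

    public void Dispose() { }
}
```

Register it under `<httpModules>` in web.config; with Integrated Windows authentication the token changes per connection or request as the browser re-answers the challenge, which is why nothing needs to be stored in a cookie.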

