Re: Where is the user impersonation token stored?

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 10/11/05 

Date: Mon, 10 Oct 2005 17:05:58 -0700

Hello Gery,

first of all the browser never tries to authenticate if he doesn't need to
- when you hit a page where you don't have anonymous access - IIS bounces
back a 401 to the client along with the possible authentication methods.

>From that point on the browser sends the authentication information as a
header to the server on each request.

download www.fiddlertool.com and try the different authentication settings
in IIS - you can see the headers flowing back and forth. A good testpage
to test the various settings can be found here:
http://www.leastprivilege.com/UpdatedShowContextsAndRequestLogonUserIdentity.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick,
>
> Thanks for the feedback. Can you explain a little more with respect to
> IIS?
>
> Here is the scenareo that has me stumped and really the reason for the
> post:
>
> 1) User requests a restricted page and the Windows popup dialog
> appears so
> the user logs in and is authenticated. Then the page is served up.
> 2) The user then clicks on another secured page link and is directed
> to that
> page...no popup since he is already authenticated.
> Here is a question that may hit the core of the problem:
>
> How does IIS handle authenticated Windows accounts during
> client-server requests to a web server?
>
> Here is my thinking as to what happens and the source of my confusion:
>
> When an HTTP request is finished and the response is sent back to the
> client the worker thread is finished and recycled...at least that's
> how I understand it. Along with this understanding the server then
> would have no knowledge whether the user is logged in....eg http is
> stateless. Then for subsequent requests IIS would have to log them in
> automatically for each request since they already logged in once. But
> what happens on the next request? Where does IIS (or some ISAPI
> authentication filter/extension) get the information to re-logon the
> user? Translated....where is this: ctx.WorkerRequest.GetUserToken()
> getting its user token from?...is it stored in a header, an encrypted
> cookie passed back and forth between client and server?...all this is
> only in regards to Windows authentication and not ASP.NET forms
> authentication since I know that is encrypted in a forms cookie...
>
> Thanks and hope this is clear,
>
> Thanks,
> Gery
> EnQue Corporation
> www.EnQue.com
> www.ImagingHardware.com
> "Dominick Baier [DevelopMentor]"
> <dbaier@pleasepleasenospamdevelop.com> wrote in message
> news:42565460104b138c79b9ca7e77d13@news.microsoft.com...
>
>> Hello Gery,
>>
>> 1) The outcome os IIS authentication is stored in a blob called ISAP
>> Extension Control Block - the ASPNET_ISAPI extension passes the token
>> to ASP.NET (via WorkerRequest). This token is availabe in ASP.NET 2.0
>> using the Request.LogonUserIdentity
>>
>> 2) There is some caching involved in IIS - but ASP.NET grabs the
>> impersonation token on each request from IIS to populate
>> Context.User.
>>
>> HTH
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> When a user visits a web site and is authenticated through the popup
>>> dialog box (Windows authentication) he enters his username and
>>> password. Evidently this creates the users impersonation token that
>>> is used on subsequent requests to secured web pages. On subsequent
>>> requests the WindowsAuthenticationModule is what authenticates on
>>> each request. The code that does this looks like this:
>>>
>>> WindowsIdentity wi = new
>>> WindowsIdentity(ctx.WorkerRequest.GetUserToken(),
>>> text2, WindowsAccountType.Normal, true);
>>> Context.User = new WindowsPrincipal(wi);
>>> The questions are:
>>> 1. Where did the initial Windows authentication put the user
>>> impersonation
>>> token?
>>> 2. Where is the user impersonation token stored as the user makes
>>> web
>>> page
>>> requests(or is it generated on each request and if so how?)?
>>> Thanks,
>>> Gery
>>> EnQue Corporation
>>> www.EnQue.com
>>> www.ImagingHardware.com

Relevant Pages

  • Re: BASIC authentication Issues with IE - Part II - Solved but WHY?
    ... it does not know the difference between a request from IE or from ... some other HTTP client. ... Some other authentication schemes are more ... IIS can sometimes remember the token for a particular set of credentials so ...
    (microsoft.public.inetserver.iis.security)
  • Re: Where is the user impersonation token stored?
    ... Can you explain a little more with respect to IIS? ... User requests a restricted page and the Windows popup dialog appears so ... When an HTTP request is finished and the response is sent back to the client ... Where does IIS (or some ISAPI authentication filter/extension) get ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: HELP PLEASE The request failed with HTTP status 401: Access Denied.
    ... Web Security: Part 2: Introducing the Web Application Manager, Client ... Authentication Options, and Process Isolation ... It introduces the Web Application Manager in IIS that ... logon session, which is dangerous. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: IIS 5.0 Windows Authenticion/NT Challenge Response
    ... The first response looks like it was for a request made to a vdir that has ... anonymous authentication enabled on IIS. ... you could have anonymous authentication enabled. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Where is the user impersonation token stored?
    ... It looks like this is an IIS question now. ... > bounces back a 401 to the client along with the possible authentication ... > header to the server on each request. ... >> 1) User requests a restricted page and the Windows popup dialog ...
    (microsoft.public.dotnet.framework.aspnet.security)