Re: Where is the user impersonation token stored?

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 10/11/05 

Date: Tue, 11 Oct 2005 12:01:53 +1000

Credentials are in the Authorization: header sent from client -> server.
(unless you are using Passport authentication which is cookie based, or
using client certificates etc).

Again, using the HTTP Fiddler tool mentioned earlier will help you look at
these things.

Cheers
Ken

"Gery D. Dorazio" <gdorazio@enque.net> wrote in message
news:umvmgwfzFHA.2932@TK2MSFTNGP10.phx.gbl...
: Hi Dominick,
:
: Do you know what the header is that contains the authentication
information
: as I think that is what I am looking for? The ISAPI authorization filter I
: am looking at calls the ServerSupportFuntion with the HSE_REQ_EXEC_URL
: request with another parameter that contains the impersonation token...The
: docs don't say what header(s) get set that contain this information.
:
: The ISAPI authentication filter (CustomAuth from IIS 6 resource kit) is
for
: using a web page to do Windows authentication so that the IE dialog is no
: longer used.
:
: Thanks,
: Gery
:
: --
: Gery D. Dorazio
: Development Engineer
:
: EnQue Corporation
: www.EnQue.com
: www.ImagingHardware.com
:
: "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
: wrote in message news:425654601063cc8c79c1f74e7fcdd@news.microsoft.com...
: > Hello Gery,
: >
: > first of all the browser never tries to authenticate if he doesn't need
: > to - when you hit a page where you don't have anonymous access - IIS
: > bounces back a 401 to the client along with the possible authentication
: > methods.
: >
: > From that point on the browser sends the authentication information as a
: > header to the server on each request.
: >
: > download www.fiddlertool.com and try the different authentication
settings
: > in IIS - you can see the headers flowing back and forth. A good testpage
: > to test the various settings can be found here:
: >
http://www.leastprivilege.com/UpdatedShowContextsAndRequestLogonUserIdentity.aspx
: >
: > ---------------------------------------
: > Dominick Baier - DevelopMentor
: > http://www.leastprivilege.com
: >
: >> Hi Dominick,
: >>
: >> Thanks for the feedback. Can you explain a little more with respect to
: >> IIS?
: >>
: >> Here is the scenareo that has me stumped and really the reason for the
: >> post:
: >>
: >> 1) User requests a restricted page and the Windows popup dialog
: >> appears so
: >> the user logs in and is authenticated. Then the page is served up.
: >> 2) The user then clicks on another secured page link and is directed
: >> to that
: >> page...no popup since he is already authenticated.
: >> Here is a question that may hit the core of the problem:
: >>
: >> How does IIS handle authenticated Windows accounts during
: >> client-server requests to a web server?
: >>
: >> Here is my thinking as to what happens and the source of my confusion:
: >>
: >> When an HTTP request is finished and the response is sent back to the
: >> client the worker thread is finished and recycled...at least that's
: >> how I understand it. Along with this understanding the server then
: >> would have no knowledge whether the user is logged in....eg http is
: >> stateless. Then for subsequent requests IIS would have to log them in
: >> automatically for each request since they already logged in once. But
: >> what happens on the next request? Where does IIS (or some ISAPI
: >> authentication filter/extension) get the information to re-logon the
: >> user? Translated....where is this: ctx.WorkerRequest.GetUserToken()
: >> getting its user token from?...is it stored in a header, an encrypted
: >> cookie passed back and forth between client and server?...all this is
: >> only in regards to Windows authentication and not ASP.NET forms
: >> authentication since I know that is encrypted in a forms cookie...
: >>
: >> Thanks and hope this is clear,
: >>
: >> Thanks,
: >> Gery
: >> EnQue Corporation
: >> www.EnQue.com
: >> www.ImagingHardware.com
: >> "Dominick Baier [DevelopMentor]"
: >> <dbaier@pleasepleasenospamdevelop.com> wrote in message
: >> news:42565460104b138c79b9ca7e77d13@news.microsoft.com...
: >>
: >>> Hello Gery,
: >>>
: >>> 1) The outcome os IIS authentication is stored in a blob called ISAP
: >>> Extension Control Block - the ASPNET_ISAPI extension passes the token
: >>> to ASP.NET (via WorkerRequest). This token is availabe in ASP.NET 2.0
: >>> using the Request.LogonUserIdentity
: >>>
: >>> 2) There is some caching involved in IIS - but ASP.NET grabs the
: >>> impersonation token on each request from IIS to populate
: >>> Context.User.
: >>>
: >>> HTH
: >>> ---------------------------------------
: >>> Dominick Baier - DevelopMentor
: >>> http://www.leastprivilege.com
: >>>> When a user visits a web site and is authenticated through the popup
: >>>> dialog box (Windows authentication) he enters his username and
: >>>> password. Evidently this creates the users impersonation token that
: >>>> is used on subsequent requests to secured web pages. On subsequent
: >>>> requests the WindowsAuthenticationModule is what authenticates on
: >>>> each request. The code that does this looks like this:
: >>>>
: >>>> WindowsIdentity wi = new
: >>>> WindowsIdentity(ctx.WorkerRequest.GetUserToken(),
: >>>> text2, WindowsAccountType.Normal, true);
: >>>> Context.User = new WindowsPrincipal(wi);
: >>>> The questions are:
: >>>> 1. Where did the initial Windows authentication put the user
: >>>> impersonation
: >>>> token?
: >>>> 2. Where is the user impersonation token stored as the user makes
: >>>> web
: >>>> page
: >>>> requests(or is it generated on each request and if so how?)?
: >>>> Thanks,
: >>>> Gery
: >>>> EnQue Corporation
: >>>> www.EnQue.com
: >>>> www.ImagingHardware.com
: >
: >
:
:

Relevant Pages

  • [REVS] NTLM HTTP Authentication is Insecure By Design
    ... in front of a web server, and that proxy server shares a single TCP ... These are attacks that make use of non-RFC HTTP requests (HTTP Request ... the authentication is associated with the ...
    (Securiteam)
  • Re: WCF security advice (and clarification) needed
    ... You, the client, resolve the foo.mycompany.com hostname within your ... TCP/IP) with that ticket as the security token. ... There are two parties participating in a security scenario, the server ... HTTP supports other authentication ...
    (microsoft.public.dotnet.framework.webservices)
  • Re: EAP-TLS with windows CE
    ... The AP was sending out an Identity Request every second, ... request to the identification server. ... When the server asks the Windows CE device to identify itself, ... I could easily steal your authentication information. ...
    (microsoft.public.windowsce.platbuilder)
  • Re: SSPI Kerberos for delegation
    ... We want the authentication to happen without providing credentials ... But SSPI while authenticating from the client to the server can do mutual ...
    (comp.protocols.kerberos)
  • Re: Aironet 1200/Radius Help Needed
    ... I just fired up a W2003 Advanced Server so that I can take ... >> IAS servers (do I need a separate certificate for the secondary IAS ... >> of authentication since it involves just installing the certificate on ... >between the AP and the client. ...
    (microsoft.public.internet.radius)