RE: Q254787

From: McLOL (McLOL@online.microsoft.com)
Date: 08/15/02


From: McLOL@online.microsoft.com (McLOL)
Date: Wed, 14 Aug 2002 22:34:15 GMT


The article you're referring to is being updated to a newer format. Here is
the text from the article:

-------------------------------------------------------------------------------
The information in this article applies to:
 - Microsoft Internet Information Server version 4.0 
 - Microsoft Internet Information Services version 5.0 
 - Microsoft Internet Information Services version 5.1 
-------------------------------------------------------------------------------
IN THIS TASK
------------
 - SUMMARY
    - Authentication Schemes
    - Writing an ISAPI Filter
 - REFERENCES
SUMMARY
=======
This step-by-step article describes how to write an Internet Server API (ISAPI)
filter that allows you to specify the authentication method for a user based on
the user's Internet Protocol (IP) address.
For example, in Internet Information Server (IIS), you can use the Windows NT
Challenge/Response authentication for clients who come from an internal
corporate network and, at the same time, allow clients from the Internet to be
authenticated through Basic authentication.
Authentication Schemes
----------------------
This article addresses the authentication method in the context of IIS, which
supports Windows NT Challenge/Response and Basic authentication. IIS 5.0 and 5.1
also allow Digest authentication and replace Windows NT Challenge/Response
authentication with Integrated Windows authentication. The corresponding HTTP
WWW-Authenticate header authentication schemes are as follows:
+--------------------------------+------------------+
| Authentication                 | Scheme           |
+--------------------------------+------------------+
| Basic                          | Basic            |
+--------------------------------+------------------+
| Windows NT Challenge/Response  | NTLM             |
+--------------------------------+------------------+
| Digest                         | Digest           |
+--------------------------------+------------------+
| Integrated Windows             | Negotiate, NTLM  |
+--------------------------------+------------------+
Writing an ISAPI Filter
-----------------------
To write an ISAPI filter that allows you to specify the authentication method
for a user based on the user's IP address, perform the following steps:
1. In IIS enable both Basic and NTLM authentication on the server.
2. Build an ISAPI filter to register the SF_NOTIFY_PREPROC_HEADERS and
   SF_NOTIFY_SEND_RESPONSE notifications.
   a. On the SF_NOTIFY_PREPROC_HEADERS notification, the filter retrieves the
      value of REMOTE_ADDR or REMOTE_HOST by using the GetServerVariable
      function and determines whether the user's IP address is on the internal
      network based on the value of the server variable. The filter simply sets
      "pfc->pFilterContext = (LPVOID)fInternalUser" to communicate the
      information to the send response notification handler.
   b. On the SF_NOTIFY_SEND_RESPONSE notification, the filter uses the
      pfc->pFilterContext value to determine which WWW-Authenticate headers
      it needs to remove with the SetHeaders method if the status code is 401.
      Make sure that you only do this for 401 responses with code similar to:
   /* Parenthesize the cast: "->" binds tighter than the cast operator. */
   if (((HTTP_FILTER_PREPROC_HEADERS *)pvNotification)->HttpStatus != 401)
        return SF_STATUS_REQ_NEXT_NOTIFICATION;
3. After you determine that this is a 401 response, you can manipulate the
   WWW-Authenticate header as illustrated in the following code segment:
   if (pfc->pFilterContext)
        RemoveBasic;   /* internal user: remove the Basic challenge */
   else
        RemoveNTLM;    /* external user: remove the NTLM challenge */
NOTE: You must enable the specified authentication scheme on the server as
stated at the beginning of the article. For example, merely adding the
"WWW-Authenticate: NTLM" header does not cause an NTLM authentication handshake
if you do not enable Windows NT Challenge/Response authentication.
NOTE: You cannot specifically remove or change built-in IIS authentication
protocols on the SF_NOTIFY_ACCESS_DENIED event. As a result, you cannot
dynamically choose the authentication scheme with an access denied notification
handler.
REFERENCES
==========
For additional information on ISAPI filter DLLs, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
   Q150312 HOWTO: Install an ISAPI Filter Dynamic-Link Library
   Q183480 HOW TO: Debug ISAPI DLLs Under IIS 4.0 and IIS 5.0
=======================================================
Paul McLennaghan
Microsoft Developer Support
Internet Information Server
***********************
>>Please do not send email directly to this alias. This is an online 
account name for newsgroup participation only.<<
This posting is provided "AS IS" with no warranties, and confers no rights. 
You assume all risk for your use. 
© 2002 Microsoft Corporation. All rights reserved.
***********************
--------------------
| From: "KP" <kamal.panchal@am.sony.com>
| Subject: Q254787
| Date: Wed, 14 Aug 2002 06:41:03 -0700
| Newsgroups: microsoft.public.inetserver.iis.security
| 
| HOWTO: Dynamically Choose Authentication Scheme Using ISAPI Filter in IIS
| http://support.microsoft.com/support/kb/articles/Q254/7/87.asp
| 
| Can't find this Article on Microsoft Site. Can anyone help 
| me with it?
| 
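The decision logic behind steps 2a through 3 of the article, as an added example that is not part of the article or of the post: a strict REMOTE_ADDR check that produces the fInternalUser flag, and the selection of which WWW-Authenticate challenges stay on a 401. The function names and the 10.0.0.0/8 internal range are assumptions; dropping Negotiate along with NTLM for external clients goes beyond the article's RemoveNTLM and follows the Integrated Windows row of the table. In a real filter the address comes from GetServerVariable and the result is applied to the response headers.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define INTERNAL_NET  0x0A000000UL  /* assumption: internal network is 10.0.0.0/8 */
#define INTERNAL_MASK 0xFF000000UL

/* 1 only for a well-formed dotted-quad REMOTE_ADDR in the internal net; malformed = external. */
static int is_internal_user(const char *s)
{
    unsigned long addr = 0;
    if (!s) return 0;
    for (int octet = 1; octet <= 4; octet++) {
        unsigned v = 0, digits = 0;
        while (isdigit((unsigned char)*s) && digits < 3) { v = v * 10 + (unsigned)(*s++ - '0'); digits++; }
        if (digits == 0 || v > 255) return 0;
        addr = (addr << 8) | v;
        if (octet < 4 && *s++ != '.') return 0;
    }
    return *s == '\0' && (addr & INTERNAL_MASK) == INTERNAL_NET;
}

/* Case-insensitive match of the auth-scheme token that starts a header value. */
static int scheme_is(const char *v, const char *scheme)
{
    size_t n = strlen(scheme);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)v[i]) != tolower((unsigned char)scheme[i])) return 0;
    return v[n] == '\0' || v[n] == ' ';
}

/* Compact values[] to the challenges this client may see; returns the new count. */
static size_t select_challenges(const char *values[], size_t count, int internal)
{
    size_t kept = 0;
    for (size_t i = 0; i < count; i++) {
        const char *v = values[i];
        int drop = internal ? scheme_is(v, "Basic") : (scheme_is(v, "NTLM") || scheme_is(v, "Negotiate"));
        if (!drop) values[kept++] = v;
    }
    return kept;
}

int main(void)
{
    const char *h[] = { "Negotiate", "NTLM", "Basic realm=\"example\"" }; /* constructed */
    size_t n = select_challenges(h, 3, is_internal_user("203.0.113.7"));
    return printf("%lu left, first: %s\n", (unsigned long)n, h[0]) < 0;
}
```

REMOTE_HOST can hold a DNS name instead of an address when reverse lookups are enabled, so this check is written for REMOTE_ADDR; a name fails the parse and the client is treated as external.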

