Re: custom page for user credentials?

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/08/03


Date: Tue, 8 Jul 2003 00:16:52 -0700


You can do custom authentication on IIS, which typically means to use a
custom HTML page to enter username/password, transmit it in some fashion,
and do the verification on IIS. This can certainly be done on Windows 2000
and greater.

I do not understand why if you use SSPI to authenticate, you cannot allow
IIS impersonation. Ultimately, you MUST give at least one impersonation
identity to IIS, and then map all other authenticated users to this
identity. If you do not allow IIS to impersonate, you will end up rewriting
the equivalent of Windows Integrated Authentication everywhere.

If you have IIS6, there's sample code in the IIS6 SDK that does custom
authentication called CustomAuth. It only requires Anonymous access from
IIS, but it is able to use LogonUser to change the user IIS impersonates for
a given request. It should be trivial for you to modify it to use SSPI to
authenticate users and then use some other designated identity for IIS
impersonation.

http://www.microsoft.com/msdownload/platformsdk/sdkupdate/default.htm

The code doesn't work on W2K/WXP, but similar ideas can be implemented.

-- 
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Sven Erik Matzen" <sven.matzen@ppepro.com> wrote in message
news:O6SuPIFRDHA.3192@tk2msftngp13.phx.gbl...
Hi there,
I want to use SSPI at the server side to authenticate user logins. I already
have routines to do this, but currently I need to transmit the user name,
domain and password over the net to make it work. It's not a big problem in
my situation (encrypted password, HTTPS and switched LAN) but I want to make
it better. My needs:
- custom page for entering login credentials (changes from client to client)
- support for IE6 and greater
- support for Windows 2000 and greater
- no impersonation of IIS
Is there a way to make this work? Can I generate a JScript to tell IE to use
specific credentials for a server-login?
Sven

