Re: How can I set "remote_user" in ISAPI filter/Extension?
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: Mon, 28 Jul 2003 02:50:41 -0700
Please post future ISAPI questions to:
1. No. Server Variables are read-only entities representative of the
2. Yes. If IIS uses the Authorization header to populate REMOTE_USER, why
would IIS want to parse the Authorization header for anonymous auth?
3. No. You can use SF_NOTIFY_AUTHENTICATION to provide the username/password
for IIS to use as impersonation token. But this event only has relevance
with Basic or Anonymous authentication (i.e. you can't make it work with
Integrated or anything else).
I constructed this scenario, which seems to do what's needed:
1. Configure IIS to be Basic Auth only
2. Clients make Anonymous request
3. Filter sets Authorization: header in PreprocHeaders event to be Base64
encoding of desired username/password to appear in AUTH_USER, AUTH_PASSWORD,
and REMOTE_USER. This does not need to be a valid username/password at all.
4. Filter sets a valid username/password in Authentication event. This
username is reflected in LOGON_USER server variable.
Clients are making anonymous requests only. Conceivably, if the client is
doing custom authentication, it can pass username/password info in the
URL/Headers, which the filter can set in the Authorization: header
appropriately. The impersonation token is all controlled by the
username/password set in Authentication event (so you can do custom
username/ACL mapping here as well).
That said, HSE_REQ_EXEC_URL on IIS6 makes this entire process trivially easy
as it can directly modify impersonation token, REMOTE_USER (and all *_USER
variables), as well as AUTH_TYPE reported by server variables along with
rewrite the entire request (or optionally pass along original values). i.e.
it's possible with one function call to just change REMOTE_USER server
variable of a request without changing/needing anything else.
-- //David This posting is provided "AS IS" with no warranties, and confers no rights. // "lqqchen" <email@example.com> wrote in message news:OBuuZ%23NVDHA.532@TK2MSFTNGP09.phx.gbl... Dear All, Our application need to modify the "remote_user" in an ISAPI filter/Extension for IIS. Our findings are: 1. IIS doesn't allow any modification on the "remote_user" field directly. 2. We learned from newsgroup discussions that by setting HTTP_AUTHORIZATION header before the Authentication Event, IIS will process this header and set the user id into "remote_user" field if successfully authenticated. 3. We found that for no. 2 to work we also need to set the security of the page being accessed to use Basic Authentication, otherwise IIS will ignore the HTTP_AUTHORIZATION header. 4. We also found that the HTTP_AUTHORIZATION header has to be set to BASE64 encoding of "(userid:password)", which means that the ISAPI filter must supply the correct Domain password for the user, otherwise IIS will challenge browser again for correct id and password. What we want know? 1. Is there a way to directly set "remote_user" field. 2. Is it required to set the security of the page to "Basic Authentication" for IIS to process the HTTP_AUTHORIZATION header. 3. Is it required to supply the correct domain password for the IIS to process the HTTP_AUTHORIZATION header and set the "remote_user". Any comments are welcome. Thanks in advance. lqqchen