Re: How can I set "remote_user" in ISAPI filter/Extension?

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/28/03

    Date: Mon, 28 Jul 2003 02:50:41 -0700
    
    

    Please post future ISAPI questions to:
    microsoft.public.platformsdk.internet.server.isapi-dev

    1. No. Server Variables are read-only entities representative of the
    request.
    2. Yes. If IIS uses the Authorization header to populate REMOTE_USER, why
    would IIS want to parse the Authorization header for anonymous auth?
    3. No. You can use SF_NOTIFY_AUTHENTICATION to provide the username/password
    for IIS to use as impersonation token. But this event only has relevance
    with Basic or Anonymous authentication (i.e. you can't make it work with
    Integrated or anything else).

    I constructed this scenario, which seems to do what's needed:
    1. Configure IIS to be Basic Auth only
    2. Clients make Anonymous request
    3. Filter sets Authorization: header in PreprocHeaders event to be Base64
    encoding of desired username/password to appear in AUTH_USER, AUTH_PASSWORD,
    and REMOTE_USER. This does not need to be a valid username/password at all.
    4. Filter sets a valid username/password in Authentication event. This
    username is reflected in LOGON_USER server variable.

    Clients are making anonymous requests only. Conceivably, if the client is
    doing custom authentication, it can pass username/password info in the
    URL/Headers, which the filter can set in the Authorization: header
    appropriately. The impersonation token is all controlled by the
    username/password set in Authentication event (so you can do custom
    username/ACL mapping here as well).

    That said, HSE_REQ_EXEC_URL on IIS6 makes this entire process trivially easy
    as it can directly modify impersonation token, REMOTE_USER (and all *_USER
    variables), as well as AUTH_TYPE reported by server variables along with
    rewriting the entire request (or optionally pass along original values). i.e.
    it's possible with one function call to just change REMOTE_USER server
    variable of a request without changing/needing anything else.

    -- 
    //David
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //
    "lqqchen" <lqqchen2002@hotmail.com> wrote in message
    news:OBuuZ%23NVDHA.532@TK2MSFTNGP09.phx.gbl...
    Dear All,
       Our application needs to modify the "remote_user" in an ISAPI
    filter/Extension for IIS.
       Our findings are:
        1. IIS doesn't allow any modification on the "remote_user" field
    directly.
        2. We learned from newsgroup discussions that by setting
    HTTP_AUTHORIZATION header before the Authentication Event, IIS will process
    this header and set the user id into "remote_user" field if successfully
    authenticated.
        3. We found that for no. 2 to work we also need to set the security of
    the page being accessed to use Basic Authentication, otherwise IIS will
    ignore the HTTP_AUTHORIZATION header.
        4. We also found that the HTTP_AUTHORIZATION header has to be set to
    BASE64 encoding of "(userid:password)", which means that the ISAPI filter
    must supply the correct Domain password for the user, otherwise IIS will
    challenge browser again for correct id and password.
    What we want to know:
    1. Is there a way to directly set "remote_user" field.
    2. Is it required to set the security of the page to "Basic Authentication"
    for IIS to process the HTTP_AUTHORIZATION header.
    3. Is it required to supply the correct domain password for the IIS to
    process the HTTP_AUTHORIZATION header and set the "remote_user".
      Any comments are welcome.  Thanks in advance.
    lqqchen
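
A sketch of steps 3 and 4 of the scenario in the reply, added here as an example; it is not code from the thread or from Microsoft. The helper names `b64_encode` and `build_basic_authorization` and all credential strings are constructed placeholders, and the filter part assumes the Platform SDK's `httpfilt.h` and a `GetFilterVersion` (omitted) that registers for both notifications.

```c
#include <stdio.h>
#include <string.h>
/* Base64-encode n bytes of src into dst (NUL-terminated); -1 if dst is too small. */
static int b64_encode(const unsigned char *src, size_t n, char *dst, size_t cap)
{
    static const char T[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    if (cap < 4 * ((n + 2) / 3) + 1) return -1;
    for (i = 0; i < n; i += 3) {
        unsigned long v = ((unsigned long)src[i] << 16)
            | (i + 1 < n ? (unsigned long)src[i + 1] << 8 : 0) | (i + 2 < n ? src[i + 2] : 0);
        dst[o++] = T[(v >> 18) & 63];
        dst[o++] = T[(v >> 12) & 63];
        dst[o++] = (i + 1 < n) ? T[(v >> 6) & 63] : '=';
        dst[o++] = (i + 2 < n) ? T[v & 63] : '=';
    }
    dst[o] = '\0';
    return 0;
}
/* Step 3 value: "Basic " + Base64("user:password"). A colon in the user name
   is rejected because Basic splits the pair at the first colon. */
int build_basic_authorization(const char *user, const char *pass, char *out, size_t cap)
{
    char pair[256];
    int n;
    if (strchr(user, ':') || cap < 7) return -1;
    n = snprintf(pair, sizeof pair, "%s:%s", user, pass);
    if (n < 0 || (size_t)n >= sizeof pair) return -1;
    memcpy(out, "Basic ", 6);
    return b64_encode((const unsigned char *)pair, (size_t)n, out + 6, cap - 6);
}
#ifdef _WIN32 /* filter entry point; builds only against the Windows SDK */
#include <windows.h>
#include <httpfilt.h>
DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD type, LPVOID p)
{
    char hdr[400];
    if (type == SF_NOTIFY_PREPROC_HEADERS) {        /* step 3: name shown in REMOTE_USER */
        PHTTP_FILTER_PREPROC_HEADERS h = p;
        if (build_basic_authorization("display-user", "unused", hdr, sizeof hdr) == 0)
            h->SetHeader(pfc, "Authorization:", hdr);
    } else if (type == SF_NOTIFY_AUTHENTICATION) {  /* step 4: account IIS impersonates */
        PHTTP_FILTER_AUTHENT a = p;                 /* placeholders; look these up in practice */
        lstrcpynA(a->pszUser, "PLACEHOLDER_ACCOUNT", (int)a->cbUserBuff);
        lstrcpynA(a->pszPassword, "PLACEHOLDER_PASSWORD", (int)a->cbPasswordBuff);
    }
    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
#endif
```

Because the name written in step 3 is never validated by IIS, anything downstream that authorizes on REMOTE_USER is trusting the filter's own mapping, while file ACL checks follow the account set in step 4.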
    
