Re: How can I set "remote_user" in ISAPI filter/Extension?
From: lqqchen (lqqchen2002_at_hotmail.com)
Date: 07/29/03
- Next message: Bernard: "Re: Problem with IIS and SSL"
- Previous message: hanno lai: "Re: IIS Web Server security"
- In reply to: David Wang [Msft]: "Re: How can I set "remote_user" in ISAPI filter/Extension?"
- Next in thread: David Wang [Msft]: "Re: How can I set "remote_user" in ISAPI filter/Extension?"
- Reply: David Wang [Msft]: "Re: How can I set "remote_user" in ISAPI filter/Extension?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 29 Jul 2003 10:36:25 +0800
Hi David,
I have checked the new feature of IIS 6 Extension. According to me, the
extension is only able to read the server variable. If we want to change
"remote_user", we still have to get the correct username/pass first and then
use addHeader to do it.
Could you please give some sample code to show me how to write to server
variable in an Extension?
Thanks and regards.
lqqchen
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:#ARu03OVDHA.2508@TK2MSFTNGP12.phx.gbl...
> Please post future ISAPI questions to:
> microsoft.public.platformsdk.internet.server.isapi-dev
>
> 1. No. Server Variables are read-only entities representative of the
> request.
> 2. Yes. If IIS uses the Authorization header to populate REMOTE_USER, why
> would IIS want to parse the Authorization header for anonymous auth?
> 3. No. You can use SF_NOTIFY_AUTHENTICATION to provide the username/password
> for IIS to use as impersonation token. But this event only has relevance
> with Basic or Anonymous authentication (i.e. you can't make it work with
> Integrated or anything else).
>
> I constructed this scenario, which seems to do what's needed:
> 1. Configure IIS to be Basic Auth only
> 2. Clients make Anonymous request
> 3. Filter sets Authorization: header in PreprocHeaders event to be Base64
> encoding of desired username/password to appear in AUTH_USER, AUTH_PASSWORD,
> and REMOTE_USER. This does not need to be a valid username/password at all.
> 4. Filter sets a valid username/password in Authentication event. This
> username is reflected in LOGON_USER server variable.
>
> Clients are making anonymous requests only. Conceivably, if the client is
> doing custom authentication, it can pass username/password info in the
> URL/Headers, which the filter can set in the Authorization: header
> appropriately. The impersonation token is all controlled by the
> username/password set in Authentication event (so you can do custom
> username/ACL mapping here as well).
>
>
> That said, HSE_REQ_EXEC_URL on IIS6 makes this entire process trivially easy
> as it can directly modify impersonation token, REMOTE_USER (and all *_USER
> variables), as well as AUTH_TYPE reported by server variables along with
> rewrite the entire request (or optionally pass along original values). i.e.
> it's possible with one function call to just change REMOTE_USER server
> variable of a request without changing/needing anything else.
>
> --
> //David
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "lqqchen" <lqqchen2002@hotmail.com> wrote in message
> news:OBuuZ%23NVDHA.532@TK2MSFTNGP09.phx.gbl...
> Dear All,
>
> Our application needs to modify the "remote_user" in an ISAPI
> filter/Extension for IIS.
>
> Our findings are:
>
> 1. IIS doesn't allow any modification on the "remote_user" field
> directly.
> 2. We learned from newsgroup discussions that by setting
> HTTP_AUTHORIZATION header before the Authentication Event, IIS will process
> this header and set the user id into "remote_user" field if successfully
> authenticated.
> 3. We found that for no. 2 to work we also need to set the security of
> the page being accessed to use Basic Authentication, otherwise IIS will
> ignore the HTTP_AUTHORIZATION header.
> 4. We also found that the HTTP_AUTHORIZATION header has to be set to
> BASE64 encoding of "(userid:password)", which means that the ISAPI filter
> must supply the correct Domain password for the user, otherwise IIS will
> challenge browser again for correct id and password.
>
> What we want to know:
> 1. Is there a way to directly set "remote_user" field.
> 2. Is it required to set the security of the page to "Basic Authentication"
> for IIS to process the HTTP_AUTHORIZATION header.
> 3. Is it required to supply the correct domain password for the IIS to
> process the HTTP_AUTHORIZATION header and set the "remote_user".
>
> Any comments are welcome. Thanks in advance.
>
> lqqchen
>
>
>
>
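Added example, not part of the original posts and not Microsoft's or the posters' code: in the scenario quoted above, AUTH_USER and REMOTE_USER come from the Authorization header while LOGON_USER comes from the Authentication event, so the two names can differ. This portable C check decodes a Basic header and flags that mismatch; the function names, the exact-string comparison and the sample values (`alice`, `svc_web`) are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Value of one base64 character, or -1 if it is not in the alphabet. */
static int b64val(char c) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Decode "Basic <base64(user:password)>" and copy the user part (up to the
 * first ':') into user. Returns 0 on success, -1 on a malformed header.
 * Assumption: the scheme is spelled exactly "Basic ". */
int basic_auth_user(const char *hdr, char *user, size_t cap) {
    unsigned acc = 0, bits = 0;
    size_t n = 0;
    if (cap == 0 || strncmp(hdr, "Basic ", 6) != 0) return -1;
    for (hdr += 6; *hdr && *hdr != '='; hdr++) {
        int v = b64val(*hdr);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits < 8) continue;
        bits -= 8;
        char ch = (char)((acc >> bits) & 0xFF);
        if (ch == ':') { user[n] = '\0'; return 0; }
        if (n + 1 >= cap) return -1;   /* never overrun the caller's buffer */
        user[n++] = ch;
    }
    return -1;                         /* no ':' separator */
}

/* 1 if the header-derived name (AUTH_USER/REMOTE_USER) differs from the
 * impersonated account (LOGON_USER), 0 if equal, -1 on a malformed header.
 * Assumption: names are compared as exact strings. */
int identity_mismatch(const char *auth_hdr, const char *logon_user) {
    char user[256];
    if (basic_auth_user(auth_hdr, user, sizeof user) != 0) return -1;
    return strcmp(user, logon_user) != 0;
}

int main(void) {
    /* Constructed sample: "YWxpY2U6eA==" is base64("alice:x"). */
    const char *hdr = "Basic YWxpY2U6eA==";
    printf("alice vs alice:   %d\n", identity_mismatch(hdr, "alice"));
    printf("alice vs svc_web: %d\n", identity_mismatch(hdr, "svc_web"));
    return 0;
}
```

Code that authorizes on REMOTE_USER while file ACLs are evaluated against the LOGON_USER token is where such a mismatch matters, so logging both values per request makes the mapping auditable.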