Re: How can I set "remote_user" in ISAPI filter/Extension?
From: lqqchen (lqqchen2002_at_hotmail.com)
Date: Tue, 29 Jul 2003 10:36:25 +0800
I have checked the new feature of IIS 6 Extension. According to me, the
extension is only able to read the server variable. If we want to change
"remote_user", we still have to get the correct username/pass first and then
use addHeader to do it.
Could you pls give some sample code to show me how to write to server
variable in an Extension?
Thanks and regards.
"David Wang [Msft]" <firstname.lastname@example.org> wrote in message
> Please post future ISAPI questions to:
> 1. No. Server Variables are read-only entities representative of the
> 2. Yes. If IIS uses the Authorization header to populate REMOTE_USER, why
> would IIS want to parse the Authorization header for anonymous auth?
> 3. No. You can use SF_NOTIFY_AUTHENTICATION to provide the
> for IIS to use as impersonation token. But this event only has relevance
> with Basic or Anonymous authentication (i.e. you can't make it work with
> Integrated or anything else).
> I constructed this scenario, which seems to do what's needed:
> 1. Configure IIS to be Basic Auth only
> 2. Clients make Anonymous request
> 3. Filter sets Authorization: header in PreprocHeaders event to be Base64
> encoding of desired username/password to appear in AUTH_USER,
> and REMOTE_USER. This does not need to be a valid username/password at
> 4. Filter sets a valid username/password in Authentication event. This
> username is reflected in LOGON_USER server variable.
> Clients are making anonymous requests only. Conceivably, if the client is
> doing custom authentication, it can pass username/password info in the
> URL/Headers, which the filter can set in the Authorization: header
> appropriately. The impersonation token is all controlled by the
> username/password set in Authentication event (so you can do custom
> username/ACL mapping here as well).
> That said, HSE_REQ_EXEC_URL on IIS6 makes this entire process trivially
> as it can directly modify impersonation token, REMOTE_USER (and all *_USER
> variables), as well as AUTH_TYPE reported by server variables along with
> rewrite the entire request (or optionally pass along original values).
> it's possible with one function call to just change REMOTE_USER server
> variable of a request without changing/needing anything else.
> This posting is provided "AS IS" with no warranties, and confers no
> "lqqchen" <email@example.com> wrote in message
> Dear All,
> Our application need to modify the "remote_user" in an ISAPI
> filter/Extension for IIS.
> Our findings are:
> 1. IIS doesn't allow any modification on the "remote_user" field
> 2. We learned from newsgroup discussions that by setting
> HTTP_AUTHORIZATION header before the Authentication Event, IIS will
> this header and set the user id into "remote_user" field if successfully
> 3. We found that for no. 2 to work we also need to set the security of
> the page being accessed to use Basic Authentication, otherwise IIS will
> ignore the HTTP_AUTHORIZATION header.
> 4. We also found that the HTTP_AUTHORIZATION header has to be set to
> BASE64 encoding of "(userid:password)", which means that the ISAPI filter
> must supply the correct Domain password for the user, otherwise IIS will
> challenge browser again for correct id and password.
> What we want know?
> 1. Is there a way to directly set "remote_user" field.
> 2. Is it required to set the security of the page to "Basic
> for IIS to process the HTTP_AUTHORIZATION header.
> 3. Is it required to supply the correct domain password for the IIS to
> process the HTTP_AUTHORIZATION header and set the "remote_user".
> Any comments are welcome. Thanks in advance.