Re: How can I set "remote_user" in ISAPI filter/Extension?
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/29/03
Date: Mon, 28 Jul 2003 21:21:24 -0700
HSE_REQ_EXEC_URL (ISAPI Extension functionality) is able to change the
server variables as I had said earlier. Read MSDN documentation and also
the ISAPI Extensions sample code from the IIS SDK.
http://www.microsoft.com/msdownload/platformsdk/sdkupdate/default.htm
1. You'd set
HSE_EXEC_URL_USER_INFO.pszCustomUserName = "MYUSERNAME"
HSE_EXEC_URL_USER_INFO.pszCustomAuthType = "";
HSE_EXEC_URL_USER_INFO.hImpersonationToken = NULL; //Inherit the token that
was authenticated with, whether anonymous or Basic/NTLM authenticated!
2. Call HSE_REQ_EXEC_URL with all parameters of HSE_EXEC_URL_INFO to be
NULL, except HSE_EXEC_URL_INFO.pUserInfo = HSE_EXEC_URL_INFO
If you do not use an ISAPI Extension, then the only way to do it with an
ISAPI Filter is what I had described earlier as well. It requires SetHeader
to modify Authorization: header (DO NOT USE AddHeader for this task, as you
need to REPLACE any existing headers, not add an additional one), and it
also requires the correct username/password of a user for use as
impersonation token. This route requires:
1. SetHeader("Authorization:", "BASE64-encoding-of-MYUSERNAME:PASSWORD") in
SF_NOTIFY_PREPROC_HEADERS
2. Setting pAuth->pszUser and pAuth->pszPassword with username/password of a
real user in SF_NOTIFY_AUTHENTICATION to obtain an impersonation token
Both of these methods result in "MYUSERNAME" retrieved from REMOTE_USER.
- HSE_REQ_EXEC_URL can work with any authentication configuration, but the
user must first authenticate if the vdir requires it. i.e. if the vdir is
NTLM, the remote user must authenticate via NTLM before you can change
REMOTE_USER. If the vdir is anonymous, the remote user doesn't need to
authenticate and you can change REMOTE_USER freely.
- ISAPI Filter requires Basic authentication configured, but the user does
not need to authenticate at all (you can set the username/password). i.e.
With the vdir Basic auth'd, the remote user can make an anonymous request to
the resource and have REMOTE_USER change.
--
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"lqqchen" <lqqchen2002@hotmail.com> wrote in message
news:upGHjrXVDHA.612@TK2MSFTNGP10.phx.gbl...
Hi David,

I have checked the new feature of IIS 6 Extension. According to me, the
extension is only able to read the server variable. If we want to change
"remote_user", we still have to get the correct username/pass first and then
use addHeader to do it.

Could you pls give some sample code to show me how to write to server
variable in an Extension?

Thanks and regards.

lqqchen

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:#ARu03OVDHA.2508@TK2MSFTNGP12.phx.gbl...
> Please post future ISAPI questions to:
> microsoft.public.platformsdk.internet.server.isapi-dev
>
> 1. No. Server Variables are read-only entities representative of the
> request.
> 2. Yes. If IIS uses the Authorization header to populate REMOTE_USER, why
> would IIS want to parse the Authorization header for anonymous auth?
> 3. No. You can use SF_NOTIFY_AUTHENTICATION to provide the username/password
> for IIS to use as impersonation token. But this event only has relevance
> with Basic or Anonymous authentication (i.e. you can't make it work with
> Integrated or anything else).
>
> I constructed this scenario, which seems to do what's needed:
> 1. Configure IIS to be Basic Auth only
> 2. Clients make Anonymous request
> 3. Filter sets Authorization: header in PreprocHeaders event to be Base64
> encoding of desired username/password to appear in AUTH_USER, AUTH_PASSWORD,
> and REMOTE_USER. This does not need to be a valid username/password at all.
> 4. Filter sets a valid username/password in Authentication event. This
> username is reflected in LOGON_USER server variable.
>
> Clients are making anonymous requests only. Conceivably, if the client is
> doing custom authentication, it can pass username/password info in the
> URL/Headers, which the filter can set in the Authorization: header
> appropriately. The impersonation token is all controlled by the
> username/password set in Authentication event (so you can do custom
> username/ACL mapping here as well).
>
> That said, HSE_REQ_EXEC_URL on IIS6 makes this entire process trivially easy
> as it can directly modify impersonation token, REMOTE_USER (and all *_USER
> variables), as well as AUTH_TYPE reported by server variables along with
> rewrite the entire request (or optionally pass along original values). i.e.
> it's possible with one function call to just change REMOTE_USER server
> variable of a request without changing/needing anything else.
>
> --
> //David
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "lqqchen" <lqqchen2002@hotmail.com> wrote in message
> news:OBuuZ%23NVDHA.532@TK2MSFTNGP09.phx.gbl...
> Dear All,
>
> Our application needs to modify the "remote_user" in an ISAPI
> filter/Extension for IIS.
>
> Our findings are:
>
> 1. IIS doesn't allow any modification on the "remote_user" field
> directly.
> 2. We learned from newsgroup discussions that by setting
> HTTP_AUTHORIZATION header before the Authentication Event, IIS will process
> this header and set the user id into "remote_user" field if successfully
> authenticated.
> 3. We found that for no. 2 to work we also need to set the security of
> the page being accessed to use Basic Authentication, otherwise IIS will
> ignore the HTTP_AUTHORIZATION header.
> 4. We also found that the HTTP_AUTHORIZATION header has to be set to
> BASE64 encoding of "(userid:password)", which means that the ISAPI filter
> must supply the correct Domain password for the user, otherwise IIS will
> challenge browser again for correct id and password.
>
> What we want to know?
> 1. Is there a way to directly set "remote_user" field.
> 2. Is it required to set the security of the page to "Basic Authentication"
> for IIS to process the HTTP_AUTHORIZATION header.
> 3. Is it required to supply the correct domain password for the IIS to
> process the HTTP_AUTHORIZATION header and set the "remote_user".
>
> Any comments are welcome. Thanks in advance.
>
> lqqchen
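
Added example, not part of the original posts or of any Microsoft sample: in the filter route discussed in this thread, REMOTE_USER follows the user name in the Basic Authorization header while LOGON_USER follows the account supplied in the Authentication event, so code behind the filter can compare the two to see whether the reported identity is the account the request actually runs as. The function names, the domain-stripping rule, and the sample account `CORP\svc_web` are constructed for illustration; the header value uses the standard `Basic <base64>` form.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Map one base64 character to its 6-bit value, or -1 if it is not one. */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Copy the user from "Basic <base64(user:password)>"; 0 on success, -1 if malformed. */
int basic_auth_user(const char *hdr, char *user, size_t cap) {
    unsigned acc = 0; int bits = 0; size_t n = 0;
    if (!hdr || cap == 0) return -1;
    for (const char *p = "basic "; *p; p++, hdr++)
        if (tolower((unsigned char)*hdr) != *p) return -1;
    for (; *hdr && *hdr != '='; hdr++) {
        int v = b64val((unsigned char)*hdr);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) < 8) continue;
        bits -= 8;
        char ch = (char)((acc >> bits) & 0xFF);
        if (ch == ':') { user[n] = '\0'; return 0; } /* password follows */
        if (n + 1 >= cap) return -1;
        user[n++] = ch;
    }
    return -1; /* no ':' separator */
}

/* Assumption: a leading "DOMAIN\" is ignored when comparing names. */
static const char *bare(const char *s) { const char *b = strrchr(s, '\\'); return b ? b + 1 : s; }

/* 1 = header user differs from LOGON_USER, 0 = same, -1 = not Basic. */
int identity_mismatch(const char *authz, const char *logon_user) {
    char user[256];
    if (basic_auth_user(authz, user, sizeof user) != 0) return -1;
    const char *a = bare(user), *b = bare(logon_user);
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 1;
    return (*a || *b) ? 1 : 0;
}

int main(void) { /* constructed values: header says MYUSERNAME, token is CORP\svc_web */
    printf("%d\n", identity_mismatch("Basic TVlVU0VSTkFNRTpQQVNTV09SRA==", "CORP\\svc_web"));
    return 0;
}
```

A result of 1 means the name an application would read from REMOTE_USER is not the account whose ACLs and audit entries apply to the request.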