Re: ISAPI Authentication
From: Wade A. Hilmo [MS] (wadeh_at_microsoft.com)
Date: 12/12/03
- Next message: Andrew Davis [MS]: "RE: HTTP Trace command vulnerability"
- Previous message: Wade A. Hilmo [MS]: "Re: IIS Isolation Mode"
- In reply to: Kevin: "ISAPI Authentication"
- Next in thread: Kevin: "Re: ISAPI Authentication"
- Reply: Kevin: "Re: ISAPI Authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Dec 2003 15:30:02 -0800
Hi Kevin,
There are lots of ways to implement authentication filters on ISAPI. The
"common" way is to write a filter that registers for the
SF_NOTIFY_AUTHENTICATION event. When the event fires, you are given the
username and password from the client (they are blank in the case of an
anonymous request.) Your filter can then change them to whatever username
and password you like (or blank to use the anonymous user account - the IUSR
account.) When your filter then returns SF_STATUS_REQ_NEXT_NOTIFICATION,
any other authentication filters will get a chance to do the same thing.
After all of the authentication filters have had a chance at it, then IIS
will use the filter supplied credentials to get the user token. Note that
IIS does not ship with any authentication filters installed.
It is important to understand that the authentication notification will only
fire for anonymous or basic authenticated requests, so any password from the
client will be sent in the clear. Actually, unless you have code running on
the client to somehow encrypt or hash the user's password, it's impossible
to prevent it from being sent in the clear at least once. You should
consider this when you say that you will not use SSL, even for an intranet.
Other filter authentication schemes typically use a login form on the server
and a cookie to get the client to resubmit authentication information. The
typical logic for such a filter is more complex than I can go into in this
reply.
If you'd like more information about this (or any other) ISAPI issue, please
feel free to post to microsoft.public.platformsdk.internet.server.isapi-dev,
which exists for this purpose.
Thank you,
-Wade A. Hilmo,
-Microsoft
"Kevin" <anonymous@discussions.microsoft.com> wrote in message
news:1243c01c3c029$db795560$a601280a@phx.gbl...
> I'm considering writing an ISAPI filter to handle
> authentication.
>
> Will it completely replace the configured windows
> authentication or will it serve as an extra
> authentication step before the windows authentication?
> The documentation says that I can return
> SF_STATUS_REQ_NEXT_NOTIFICATION but only says that it
> will cause the next filter to be called and says nothing
> about what will happen if IIS is configured to Basic,
> Digest, etc.
>
> Also, is this considered a secure form of authentication
> when compared to other options? I am going to use the
> filter to compare against userids and passwords in a
> database. (The passwords won't be stored as plain
> text.) From what I have read, I already know to watch
> out for buffer overruns. It will run on an intranet and
> we don't plan on using SSL.
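An added example, written for this archive page and not taken from Wade's reply or from Microsoft's SDK samples, of the handler an authentication filter would run when SF_NOTIFY_AUTHENTICATION fires: it takes the user name and password IIS hands over (blank for an anonymous request), checks them against an application account table, and either substitutes a Windows account for IIS to obtain the token from, blanks both values so the request continues as the anonymous (IUSR) account, or fails closed when the mapped name would not fit the buffer IIS supplied. The account table, the INTRANET\ account names, and the stand-in type definitions used when compiling off Windows are constructed assumptions; on Windows the real definitions come from httpfilt.h.

```c
/* Added example: core of an ISAPI authentication filter (constructed sample data). */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <httpfilt.h>        /* real SDK definitions of the types used below */
#else
/* Constructed stand-ins so the logic compiles and runs off Windows; field
 * names match httpfilt.h, status values are the SDK's SF_STATUS_TYPE values. */
typedef unsigned long DWORD;
typedef char *PCHAR;
typedef struct _HTTP_FILTER_AUTHENT {
    PCHAR pszUser;          /* in/out: name sent by the client, "" for anonymous */
    DWORD cbUserBuff;       /* size of the buffer behind pszUser */
    PCHAR pszPassword;      /* in/out: password sent by the client */
    DWORD cbPasswordBuff;   /* size of the buffer behind pszPassword */
} HTTP_FILTER_AUTHENT, *PHTTP_FILTER_AUTHENT;
#define SF_STATUS_REQ_NEXT_NOTIFICATION 0x8000002UL
#define SF_STATUS_REQ_ERROR             0x8000004UL
#endif

struct account {
    const char *app_user;      /* id the client sends (lives in the application DB) */
    const char *app_password;  /* plain here only for the example; store a salted hash */
    const char *win_user;      /* Windows account IIS will obtain a token for */
    const char *win_password;
};

static const struct account ACCOUNTS[] = {      /* constructed sample data */
    { "kevin", "s3cret",  "INTRANET\\web_kevin", "MappedPw1" },
    { "alice", "hunter2", "INTRANET\\web_alice", "MappedPw2" },
};

/* Compare without stopping at the first mismatching byte. */
static int equal_ct(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Copy into the IIS-provided buffer, refusing rather than overrunning it. */
static int copy_bounded(char *dst, DWORD dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0 || n >= dstsize)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Handler for SF_NOTIFY_AUTHENTICATION; returns the status for HttpFilterProc. */
DWORD OnAuthentication(HTTP_FILTER_AUTHENT *auth)
{
    const struct account *match = NULL;
    size_t i;

    /* Anonymous request: credentials arrive blank; leave them so IIS uses IUSR. */
    if (auth->pszUser[0] == '\0')
        return SF_STATUS_REQ_NEXT_NOTIFICATION;

    for (i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].app_user, auth->pszUser) == 0 &&
            equal_ct(ACCOUNTS[i].app_password, auth->pszPassword)) {
            match = &ACCOUNTS[i];
            break;
        }

    if (match == NULL) {
        /* Unknown user or wrong password: blank both so IIS never tries the
         * client's values as a Windows logon; the request falls back to IUSR. */
        auth->pszUser[0] = '\0';
        auth->pszPassword[0] = '\0';
        return SF_STATUS_REQ_NEXT_NOTIFICATION;
    }

    /* Substitute the mapped account; once every authentication filter has run,
     * IIS uses these values to obtain the user token. */
    if (!copy_bounded(auth->pszUser, auth->cbUserBuff, match->win_user) ||
        !copy_bounded(auth->pszPassword, auth->cbPasswordBuff, match->win_password))
        return SF_STATUS_REQ_ERROR;   /* buffer too small: fail closed, never overrun */
    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}

#ifdef _WIN32
BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer)
{
    pVer->dwFilterVersion = HTTP_FILTER_REVISION;
    pVer->dwFlags = SF_NOTIFY_ORDER_DEFAULT | SF_NOTIFY_SECURE_PORT |
                    SF_NOTIFY_NONSECURE_PORT | SF_NOTIFY_AUTHENTICATION;
    strncpy(pVer->lpszFilterDesc, "DB account mapping filter", SF_MAX_FILTER_DESC_LEN);
    return TRUE;
}

DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD type, LPVOID pvNotification)
{
    (void)pfc;
    if (type == SF_NOTIFY_AUTHENTICATION)
        return OnAuthentication((PHTTP_FILTER_AUTHENT)pvNotification);
    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
#endif

/* Drive the handler with buffers shaped like the ones IIS supplies;
 * returns how many of the four scenarios behaved as intended. */
int run_self_checks(void)
{
    char u[64], p[64];
    HTTP_FILTER_AUTHENT a = { u, sizeof u, p, sizeof p };
    int passed = 0;

    strcpy(u, "kevin"); strcpy(p, "s3cret");           /* known user: mapped */
    passed += OnAuthentication(&a) == SF_STATUS_REQ_NEXT_NOTIFICATION &&
              strcmp(u, "INTRANET\\web_kevin") == 0 && strcmp(p, "MappedPw1") == 0;
    strcpy(u, "kevin"); strcpy(p, "wrong");            /* bad password: blanked */
    passed += OnAuthentication(&a) == SF_STATUS_REQ_NEXT_NOTIFICATION &&
              u[0] == '\0' && p[0] == '\0';
    strcpy(u, ""); strcpy(p, "");                      /* anonymous: untouched */
    passed += OnAuthentication(&a) == SF_STATUS_REQ_NEXT_NOTIFICATION && u[0] == '\0';
    strcpy(u, "alice"); strcpy(p, "hunter2");
    a.cbUserBuff = 8;                                  /* mapped name cannot fit */
    passed += OnAuthentication(&a) == SF_STATUS_REQ_ERROR;
    return passed;
}

int main(void)
{
    printf("%d of 4 checks passed\n", run_self_checks());
    return 0;
}
```

On Windows this builds as a DLL exporting GetFilterVersion and HttpFilterProc; elsewhere only the handler and its self-checks compile. Two consequences of the design follow directly from Wade's description: because a failed lookup leaves the request as anonymous, the resources the filter protects need anonymous access disabled in IIS for the lookup to mean anything, and because the notification only fires for anonymous and Basic requests, the password the filter compares still crosses the network in the clear unless SSL is used.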