Re: How does IIS handle user impersonation token?

From: Gery D. Dorazio (gdorazio_at_enque.net)
Date: 10/11/05


Date: Tue, 11 Oct 2005 13:56:46 -0400

Thanks Ken...this helps a great deal.

I also took your advice from the post on the aspnet.security newsgroup and
installed fiddler. I ran it on both an online SharePoint machine and my
development SharePoint server and can see the NTLM sequencing that you
describe here. It's quite interesting how this works and it makes sense when
I close the browser after being logged onto SharePoint... I have to log on
again. Also, I can see the browser respond to 401s for every visit to the
site (for authorization required pages)...showing the 'automatic' NTLM
authorization sequence for each request.

Thanks for your help in this matter.

Gery

-- 
Gery D. Dorazio
Development Engineer
EnQue Corporation
www.EnQue.com
www.ImagingHardware.com
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message 
news:uMaSspgzFHA.2424@TK2MSFTNGP12.phx.gbl...
> "Gery D. Dorazio" <gdorazio@enque.net> wrote in message
> news:egkTIhgzFHA.3892@TK2MSFTNGP12.phx.gbl...
> : I am using a custom authentication ISAPI filter/extension in conjunction
> : with using an html form page to authenticate users. As part of this process
> : I am trying to understand how IIS handles authentication on subsequent round
> : trips to the server. Specifically, how does IIS handle the user
> : impersonation token? Does it put it into a header or cookie for each request
> : after login?
>
> IIS doesn't put the user token anywhere (headers or cookie it sends to the
> client).
>
> If you are using something like Forms Authentication (with ASP.NET), then
> "yes", cookies are used, but that's a function of ASP.NET not IIS. Likewise,
> Passport authentication uses cookies too, but that's part of the Passport
> infrastructure.
>
> For HTTP based authentication mechanisms (Basic, Digest, NTLM, Kerberos),
> the client sends the credentials to IIS using the Authorization: header as
> part of each request to the server. The server does not send any
> authentication information to the client (all the server does is challenge
> the client if the client attempts to make an anonymous request, and as part
> of the challenge lists the acceptable authentication mechanisms via the use
> of WWW-Authenticate: headers).
>
> Hope that helps.
>
> Cheers
> Ken
>
> :
> : I am trying to understand this so that I can properly initialize the
> : impersonation token into the right place so that IIS can continue doing
> its
> : authentication.
> :
> : Any helpful good reads on this would be appreciated.
> :
> : Thanks,
> : Gery
> :
> : -- 
> : Gery D. Dorazio
> : Development Engineer
> :
> : EnQue Corporation
> : www.EnQue.com
> : www.ImagingHardware.com
> :
> :
>
> 
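The challenge/response flow Ken describes can be modelled in a few dozen lines. The Python below is an added illustration, not code from either poster: a stateless server that answers anonymous requests with 401 plus a multi-scheme WWW-Authenticate header (here Negotiate, NTLM and Basic, as an IIS box might offer), a parser for that header, and a browser-like client that re-sends Authorization on every request once challenged. The user name, password, realm and header values are constructed for the example. Only Basic is completed end to end; NTLM and Negotiate are multi-leg exchanges and are just listed as offered schemes.

```python
"""Model of HTTP challenge/response authentication: the server keeps no
session state, challenges anonymous requests with 401 + WWW-Authenticate,
and the client carries Authorization on each subsequent request.
Users, realm and header values are constructed for this example."""
import base64
import hmac
from typing import Dict, List, Optional, Tuple

USERS = {"gery": "s3cret"}          # hypothetical credential store
REALM = "example-iis"               # constructed realm name
OFFERED_SCHEMES = 'Negotiate, NTLM, Basic realm="%s"' % REALM


def _split_quote_aware(value: str) -> List[str]:
    """Split on commas that are not inside double quotes (qop="auth,auth-int")."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_www_authenticate(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(scheme, params)] for a WWW-Authenticate value that lists several
    challenges in one header, e.g. 'Negotiate, NTLM, Basic realm="x"'."""
    challenges: List[Tuple[str, Dict[str, str]]] = []
    for piece in _split_quote_aware(header):
        head, _, rest = piece.partition(" ")
        if "=" in head:
            # No scheme name: a further parameter of the previous challenge.
            if not challenges:
                raise ValueError("parameter before any scheme: %r" % piece)
            key, _, val = piece.partition("=")
            challenges[-1][1][key.strip().lower()] = val.strip().strip('"')
        else:
            params: Dict[str, str] = {}
            if rest:
                key, _, val = rest.partition("=")
                params[key.strip().lower()] = val.strip().strip('"')
            challenges.append((head, params))
    return challenges


def basic_authorization(user: str, pw: str) -> str:
    """Build the Authorization value a client sends for Basic."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, pw)).encode()).decode()


def decode_basic(auth_header: str) -> Optional[Tuple[str, str]]:
    """Recover user and password from a Basic Authorization header; the point
    for defenders is that this is reversible and travels on every request."""
    scheme, _, blob = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pw


def server_handle(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Stateless handler: nothing about earlier requests is remembered."""
    auth = request_headers.get("Authorization")
    if auth is None:
        return 401, {"WWW-Authenticate": OFFERED_SCHEMES}
    creds = decode_basic(auth)
    if creds is None:
        # Non-Basic or malformed credentials: re-issue the challenge.
        return 401, {"WWW-Authenticate": OFFERED_SCHEMES}
    user, pw = creds
    expected = USERS.get(user, "")
    if not expected or not hmac.compare_digest(expected.encode(), pw.encode()):
        return 401, {"WWW-Authenticate": OFFERED_SCHEMES}
    return 200, {"X-Authenticated-User": user}


def _send(path: str, creds: Optional[str], transcript: list) -> Tuple[int, List[str]]:
    headers = {} if creds is None else {"Authorization": creds}
    status, resp = server_handle(headers)
    offered = [s for s, _ in parse_www_authenticate(resp["WWW-Authenticate"])] if status == 401 else []
    transcript.append((path, creds is not None, status, offered))
    return status, offered


def client_session(user: str, pw: str, paths: List[str]) -> list:
    """Browser-like session: first request anonymous, retry with Authorization
    after the 401, then send Authorization pre-emptively for the rest.
    Returns [(path, sent_authorization, status, schemes_offered)]."""
    transcript: list = []
    creds: Optional[str] = None
    for path in paths:
        status, offered = _send(path, creds, transcript)
        if status == 401 and creds is None and "Basic" in offered:
            creds = basic_authorization(user, pw)
            _send(path, creds, transcript)
    return transcript


if __name__ == "__main__":
    for entry in client_session("gery", "s3cret", ["/default.aspx", "/lists.aspx"]):
        print(entry)
```

Starting a second `client_session` reproduces what Gery observed after closing the browser: the cached credentials are gone, so the first request is anonymous again and draws a fresh 401. The `decode_basic` helper also shows why Basic is only acceptable over TLS: every request carries the reversible credential.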

