Your answer is very helpful. Thank you very much!
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:e7r1BvYVDHA.1896@TK2MSFTNGP12.phx.gbl...
> HSE_REQ_EXEC_URL (ISAPI Extension functionality) is able to change the
> server variables as I had said earlier. Read MSDN documentation and also
> the ISAPI Extensions sample code from the IIS SDK.
>
> http://www.microsoft.com/msdownload/platformsdk/sdkupdate/default.htm
>
> 1. You'd set
> HSE_EXEC_URL_USER_INFO.pszCustomUserName = "MYUSERNAME"
> HSE_EXEC_URL_USER_INFO.pszCustomAuthType = "";
> HSE_EXEC_URL_USER_INFO.hImpersonationToken = NULL; //Inherit the token that
> was authenticated with, whether anonymous or Basic/NTLM authenticated!
> 2. Call HSE_REQ_EXEC_URL with all parameters of HSE_EXEC_URL_INFO to be
> NULL, except HSE_EXEC_URL_INFO.pUserInfo = HSE_EXEC_URL_INFO
>
>
> If you do not use an ISAPI Extension, then the only way to do it with an
> ISAPI Filter is what I had described earlier as well. It requires SetHeader
> to modify Authorization: header (DO NOT USE AddHeader for this task, as you
> need to REPLACE any existing headers, not add an additional one), and it
> also requires the correct username/password of a user for use as
> impersonation token. This route requires:
> 1. SetHeader("Authorization:", "BASE64-encoding-of-MYUSERNAME:PASSWORD") in
> SF_NOTIFY_PREPROC_HEADERS
> 2. Setting pAuth->pszUser and pAuth->pszPassword with username/password of a
> real user in SF_NOTIFY_AUTHENTICATION to obtain an impersonation token
>
>
> Both of these methods result in "MYUSERNAME" retrieved from REMOTE_USER.
>
> - HSE_REQ_EXEC_URL can work with any authentication configuration, but the
> user must first authenticate if the vdir requires it. i.e. if the vdir is
> NTLM, the remote user must authenticate via NTLM before you can change
> REMOTE_USER. If the vdir is anonymous, the remote user doesn't need to
> authenticate and you can change REMOTE_USER freely.
>
> - ISAPI Filter requires Basic authentication configured, but the user does
> not need to authenticate at all (you can set the username/password). i.e.
> With the vdir Basic auth'd, the remote user can make an anonymous request to
> the resource and have REMOTE_USER change
>
> --
> //David
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "lqqchen" <lqqchen2002@hotmail.com> wrote in message
> news:upGHjrXVDHA.612@TK2MSFTNGP10.phx.gbl...
> Hi David,
>
> I have checked the new feature of IIS 6 Extension. According to me, the
> extension is only able to read the server variable. If we want to change
> "remote_user", we still have to get the correct username/pass first and then
> use addHeader to do it.
>
> Could you pls give some sample code to show me how to write to server
> variable in an Extension?
>
> Thanks and regards.
>
> lqqchen
>
>
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:#ARu03OVDHA.2508@TK2MSFTNGP12.phx.gbl...
> > Please post future ISAPI questions to:
> > microsoft.public.platformsdk.internet.server.isapi-dev
> >
> > 1. No. Server Variables are read-only entities representative of the
> > request.
> > 2. Yes. If IIS uses the Authorization header to populate REMOTE_USER, why
> > would IIS want to parse the Authorization header for anonymous auth?
> > 3. No. You can use SF_NOTIFY_AUTHENTICATION to provide the username/password
> > for IIS to use as impersonation token. But this event only has relevance
> > with Basic or Anonymous authentication (i.e. you can't make it work with
> > Integrated or anything else).
> >
> > I constructed this scenario, which seems to do what's needed:
> > 1. Configure IIS to be Basic Auth only
> > 2. Clients make Anonymous request
> > 3. Filter sets Authorization: header in PreprocHeaders event to be Base64
> > encoding of desired username/password to appear in AUTH_USER, AUTH_PASSWORD,
> > and REMOTE_USER. This does not need to be a valid username/password at all.
> > 4. Filter sets a valid username/password in Authentication event. This
> > username is reflected in LOGON_USER server variable.
> >
> > Clients are making anonymous requests only. Conceivably, if the client is
> > doing custom authentication, it can pass username/password info in the
> > URL/Headers, which the filter can set in the Authorization: header
> > appropriately. The impersonation token is all controlled by the
> > username/password set in Authentication event (so you can do custom
> > username/ACL mapping here as well).
> >
> >
> > That said, HSE_REQ_EXEC_URL on IIS6 makes this entire process trivially easy
> > as it can directly modify impersonation token, REMOTE_USER (and all *_USER
> > variables), as well as AUTH_TYPE reported by server variables along with
> > rewrite the entire request (or optionally pass along original values). i.e.
> > it's possible with one function call to just change REMOTE_USER server
> > variable of a request without changing/needing anything else.
> >
> > --
> > //David
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> > //
> > "lqqchen" <lqqchen2002@hotmail.com> wrote in message
> > news:OBuuZ%23NVDHA.532@TK2MSFTNGP09.phx.gbl...
> > Dear All,
> >
> > Our application needs to modify the "remote_user" in an ISAPI
> > filter/Extension for IIS.
> >
> > Our findings are:
> >
> > 1. IIS doesn't allow any modification on the "remote_user" field
> > directly.
> > 2. We learned from newsgroup discussions that by setting
> > HTTP_AUTHORIZATION header before the Authentication Event, IIS will process
> > this header and set the user id into "remote_user" field if successfully
> > authenticated.
> > 3. We found that for no. 2 to work we also need to set the security of
> > the page being accessed to use Basic Authentication, otherwise IIS will
> > ignore the HTTP_AUTHORIZATION header.
> > 4. We also found that the HTTP_AUTHORIZATION header has to be set to
> > BASE64 encoding of "(userid:password)", which means that the ISAPI filter
> > must supply the correct Domain password for the user, otherwise IIS will
> > challenge browser again for correct id and password.
> >
> > What we want to know?
> > 1. Is there a way to directly set "remote_user" field.
> > 2. Is it required to set the security of the page to "Basic Authentication"
> > for IIS to process the HTTP_AUTHORIZATION header.
> > 3. Is it required to supply the correct domain password for the IIS to
> > process the HTTP_AUTHORIZATION header and set the "remote_user".
> >
> > Any comments are welcome. Thanks in advance.
> >
> > lqqchen
> >
> >
> >
> >
>
>
>
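
For step 1 of the filter route quoted above, an added example (not from the thread or the IIS SDK): the Authorization value a Basic-auth server parses is the scheme token "Basic", a space, then the base64 of user:password. build_basic_authorization is a hypothetical helper name, and the resulting string is what a filter would pass as the value argument to SetHeader.

```c
#include <stddef.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode n bytes of src into dst (NUL-terminated).
   Returns the encoded length, or -1 if dst_cap is too small. */
static int b64_encode(const unsigned char *src, size_t n,
                      char *dst, size_t dst_cap)
{
    size_t i, o = 0;
    if (dst_cap < 4 * ((n + 2) / 3) + 1) return -1;
    for (i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)src[i] << 16;
        if (i + 1 < n) v |= (unsigned long)src[i + 1] << 8;
        if (i + 2 < n) v |= src[i + 2];
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        dst[o++] = (i + 2 < n) ? B64[v & 63] : '=';
    }
    dst[o] = '\0';
    return (int)o;
}

/* Hypothetical helper: writes "Basic <base64(user:password)>" to out.
   Returns 0 on success, -1 on bad input or insufficient space. */
int build_basic_authorization(const char *user, const char *password,
                              char *out, size_t out_cap)
{
    unsigned char creds[256];
    size_t ulen, plen;
    int rc;
    if (!user || !password || !out || out_cap < 7) return -1;
    ulen = strlen(user);
    plen = strlen(password);
    /* The server splits at the first ':', so the user name cannot hold one. */
    if (ulen == 0 || strchr(user, ':')) return -1;
    if (ulen + 1 + plen > sizeof creds) return -1;
    memcpy(creds, user, ulen);
    creds[ulen] = ':';
    memcpy(creds + ulen + 1, password, plen);
    rc = b64_encode(creds, ulen + 1 + plen, out + 6, out_cap - 6);
    if (rc >= 0) memcpy(out, "Basic ", 6);
    memset(creds, 0, sizeof creds);  /* best-effort scrub of the plaintext copy */
    return rc < 0 ? -1 : 0;
}
```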