Caching windows basic authentication token


Re: Caching windows basic authentication token David Wang [Msft]
10/5/2004 4:08:09 PM
Are you talking about Basic authentication or Windows authentication?

#2 does not work in general because IIS executes requests with the
impersonated token that it authenticated with. Custom code that sets the
impersonate token is unspecified and can fail at any time.
#3 is not recommended because it exposes user credentials on the client.

When using Basic authentication, the browser determines when to pass the
user credentials around (so it is doing the "caching").

When using Windows authentication, the actual TCP connection is
authenticated. If intermediate proxies between the browser and server
multiplex connections or the server is configured to not allow HTTP
KeepAlive, random results can happen.

CustomAuth in the IIS portion of the Platform SDK should be a nearly perfect
sample code for your situation, as it illustrates how to use an HTML form to
retrieve username/password (optionally over SSL), and then performs an
AD-compatible LogonUser call and changes the impersonation IIS uses for the
remainder of that request.

http://www.microsoft.com/msdownload/platformsdk/sdkupdate/default.htm

It does have one reported issue that I'm aware of -- passwords containing
spaces fail -- but you've got the source code so you can fix it.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

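As an added example (not code from this thread or from the CustomAuth sample) of the per-request LogonUser and impersonation David describes, assuming an ASP.NET code-behind with form fields txtUser and txtPass and a label lblWho:

```csharp
// Added example: validate form-supplied credentials with LogonUser and
// impersonate that user for the rest of the current request only. The token is
// a process-local handle; it cannot be handed to the browser, so any page that
// needs the identity has to repeat this on every request (as CustomAuth does).
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class RequestImpersonation
{
    const int LOGON32_LOGON_NETWORK = 3;      // no interactive logon right needed
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' as the AD user, then reverts to the worker-process identity
    // and closes the token. Throws Win32Exception with the logon failure reason.
    public static void RunAs(string domain, string user, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate();
            try { work(); }           // file/SQL access here happens as the user
            finally { ctx.Undo(); }   // always revert, even if 'work' throws
        }
        finally
        {
            CloseHandle(token);       // never leave the token open past the request
        }
    }
}

// Usage from the code-behind (assumed field names; "CONTOSO" is a placeholder domain):
// RequestImpersonation.RunAs("CONTOSO", txtUser.Text, txtPass.Text,
//     delegate { lblWho.Text = WindowsIdentity.GetCurrent().Name; });
```
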
Caching windows basic authentication token Diego Embon (personal mail)
10/5/2004 11:31:12 PM
Hello,

I have a problem with basic windows authentication in IIS6. As a developer
I'm requested to implement windows authentication on my web application
(asp.net), but to avoid the browser login window. I have all the users in
Active Directory and this is not an intranet system. I've tried a few
techniques to achieve my goal:

1. ISAPI filter is the most flexible option, but I'm looking for something
simpler.
2. Impersonation fails in maintaining the credentials between different
requests. I can impersonate the user using the token returned by the logon
function, but when redirecting to the next page, the user credentials are
not kept.
3. I tried using http://username:password@server/site/page.ext. This works
fine (secured only when implementing SSL) but Microsoft is dropping this
method, and IE6 does not support it in its new versions (support can be
activated by a key in the registry but I have no access to the client
stations).

After I logon to AD using the user credentials entered in my custom asp.net
login form, I have the user's token. The only missing part is how to pass
this token to the browser token cache.

Does anyone have any suggestion?

Thanks!

Diego.

Re: Caching windows basic authentication token Miha Pihler
10/6/2004 12:32:05 AM
Hi,

Check out "CustomAuth" that comes with IIS 6.0 Resource tools.

Here is some additional information:
********************************************
CustomAuth (CustomAuth.dll and CustomAuth.ini)
Use CustomAuth as a Web client authentication alternative to Basic, NTLM,
and other IIS authentication methods. With CustomAuth, you can create a
custom logon form for collecting user credentials, or you can use or modify
the logon form that is included with the tool. As an ISAPI filter that must
also be installed as a wildcard application map, CustomAuth runs at the
beginning of every request, regardless of the extension of the requested
file. Because CustomAuth allows users to log off after they complete a
session, it is a good solution for a public kiosk.
********************************************

IIS Resource Kit is a free download. You can transfer it from here:

IIS 6.0 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

Mike
