"Gery D. Dorazio" <gdorazio@enque.net> wrote in message
news:egkTIhgzFHA.3892@TK2MSFTNGP12.phx.gbl...

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:uMaSspgzFHA.2424@TK2MSFTNGP12.phx.gbl...
> "Gery D. Dorazio" <gdorazio@enque.net> wrote in message
> news:egkTIhgzFHA.3892@TK2MSFTNGP12.phx.gbl...
> :I am using a custom authentication ISAPI filter/extension in conjunction
> : with using an html form page to authenticate users. As part of this
> process
> : I am trying to understand how IIS handles authentication on subsequent
> round
> : trips to the server. Specifically, how does IIS handle the user
> : impersonation token? Does it put it into a header or cookie for each
> request
> : after login?
>
> IIS doesn't put the user token anywhere (headers or cookie it sends to the
> client).
>
> If you are using something like Forms Authentication (with ASP.NET), then
> "yes", cookies are used, but that's a function of ASP.NET not IIS.
> LIkewise,
> Password authentication uses cookies too, but that's part of the Passport
> infrastructure.
>
> For HTTP based authentication mechanisms (Basic, Digest, NTLM, Kerberos),
> the client sends the credentials to IIS using the Authorization: header as
> part of each request to the server. The server does not send any
> authentication information to the client (all the server does is challenge
> the client if the client attempts to make an anonymous request, and as
> part
> of the challenge lists the acceptable authentication mechanisms via the
> use
> of WWW-Authenticate: headers).
>
> Hope that helps.
>
> Cheers
> Ken
>
>
>
>
>
> :
> : I am trying to understand this so that I can properly initialize the
> : impersonation token into the right place so that IIS can continue doing
> its
> : authentication.
> :
> : Any helpful good reads on this would be appreciated.
> :
> : Thanks,
> : Gery
> :
> : --
> : Gery D. Dorazio
> : Development Engineer
> :
> : EnQue Corporation
> : www.EnQue.com
> : www.ImagingHardware.com
> :
> :
>
>

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:uMaSspgzFHA.2424@TK2MSFTNGP12.phx.gbl...
> "Gery D. Dorazio" <gdorazio@enque.net> wrote in message
> news:egkTIhgzFHA.3892@TK2MSFTNGP12.phx.gbl...
> :I am using a custom authentication ISAPI filter/extension in conjunction
> : with using an html form page to authenticate users. As part of this
> process
> : I am trying to understand how IIS handles authentication on subsequent
> round
> : trips to the server. Specifically, how does IIS handle the user
> : impersonation token? Does it put it into a header or cookie for each
> request
> : after login?
>
> IIS doesn't put the user token anywhere (headers or cookie it sends to the
> client).
>
> If you are using something like Forms Authentication (with ASP.NET), then
> "yes", cookies are used, but that's a function of ASP.NET not IIS.
> LIkewise,
> Password authentication uses cookies too, but that's part of the Passport
> infrastructure.
>
> For HTTP based authentication mechanisms (Basic, Digest, NTLM, Kerberos),
> the client sends the credentials to IIS using the Authorization: header as
> part of each request to the server. The server does not send any
> authentication information to the client (all the server does is challenge
> the client if the client attempts to make an anonymous request, and as
> part
> of the challenge lists the acceptable authentication mechanisms via the
> use
> of WWW-Authenticate: headers).
>
> Hope that helps.
>
> Cheers
> Ken
>
>
>
>
>
> :
> : I am trying to understand this so that I can properly initialize the
> : impersonation token into the right place so that IIS can continue doing
> its
> : authentication.
> :
> : Any helpful good reads on this would be appreciated.
> :
> : Thanks,
> : Gery
> :
> : --
> : Gery D. Dorazio
> : Development Engineer
> :
> : EnQue Corporation
> : www.EnQue.com
> : www.ImagingHardware.com
> :
> :
>
>