
ISAPI Filter and authenticated users


Gwerder@discussions.microsoft.com Martin Gwerder

Dec 22, 2008, 6:38:05 AM
Hi Everybody

I am currently working on a proof of concept for an authenticating ISAPI
filter on IIS6. Here is what it does:

- It identifies the user based on the certificate and maps an AD account to
that identity (Yes -- I know that this is possible on IIS6 without coding
*but not* spanning across multiple forests)

My question is:

- How do I "tell" IIS what user it should use as authenticated users?

More concretely, is there a callback function or structure passed along which
might be used in an ISAPI Filter (or ISAPI extension)?

I have no basic auth and therefore I am unable to identify the user with a
username/password tuple (as in _HTTP_FILTER_AUTHENT required). Is there a way
to "tell" the IIS (and the application using the passed on credentials) to
use a specific AD account (which might be one of a trusted forest and not the
current forest itself) without having the credentials itself.

Hopefully this question is not too stupid as I am a newbie in terms of
ISAPI API programming.

Any suggestions, solutions, hints about technical documentation (yes ... I am
willing to read complex documents) no matter how vague or concrete are highly
appreciated.


David Wang

Dec 22, 2008, 10:39:15 PM
On Dec 22, 3:38 am, Martin Gwerder <Martin

In general, it is not easy to "tell" IIS6 (and earlier) to use a
specific user account with a given request. It is not how it was
designed. IIS7 (and later) is completely different and very
fundamentally easy to set the user token to use with a given request
(of course, you are responsible for obtaining that user token).

There are a few well-known configuration and ISAPI Filter/Extension
combinations to make IIS6 use specific user tokens on a per-request
basis. I don't think any of the strategies are publicly documented by
Microsoft in complex (or even simple) details.

What you want to do is not possible within an ISAPI Filter since it is
not possible for it to tell IIS what AD account to use without having
the credentials.

Requiring Client Certificate plus Wildcard Application Mapping would
allow you to have certificate info inside the Wildcard Application
Mapping before executing the request and using HSE_REQ_EXEC_URL,
control the user token of the request -- but you will have to find a
way to get your desired cross-forest user token without having the
credentials.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Martin Gwerder

Dec 23, 2008, 12:42:03 AM
David

Thanks a lot for your reply. It is therefore exactly as I feared and
anything else would have been a surprise for me (impersonating an account
without its explicit credentials could be misused -- As always security has
proven to be unhandy :-D ).

However - Merry Christmas, a happy new year and Thanks again
Martin

kansao

Aug 16, 2010, 10:44:10 AM
Martin Gwerder wrote on 12/22/2008 06:38 ET :
> Hi Everybody
>
> I am currently working on a proof of concept for an authenticating ISAPI
> filter on IIS6. Here is what it does:
>
> - It identifies the user based on the certificate and maps an AD account to
> that identity (Yes -- I know that this is possible on IIS6 without coding
> *but not* spanning across multiple forests)
>
> My question is:
>
> - How do I "tell" IIS what user it should use as authenticated users?
>
> More concretely, is there a callback function or structure passed along which
> might be used in an ISAPI Filter (or ISAPI extension)?
>
> I have no basic auth and therefore I am unable to identify the user with a
> username/password tuple (as in _HTTP_FILTER_AUTHENT required). Is there a way
> to "tell" the IIS (and the application using the passed on credentials) to
> use a specific AD account (which might be one of a trusted forest and not the
> current forest itself) without having the credentials itself.
>
> Hopefully this question is not too stupid as I am a newbie in terms of
> ISAPI API programming.
>
> Any suggestions, solutions, hints about technical documentation (yes ... I am
> willing to read complex documents) no matter how vague or concrete are highly
> appreciated.
>
Hi, I need to build an ISAPI filter to validate some issues from the client
certificate before allowing the SSL connection with IIS 6.0.

I have created the ISAPI filter but I don't know how to get the user
certificate info (I have been googling without results). Could you help me?

thanks!!