date: Fri, 10 Mar 2006 15:11:28 -0800    group: microsoft.public.platformsdk.internet.server.isapi-dev


CustomAuth problems, results from AuthDiag   
I am having trouble with authentication using a filter loosely based on the 
CustomAuth example. I suspect the problem is valid username, but unknown 
domain, but I'm pretty green in this area. Here's my suspect report from 
AuthDiag:

<AuthMonRow Number="11" tid="0x7a0" Date="03/10/2006 17:17:35.533"
 Name="LogonUserExW" Success="Yes" Error_Number="0"
 UserName="glenn.nelson.ctr@metnet.navy.mil" Domain="(null)" 
LogonType="Network Cleartext"
 time_taken="16 ms"
 />

Here are the gory details:

We have users log in to our own SSO server, then CustomAuth parses a cookie, 
obtains username (which is their full email address), then looks them up on 
our ActiveDirectory (AD) domain controller. If their account is found, 
CustomAuth fills in appropriate http header fields and passes request along 
the filter chain. The user accounts are members of Domain Users, and it is 
possible to log in at a domain member console with one of these accounts, so I 
know the account is OK.

Nevertheless, if the user requests a web page that requires Basic or 
Integrated authentication, and has anonymous disabled, they are always 
prompted with browser authentication. They should already be authenticated. 
IIS logs don't tell me much - CustomAuth writes the authenticated username 
and it is what I expect.

Today I discovered AuthDiag and now wonder how to interpret the results. I 
request a page that specifies both Basic or anonymous authentication. The 
request first redirects to SSO server, gets user info, comes back to server, 
goes into CustomAuth filter and then I see this:

<AuthMonRow Number="9" tid="0x7a0" Date="03/10/2006 17:17:35.377"
 Name="OnNewRequest" SiteId="1" Conn="0xf800000040000395" 
Req="0xf800000060000396"
 Verb="GET"
 Url="/ks"
 Auth_header_length="0" Auth_header=""
 />

<AuthMonRow Number="10" tid="0x7a0" Date="03/10/2006 17:17:35.377"
 Name="LogonUserExW" Success="Yes" Error_Number="0"
 UserName="IUSR_MORGANITE" Domain="MORGANITE" LogonType="Network Cleartext"
 time_taken="0 ms"
 />

<AuthMonRow Number="11" tid="0x7a0" Date="03/10/2006 17:17:35.533"
 Name="LogonUserExW" Success="Yes" Error_Number="0"
 UserName="glenn.nelson@mywork.domain.com" Domain="(null)" 
LogonType="Network Cleartext"
 time_taken="16 ms"
 />

I guess the first instance of LogonUserExW occurs to satisfy the anonymous 
access. The second instance I suppose is for Basic auth. I suspect the 
problem is Domain="(null)", I hope someone can tell me what to do about this!

A few more entries from AuthDiag and then the browser auth dialog appears, I 
login with local Windows account and from then on I'm good to go. Here are 
additional records. Number 24 appears to be when it finally knows who I am:

<AuthMonRow Number="17" tid="0x7a0" Date="03/10/2006 17:17:54.799"
 Conn="0xf800000040000395" Name="Disconnect"
 />


<AuthMonRow Number="18" tid="0x7a0" Date="03/10/2006 17:18:04.190"
 Name="OnNewRequest" SiteId="1" Conn="0xf90000004000040c" 
Req="0xf90000006000040f"
 Verb="GET"
 Url="/ks/_catalogs/mock2_style.css"
 Auth_header_length="61" Auth_header="NTLM 
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
 />

<AuthMonRow Number="19" tid="0x7a0" Date="03/10/2006 17:18:04.190"
 Name="AcquireCredentialsHandleA" Result="0x0"
 Principal="(null)" Package="NTLM"
 />

<AuthMonRow Number="20" tid="0x7a0" Date="03/10/2006 17:18:04.190"
 Name="AcceptSecurityContext" Result="0x90312" ContextAttr="0x0"
 Package="NTLM" UserName=""
 ClientName=""
 ServerName=""
 time_taken="0 ms"
 />

<AuthMonRow Number="21" tid="0x7a0" Date="03/10/2006 17:18:04.190"
 ProcIdentity="ADESVR\STSAcct" ThreadIdentity=""
 Name="CreateFileW" File="\\?\C:\WINDOWS\help\iisHelp\common\401-1.htm"
 Success="Yes" Error_Number="0" Error=""
 time_taken="0 ms"
 />

<AuthMonRow Number="22" tid="0x7a0" Date="03/10/2006 17:18:04.190"
 Name="HttpSendHttpResponse"
 Req="0xf90000006000040f"
 StatusCode="401" Reason="Unauthorized"
 />

<AuthMonRow Number="23" tid="0x7a0" Date="03/10/2006 17:18:04.190"
 Name="IoCompletion"
 />

<AuthMonRow Number="24" tid="0x7a0" Date="03/10/2006 17:18:04.190"
 Name="OnNewRequest" SiteId="1" Conn="0xf90000004000040c" 
Req="0xf900000060000410"
 Verb="GET"
 Url="/ks/_catalogs/mock2_style.css"
 Auth_header_length="237" Auth_header="NTLM 
TlRMTVNTUAADAAAAGAAYAH4AAAAYABgAlgAAABoAGgBIAAAADgAOAGIAAAAOAA4AcAAAAAAAAACuAAAABYKIogUBKAoAAAAPMQAwAC4AMQAwADAALgAzADQALgAxADAAMwBuAGUAbABzAG8AbgBnAFIASABPAEQASQBVAE0An36dkXgpQo4AAAAAAAAAAAAAAAAAAAAAI8QkUHELWUXnsmhT82dXbMWI0d0tv5q2"
 />

<AuthMonRow Number="25" tid="0x7a0" Date="03/10/2006 17:18:04.205"
 Name="AcceptSecurityContext" Result="0x0" ContextAttr="0x0"
 Package="NTLM" UserName="MORGANITE\nelsong"
 ClientName=""
 ServerName=""
 time_taken="16 ms"
 />

<AuthMonRow Number="26" tid="0x7a0" Date="03/10/2006 17:18:04.205"
 Name="AccessCheck" ClientIdentity="MORGANITE\nelsong"
 Success="Yes" SecurityDescriptor="0013EFF8"
 />

Thanks for taking the time to read this!

-- 
-----
Glenn Nelson in Santa Cruz
date: Fri, 10 Mar 2006 15:11:28 -0800   author:   Glenn Nelson

RE: CustomAuth problems, results from AuthDiag   
I have more information, but still no solution. BTW, I based my filter on the 
older AuthFilter example, not on Custom Auth.
It is NOT an extension, it is only ISAPI filter. 
I am requiring authentication to two different targets: a single page and a 
SharePoint site. The page has IIS file security
set to integrated. The SharePoint site has anonymous access disallowed, but 
I am unable to set "allow authenticated users access" -
it is grayed out and I haven't figured out why - but that is an issue for 
another forum.

User accounts are in Active Directory and the principal is the user email 
address. The Windows NT username
is auto-generated.

Here's what happens with the single page.
1. When my auth filter is disabled, the user is prompted to authenticate and 
must give a valid email addr. Login is successful, and clearly the email addr 
is looked up in Active Dir and translated to Windows NT style <domain>\<username>.
   Server variables show this:
   AUTH_TYPE=NTLM
   AUTH_USER=<Windows NT-style username, not the email addr>
   LOGON_USER=<same as AUTH_USER>
   REMOTE_USER=<same as AUTH_USER>
   HTTP_AUTHORIZATION=<long character string, a session ID?>

2. When my auth filter is enabled, the user is not prompted to authenticate, 
because the filter is given user email address. The filter is also given 
knowledge of password, so during SF_NOTIFY_AUTHENTICATION it fills in pszUser 
and pszPassword. The page that requires authentication is again successfully 
reached, but the server variables are quite different!

   AUTH_TYPE=<empty>
   AUTH_USER=<empty>
   LOGON_USER=<user email addr>
   REMOTE_USER=<empty?>
   HTTP_AUTHORIZATION=<empty?>
    
At this point I'm happy that it works, but with AUTH_TYPE and 
HTTP_AUTHORIZATION both empty I'm pretty baffled
as to how it works. If the LOGON_USER is given an email addr that is NOT in 
Active Directory, the page cannot be accessed,
so authentication is really occurring.

Now on to SharePoint. Here the case #2 simply fails to allow access in 
SharePoint. Instead I receive a login prompt
AFTER auth filter is done. I login as in case #1 and can now access 
SharePoint.

What on earth am I doing wrong? Or is case #2 actually the expected 
response? Is the problem strictly with SharePoint?
-- 
-----
Glenn Nelson in Santa Cruz


date: Mon, 13 Mar 2006 21:13:57 -0800   author:   Glenn Nelson

Re: CustomAuth problems, results from AuthDiag   
Hi Glenn,

The non-Sharepoint case is working as expected.  The HTTP_AUTHORIZATION
server variable is simply the Authorization header sent by the client.
Since your filter uses a cookie instead of the Authorization header, it
makes sense that this header is empty.  The AUTH_TYPE, AUTH_USER and
REMOTE_USER are all derived from the Authorization header, and the fact that
they are empty follows directly from its absence.

I can't help you with the Sharepoint case, since I know nothing about how
Sharepoint works (although I've seen plenty of people reporting issues using
it with various custom authentication schemes.)  It might be worth asking
the question on a Sharepoint forum.

Thank you,
-Wade A. Hilmo,
-Microsoft

date: Tue, 14 Mar 2006 08:38:52 -0800   author:   Wade A. Hilmo [MS]

Re: CustomAuth problems, results from AuthDiag   
Everything you observed is by-design behavior. SharePoint is not happy
because REMOTE_USER is empty.

Solutions include:
1. ISAPI Filter, server configured with Basic authentication, and
SF_NOTIFY_PREPROC_HEADERS is used to populate REMOTE_USER while
SF_NOTIFY_AUTHENTICATION populates the user token
2. ISAPI Extension, server configured with Anonymous authentication, and
wildcard application mapping uses HSE_REQ_EXEC_URL to set the REMOTE_USER,
AUTH_TYPE, as well as user token

If you are using IIS6, solution #2 is the far simpler and preferred 
approach.

If I have some time, I'll write up blog entries with ISAPI sample source
code for both approaches as illustration, but I'm really busy right now.


As for your prior post:
The problem is not with the username. Simple lookup of LogonUserEx() on MSDN
shows that since glenn.nelson.ctr@metnet.navy.mil is a UPN, when it appears
as lpszUsername, lpszDomain must be NULL -- which is exactly what is going
on and thus perfectly correct. The AuthDiag log is also perfectly fine;
first shows CustomAuth remapping anonymous to your specified user account,
then shows the user dialog popping up and you successfully logging in with
NTLM with MORGANITE\nelsong.

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

date: Wed, 15 Mar 2006 03:20:01 -0800   author:   David Wang [Msft]
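The two explanations given in the replies, modelled in portable C as an added example (this is not IIS, SharePoint or Glenn's filter code): Wade's point that AUTH_TYPE and REMOTE_USER are derived only from the Authorization header, so a cookie-driven filter that merely supplies a token leaves them empty; David's approach #1, where the filter synthesizes that header at SF_NOTIFY_PREPROC_HEADERS so the core populates REMOTE_USER; and the LogonUserEx rule that a UPN is passed whole with a NULL domain. The type and function names (server_vars, derive_server_vars, make_basic_authorization, split_logon_name) and the password are constructed for the example.

```c
/* Added example, not IIS, SharePoint or the poster's filter: a portable model of
 * why a cookie-driven filter leaves AUTH_TYPE/REMOTE_USER empty, of approach #1
 * (synthesize the Authorization header) and of the LogonUserEx UPN rule. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char auth_type[16];    /* AUTH_TYPE: scheme named in the Authorization header */
    char remote_user[128]; /* REMOTE_USER (and AUTH_USER): derived from that header */
    char logon_user[128];  /* LOGON_USER: taken from the impersonation token */
} server_vars;

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

static size_t b64_encode(const unsigned char *in, size_t n, char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < n) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        if (o + 5 > cap) return 0;                 /* 4 chars + NUL must fit */
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? B64[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

static size_t b64_decode(const char *in, unsigned char *out, size_t cap) {
    size_t o = 0; unsigned v = 0; int bits = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(B64, *in); if (!p) return 0; /* reject non-alphabet */
        v = (v << 6) | (unsigned)(p - B64); bits += 6;
        if (bits >= 8) {
            if (o >= cap) return 0;
            bits -= 8; out[o++] = (unsigned char)(v >> bits);
        }
    }
    return o;
}

/* LogonUserEx rule from David's reply: a UPN (user@realm) goes in lpszUsername
 * whole and lpszDomain must be NULL, so Domain="(null)" in AuthDiag is correct.
 * Returns true when a domain string should be passed, false for NULL. */
bool split_logon_name(const char *name, char *user, size_t ulen, char *domain, size_t dlen) {
    const char *bs = strchr(name, '\\');
    if (strchr(name, '@')) {                       /* UPN */
        snprintf(user, ulen, "%s", name);
        domain[0] = '\0';
        return false;
    }
    if (bs) {                                      /* down-level DOMAIN\user */
        snprintf(domain, dlen, "%.*s", (int)(bs - name), name);
        snprintf(user, ulen, "%s", bs + 1);
        return true;
    }
    snprintf(user, ulen, "%s", name);              /* bare SAM name: local machine */
    snprintf(domain, dlen, ".");
    return true;
}

/* Wade's point: only the Authorization header feeds AUTH_TYPE/REMOTE_USER. */
void derive_server_vars(const char *authorization, const char *token_user, server_vars *sv) {
    memset(sv, 0, sizeof *sv);
    snprintf(sv->logon_user, sizeof sv->logon_user, "%s", token_user);
    if (!authorization || !*authorization) return; /* cookie-only filter: nothing to derive */
    if (strncmp(authorization, "Basic ", 6) == 0) {
        unsigned char cred[256];
        size_t n = b64_decode(authorization + 6, cred, sizeof cred - 1);
        cred[n] = '\0';
        char *colon = strchr((char *)cred, ':');
        if (colon) *colon = '\0';                  /* keep only the user part */
        snprintf(sv->auth_type, sizeof sv->auth_type, "Basic");
        snprintf(sv->remote_user, sizeof sv->remote_user, "%s", (char *)cred);
    } else if (strncmp(authorization, "NTLM ", 5) == 0) {
        /* SSPI: the name is known only once AcceptSecurityContext returns 0x0 */
        snprintf(sv->auth_type, sizeof sv->auth_type, "NTLM");
        snprintf(sv->remote_user, sizeof sv->remote_user, "%s", token_user);
    }
}

/* Approach #1: the header a filter would set via SetHeader("Authorization:", ...)
 * in SF_NOTIFY_PREPROC_HEADERS. Basic carries the password in clear: TLS only. */
size_t make_basic_authorization(const char *user, const char *password, char *out, size_t cap) {
    char cred[256];
    int n = snprintf(cred, sizeof cred, "%s:%s", user, password);
    if (n < 0 || (size_t)n >= sizeof cred || cap < 7) return 0;
    memcpy(out, "Basic ", 6);
    size_t e = b64_encode((const unsigned char *)cred, (size_t)n, out + 6, cap - 6);
    return e ? e + 6 : 0;
}
```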
