|
|
|
date: Tue, 6 May 2008 08:53:02 -0700 (PDT),
group: microsoft.public.platformsdk.internet.server.isapi-dev
back
Do I have to write ISAPI Filter?
I have a website (W1), running on IIS6, containing ASP 1.0 files,
having "Integrated Authentication", and an another website (W2) having
"Formbased Authentication". I would like to redirect from W1 to W2,
bypassing authentication, only when the URL contains few selected ASP
pages.
Example: http://w1.com/g1.asp --> Show "Integrated Authentication"
dialog and then load g1.asp located on
w1.com
http://w1.com/g2.asp --> Should not show "Integrated
Authentication" dialog and redirected it to
w2.com.
Authentication of W1 should get completely bypassed.
I am not an expect in IIS, did good amount of reading and based on
that I may have to write 'ISAPI Filter'.
Because I have ASP 1.0 files, I can not use C# classes, and I do not
mind writing C++.
Please let me know whether there are other solutions...
Thanks
Ramesh
date: Tue, 6 May 2008 08:53:02 -0700 (PDT)
author: unknown
Re: Do I have to write ISAPI Filter?
On May 6, 8:53 am, "asnowf...@gmail.com" wrote:
> I have a website (W1), running on IIS6, containing ASP 1.0 files,
> having "Integrated Authentication", and an another website (W2) having
> "Formbased Authentication". I would like to redirect from W1 to W2,
> bypassing authentication, only when the URL contains few selected ASP
> pages.
>
> Example:http://w1.com/g1.asp --> Show "Integrated Authentication"
> dialog and then load g1.asp located on
> w1.com
> http://w1.com/g2.asp --> Should not show "Integrated
> Authentication" dialog and redirected it to
> w2.com.
> Authentication of W1 should get completely bypassed.
>
> I am not an expect in IIS, did good amount of reading and based on
> that I may have to write 'ISAPI Filter'.
> Because I have ASP 1.0 files, I can not use C# classes, and I do not
> mind writing C.
>
> Please let me know whether there are other solutions...
>
> Thanks
> Ramesh
It is not advised to just jump into ISAPI Filter or whatever
implementation platform without fully understanding what you are
trying to write.
You need to first define this custom "authentication protocol" and
then based on the protocol sequence, determine the proper
implementation technology. At this point, ISAPI Filter, C#, ASP, etc
are irrelevant to the discussion. All of them are technologies that
can solve problems like yours, but none of them magically help you do
anything.
At this point, it is not clear to me HOW W1 is supposed to show proof
of user authentication to W2 and why W2 should even trust proof of
authentication from W1. There is no such thing as "bypass
authentication" -- if you want to selectively bypass authentication,
then you might as well turn off authentication. And since Integrated
Authentication never passes the user's password to the website, it is
not clear how you can legitimately do "Forms based authentication" --
proof of authentication tend to not transfer across different
authentication protocols like Forms Auth and Integrated Auth without
establishment of trust.
I'm not saying this sort of thing is impossible to accomplish.
However, you have to work out the details because you're assuming lots
of trust between entities that have no real reason to trust each
other. Security cares about these details, and if you want to assemble
your own proprietary authentication sequence, you must know,
understand, and work with these details.
Otherwise, you must reuse existing solutions (either from Microsoft or
others) and not proprietary ones.
Of course, you can do all of this in an insecure manner by using less
secure protocols that allow passwords to be passed around, but that's
the usual security issue surrounding any authentication protocol,
proprietary or standard.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
date: Tue, 6 May 2008 13:50:48 -0700 (PDT)
author: David Wang
Re: Do I have to write ISAPI Filter?
> At this point, it is not clear to me HOW W1 is supposed to show proof
> of user authentication to W2 and why W2 should even trust proof of
> authentication from W1. There is no such thing as "bypass
> authentication" -- if you want to selectively bypass authentication,
> then you might as well turn off authentication. And since Integrated
W2 has a custom membership provider and is using LDAP server for
authentication, and I as you know W1 is using "Windows Integrated
Authentication."
Before redirecting the web request to W2, I do not want W1 to show any
login dialog box. W2 is already protected with FormBasedAuthentication
so that will show *custom* log-in dialog to recieive u/p, and this
user/password would used for look against LDAP server.
To summarize, both sites W1 and W2 are secure, and we do not want W1
to show Windows log-in dialog, and custom log-in dialog of W2 should
be the first place to recieve user's credentials.
Thanks
Ramesh
On May 6, 4:50 pm, David Wang wrote:
> On May 6, 8:53 am, "asnowf...@gmail.com" wrote:
>
>
>
>
>
> > I have a website (W1), running on IIS6, containing ASP 1.0 files,
> > having "Integrated Authentication", and an another website (W2) having
> > "Formbased Authentication". I would like to redirect from W1 to W2,
> > bypassing authentication, only when the URL contains few selected ASP> > pages.
>
> > Example:http://w1.com/g1.asp --> Show "Integrated Authentication"
> > dialog and then load g1.asp located on
> > w1.com
> > http://w1.com/g2.asp --> Should not show "Integrated
> > Authentication" dialog and redirected it to
> > w2.com.
> > Authentication of W1 should get completely bypassed.
>
> > I am not an expect in IIS, did good amount of reading and based on
> > that I may have to write 'ISAPI Filter'.
> > Because I have ASP 1.0 files, I can not use C# classes, and I do not
> > mind writing C.
>
> > Please let me know whether there are other solutions...
>
> > Thanks
> > Ramesh
>
> It is not advised to just jump into ISAPI Filter or whatever
> implementation platform without fully understanding what you are
> trying to write.
>
> You need to first define this custom "authentication protocol" and
> then based on the protocol sequence, determine the proper
> implementation technology. At this point, ISAPI Filter, C#, ASP, etc
> are irrelevant to the discussion. All of them are technologies that
> can solve problems like yours, but none of them magically help you do
> anything.
>
> At this point, it is not clear to me HOW W1 is supposed to show proof
> of user authentication to W2 and why W2 should even trust proof of
> authentication from W1. There is no such thing as "bypass
> authentication" -- if you want to selectively bypass authentication,
> then you might as well turn off authentication. And since Integrated
> Authentication never passes the user's password to the website, it is
> not clear how you can legitimately do "Forms based authentication" --
> proof of authentication tend to not transfer across different
> authentication protocols like Forms Auth and Integrated Auth without
> establishment of trust.
>
> I'm not saying this sort of thing is impossible to accomplish.
> However, you have to work out the details because you're assuming lots
> of trust between entities that have no real reason to trust each
> other. Security cares about these details, and if you want to assemble
> your own proprietary authentication sequence, you must know,
> understand, and work with these details.
>
> Otherwise, you must reuse existing solutions (either from Microsoft or
> others) and not proprietary ones.
>
> Of course, you can do all of this in an insecure manner by using less
> secure protocols that allow passwords to be passed around, but that's
> the usual security issue surrounding any authentication protocol,
> proprietary or standard.
>
> //Davidhttp://w3-4u.blogspot.comhttp://blogs.msdn.com/David.Wang
> //- Hide quoted text -
>
> - Show quoted text -
date: Tue, 6 May 2008 14:21:43 -0700 (PDT)
author: unknown
Re: Do I have to write ISAPI Filter?
I'm verifying my understanding -- you want users who request certain
URLs from W1 to be transparently redirected to certain URLs on W2.
You do NOT want users to authenticate to W1 be transparently
authenticated when accessing URLs on W2.
If this is correct, then simply create same IIsWebFile for each URL
you want to redirect, set Anonymous Authentication on them, and set
HttpRedirect on that URL to go to the desired URL on W2. No ISAPI
Filter necessary.
This means that if users accessing those certain URLs on W1 they will
always be redirected to W2, while if they access any other URL on W1
they will be required to do Integrated Authentication as you've
configured.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On May 6, 2:21 pm, "asnowf...@gmail.com" wrote:
> > At this point, it is not clear to me HOW W1 is supposed to show proof
> > of user authentication to W2 and why W2 should even trust proof of
> > authentication from W1. There is no such thing as "bypass
> > authentication" -- if you want to selectively bypass authentication,
> > then you might as well turn off authentication. And since Integrated
>
> W2 has a custom membership provider and is using LDAP server for
> authentication, and I as you know W1 is using "Windows Integrated
> Authentication."
> Before redirecting the web request to W2, I do not want W1 to show any
> login dialog box. W2 is already protected with FormBasedAuthentication
> so that will show *custom* log-in dialog to recieive u/p, and this
> user/password would used for look against LDAP server.
>
> To summarize, both sites W1 and W2 are secure, and we do not want W1
> to show Windows log-in dialog, and custom log-in dialog of W2 should
> be the first place to recieve user's credentials.
>
> Thanks
> Ramesh
>
> On May 6, 4:50 pm, David Wang wrote:
>
>
>
> > On May 6, 8:53 am, "asnowf...@gmail.com" wrote:
>
> > > I have a website (W1), running on IIS6, containing ASP 1.0 files,
> > > having "Integrated Authentication", and an another website (W2) having> > > "Formbased Authentication". I would like to redirect from W1 to W2,
> > > bypassing authentication, only when the URL contains few selected ASP
> > > pages.
>
> > > Example:http://w1.com/g1.asp --> Show "Integrated Authentication"
> > > dialog and then load g1.asp located on
> > > w1.com
> > > http://w1.com/g2.asp --> Should not show "Integrated
> > > Authentication" dialog and redirected it to
> > > w2.com.
> > > Authentication of W1 should get completely bypassed.
>
> > > I am not an expect in IIS, did good amount of reading and based on
> > > that I may have to write 'ISAPI Filter'.
> > > Because I have ASP 1.0 files, I can not use C# classes, and I do not
> > > mind writing C.
>
> > > Please let me know whether there are other solutions...
>
> > > Thanks
> > > Ramesh
>
> > It is not advised to just jump into ISAPI Filter or whatever
> > implementation platform without fully understanding what you are
> > trying to write.
>
> > You need to first define this custom "authentication protocol" and
> > then based on the protocol sequence, determine the proper
> > implementation technology. At this point, ISAPI Filter, C#, ASP, etc
> > are irrelevant to the discussion. All of them are technologies that
> > can solve problems like yours, but none of them magically help you do
> > anything.
>
> > At this point, it is not clear to me HOW W1 is supposed to show proof
> > of user authentication to W2 and why W2 should even trust proof of
> > authentication from W1. There is no such thing as "bypass
> > authentication" -- if you want to selectively bypass authentication,
> > then you might as well turn off authentication. And since Integrated
> > Authentication never passes the user's password to the website, it is
> > not clear how you can legitimately do "Forms based authentication" --
> > proof of authentication tend to not transfer across different
> > authentication protocols like Forms Auth and Integrated Auth without
> > establishment of trust.
>
> > I'm not saying this sort of thing is impossible to accomplish.
> > However, you have to work out the details because you're assuming lots
> > of trust between entities that have no real reason to trust each
> > other. Security cares about these details, and if you want to assemble
> > your own proprietary authentication sequence, you must know,
> > understand, and work with these details.
>
> > Otherwise, you must reuse existing solutions (either from Microsoft or
> > others) and not proprietary ones.
>
> > Of course, you can do all of this in an insecure manner by using less
> > secure protocols that allow passwords to be passed around, but that's
> > the usual security issue surrounding any authentication protocol,
> > proprietary or standard.
>
> > //Davidhttp://w3-4u.blogspot.comhttp://blogs.msdn.com/David.Wang
> > //- Hide quoted text -
>
> > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -
date: Tue, 6 May 2008 19:40:24 -0700 (PDT)
author: David Wang
Re: Do I have to write ISAPI Filter?
Your understanding of my question is correct and your answer solved my
problem.
Thanks
Ramesh
On May 6, 10:40 pm, David Wang wrote:
> I'm verifying my understanding -- you want users who request certain
> URLs from W1 to be transparently redirected to certain URLs on W2.
>
> You do NOT want users to authenticate to W1 be transparently
> authenticated when accessing URLs on W2.
>
> If this is correct, then simply create same IIsWebFile for each URL
> you want to redirect, set Anonymous Authentication on them, and set
> HttpRedirect on that URL to go to the desired URL on W2. No ISAPI
> Filter necessary.
>
> This means that if users accessing those certain URLs on W1 they will
> always be redirected to W2, while if they access any other URL on W1
> they will be required to do Integrated Authentication as you've
> configured.
>
> //Davidhttp://w3-4u.blogspot.comhttp://blogs.msdn.com/David.Wang
> //
>
> On May 6, 2:21 pm, "asnowf...@gmail.com" wrote:
>
>
>
> > > At this point, it is not clear to me HOW W1 is supposed to show proof
> > > of user authentication to W2 and why W2 should even trust proof of
> > > authentication from W1. There is no such thing as "bypass
> > > authentication" -- if you want to selectively bypass authentication,
> > > then you might as well turn off authentication. And since Integrated
>
> > W2 has a custom membership provider and is using LDAP server for
> > authentication, and I as you know W1 is using "Windows Integrated
> > Authentication."
> > Before redirecting the web request to W2, I do not want W1 to show any
> > login dialog box. W2 is already protected with FormBasedAuthentication
> > so that will show *custom* log-in dialog to recieive u/p, and this
> > user/password would used for look against LDAP server.
>
> > To summarize, both sites W1 and W2 are secure, and we do not want W1
> > to show Windows log-in dialog, and custom log-in dialog of W2 should
> > be the first place to recieve user's credentials.
>
> > Thanks
> > Ramesh
>
> > On May 6, 4:50 pm, David Wang wrote:
>
> > > On May 6, 8:53 am, "asnowf...@gmail.com" wrote> > > > I have a website (W1), running on IIS6, containing ASP 1.0 files,
> > > > having "Integrated Authentication", and an another website (W2) having
> > > > "Formbased Authentication". I would like to redirect from W1 to W2,
> > > > bypassing authentication, only when the URL contains few selected ASP
> > > > pages.
>
> > > > Example:http://w1.com/g1.asp --> Show "Integrated Authentication"
> > > > dialog and then load g1.asp located on
> > > > w1.com
> > > > http://w1.com/g2.asp --> Should not show "Integrated
> > > > Authentication" dialog and redirected it to
> > > > w2.com.
> > > > Authentication of W1 should get completely bypassed.
>
> > > > I am not an expect in IIS, did good amount of reading and based on
> > > > that I may have to write 'ISAPI Filter'.
> > > > Because I have ASP 1.0 files, I can not use C# classes, and I do not> > > > mind writing C.
>
> > > > Please let me know whether there are other solutions...
>
> > > > Thanks
> > > > Ramesh
>
> > > It is not advised to just jump into ISAPI Filter or whatever
> > > implementation platform without fully understanding what you are
> > > trying to write.
>
> > > You need to first define this custom "authentication protocol" and
> > > then based on the protocol sequence, determine the proper
> > > implementation technology. At this point, ISAPI Filter, C#, ASP, etc
> > > are irrelevant to the discussion. All of them are technologies that
> > > can solve problems like yours, but none of them magically help you do
> > > anything.
>
> > > At this point, it is not clear to me HOW W1 is supposed to show proof
> > > of user authentication to W2 and why W2 should even trust proof of
> > > authentication from W1. There is no such thing as "bypass
> > > authentication" -- if you want to selectively bypass authentication,
> > > then you might as well turn off authentication. And since Integrated
> > > Authentication never passes the user's password to the website, it is
> > > not clear how you can legitimately do "Forms based authentication" --
> > > proof of authentication tend to not transfer across different
> > > authentication protocols like Forms Auth and Integrated Auth without
> > > establishment of trust.
>
> > > I'm not saying this sort of thing is impossible to accomplish.
> > > However, you have to work out the details because you're assuming lots> > > of trust between entities that have no real reason to trust each
> > > other. Security cares about these details, and if you want to assemble> > > your own proprietary authentication sequence, you must know,
> > > understand, and work with these details.
>
> > > Otherwise, you must reuse existing solutions (either from Microsoft or> > > others) and not proprietary ones.
>
> > > Of course, you can do all of this in an insecure manner by using less
> > > secure protocols that allow passwords to be passed around, but that's
> > > the usual security issue surrounding any authentication protocol,
> > > proprietary or standard.
>
> > > //Davidhttp://w3-4u.blogspot.comhttp://blogs.msdn.com/David.Wang
> > > //- Hide quoted text -
>
> > > - Show quoted text -- Hide quoted text -
>
> > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -
date: Thu, 8 May 2008 12:29:34 -0700 (PDT)
author: unknown
|
|
