Welcome to MobyThreads.com!
FAQFAQ      ProfileProfile    Private MessagesPrivate Messages   Log inLog in
All support for the MobyThreads Threaded phpBB MOD can now be found on welsolutions at this forum

ISAPI problem OnAuthentication

  
   Web Hosting and Web Master Forums (Home) -> IIS RSS
Next:  many IISs on one server (storage system)  
Author Message
ori

External


Since: Oct 05, 2004
Posts: 2



(Msg. 1) Posted: Tue Oct 05, 2004 6:33 am
Post subject: ISAPI problem OnAuthentication
Archived from groups: microsoft>public>inetserver>iis (more info?)
Hi all

First of all, let me expose the problem:

We have a SharePoint server under IIS, the access to the site is
filtered by Netegrity SiteMinder ISAPIWebAgent ISAPI filter that
checks wether the user has a valid certificate for accessing the site.
After this, I need to pass SharePoint a windows account so I activate
Basic Authentication on the site. The problem we have is that
siteminder ISAPI filter clears Basic Authentication login information
and the behaviour we see is that we can't pass the login form, if we
enable Anonymous Access, I can see in the Request that siteminder has
changed AUTH_USER and AUTH_PASSWORD parameters so this is why I think
that later when I enable Basic Authentication it fails.

What I'm trying to do:

I've created a new Authentication ISAPI filter that simply provides a
valid user login at runtime
(something like:
  strcpy(pAuthent->pszUser, "<valid_user>");
  strcpy(pAuthent->pszPassword, "<valid_pass>");
)
so fixing login information so that if siteminder changes it before,
then I provide a valid one (hardcoded, I know).

What happens:

It seems that SiteMinder ISAPI filter executes before and after
processing the OnAuthentication event may return with
SF_STATUS_REQ_HANDLED_NOTIFICATION code because my custom ISAPI filter
doesn't get executed. If I change ISAPI filter execution order and
execute my filter first should work ??

This is the problem, I'd like to know if there's a better way to solve
it that I haven't thought about, also if not, how can I get my ISAPI
filter executed after the SiteMinder one even if the later returns
handled notification or if executing my filter first will solve it
(remember that SiteMinder apparently clears login info when it
executes)

Any help will be really appreciated, I don't know what else to try to
solve this, thx in advance.

ori<!-- ~MESSAGE_AFTER~ -->

 >> Stay informed about: ISAPI problem OnAuthentication 
Back to top
Login to vote
someone9

External


Since: Aug 25, 2003
Posts: 2419



(Msg. 2) Posted: Wed Oct 06, 2004 12:38 am
Post subject: Re: ISAPI problem OnAuthentication [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
What do you actually want to do, and what IIS version are we talking about.

It sounds like you have an identity whose credentials you first verify with
Netegrity. If it succeeds, then you want to map that identity to a Windows
account so that Sharepoint works.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"ORi" <ori DeleteThis @bbs-ce.uab.es> wrote in message
news:73b37c5e.0410050233.6aab8d41@posting.google.com...
Hi all

First of all, let me expose the problem:

We have a SharePoint server under IIS, the access to the site is
filtered by Netegrity SiteMinder ISAPIWebAgent ISAPI filter that
checks wether the user has a valid certificate for accessing the site.
After this, I need to pass SharePoint a windows account so I activate
Basic Authentication on the site. The problem we have is that
siteminder ISAPI filter clears Basic Authentication login information
and the behaviour we see is that we can't pass the login form, if we
enable Anonymous Access, I can see in the Request that siteminder has
changed AUTH_USER and AUTH_PASSWORD parameters so this is why I think
that later when I enable Basic Authentication it fails.

What I'm trying to do:

I've created a new Authentication ISAPI filter that simply provides a
valid user login at runtime
(something like:
strcpy(pAuthent->pszUser, "<valid_user>");
strcpy(pAuthent->pszPassword, "<valid_pass>");
)
so fixing login information so that if siteminder changes it before,
then I provide a valid one (hardcoded, I know).

What happens:

It seems that SiteMinder ISAPI filter executes before and after
processing the OnAuthentication event may return with
SF_STATUS_REQ_HANDLED_NOTIFICATION code because my custom ISAPI filter
doesn't get executed. If I change ISAPI filter execution order and
execute my filter first should work ??

This is the problem, I'd like to know if there's a better way to solve
it that I haven't thought about, also if not, how can I get my ISAPI
filter executed after the SiteMinder one even if the later returns
handled notification or if executing my filter first will solve it
(remember that SiteMinder apparently clears login info when it
executes)

Any help will be really appreciated, I don't know what else to try to
solve this, thx in advance.

ori

 >> Stay informed about: ISAPI problem OnAuthentication 
Back to top
Login to vote
ori

External


Since: Oct 05, 2004
Posts: 2



(Msg. 3) Posted: Wed Oct 06, 2004 10:35 am
Post subject: Re: ISAPI problem OnAuthentication [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Yep, that's more less what I'm actually trying to do. I validate a
given credentials with Netegrity, then I enable Basic Authentication
on the site. When trying to access the site, the login popup appears
and I enter the login information with a valid windows account, it
seems that after that, on the OnAuthentication event the SiteMinder
ISAPIWebManager filter resets the entered login information and after
doing the request, the login popup appears again because it can't
login with SiteMinder updated info. So the behaviour is that when I
enable Basic Authentication and SiteMinder on the site, I can't pass
the login popup for Basic Authentication.

The server runs IIS 6.0

thx in advance,
ori

"David Wang [Msft]" <someone RemoveThis @online.microsoft.com> wrote in message news:<ORhucC2qEHA.3848 RemoveThis @TK2MSFTNGP14.phx.gbl>...
 > What do you actually want to do, and what IIS version are we talking about.
 >
 > It sounds like you have an identity whose credentials you first verify with
 > Netegrity. If it succeeds, then you want to map that identity to a Windows
 > account so that Sharepoint works.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: ISAPI problem OnAuthentication 
Back to top
Login to vote
someone9

External


Since: Aug 25, 2003
Posts: 2419



(Msg. 4) Posted: Thu Oct 07, 2004 2:33 am
Post subject: Re: ISAPI problem OnAuthentication [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
So, the problem you are describing here is that SiteMinder is incompatible
with any other authentication methods.

First, you need to make sure that SiteMinder is completely unable to work
with any standard authentication method on IIS.

If the SiteMinder ISAPI sets incorrect credentials in its OnAuthentication
event, returns "handled", and IIS is set to require authentication, then you
have no alternatives since SiteMinder is quite intentionally getting in your
way of implementing any workaround.

In the above scenario, if you set IIS to not require authentication (i.e.
only anonymous authentication is enabled), you can work around SiteMinder by
using a customized version of the CustomAuth sample ISAPI from the IIS
Platform SDK to set the Windows account impersonated by IIS for the request
(i.e. roughly the same thing that you can do with Basic+OnAuthentication in
an ISAPI Filter, except it requires anonymous authentication to work).

<a style='text-decoration: underline;' href="http://www.microsoft.com/msdownload/platformsdk/sdkupdate/default.htm" target="_blank">http://www.microsoft.com/msdownload/platformsdk/sdkupdate/default.htm</a>

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"ORi" <ori.DeleteThis@bbs-ce.uab.es> wrote in message
news:73b37c5e.0410060635.29f3d6b3@posting.google.com...
Yep, that's more less what I'm actually trying to do. I validate a
given credentials with Netegrity, then I enable Basic Authentication
on the site. When trying to access the site, the login popup appears
and I enter the login information with a valid windows account, it
seems that after that, on the OnAuthentication event the SiteMinder
ISAPIWebManager filter resets the entered login information and after
doing the request, the login popup appears again because it can't
login with SiteMinder updated info. So the behaviour is that when I
enable Basic Authentication and SiteMinder on the site, I can't pass
the login popup for Basic Authentication.

The server runs IIS 6.0

thx in advance,
ori

"David Wang [Msft]" <someone.DeleteThis@online.microsoft.com> wrote in message
news:<ORhucC2qEHA.3848.DeleteThis@TK2MSFTNGP14.phx.gbl>...
 > What do you actually want to do, and what IIS version are we talking
about.
 >
 > It sounds like you have an identity whose credentials you first verify
with
 > Netegrity. If it succeeds, then you want to map that identity to a
Windows
 > account so that Sharepoint works.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: ISAPI problem OnAuthentication 
Back to top
Login to vote
Display posts from previous:   
Related Topics:
Problem with IIS 6.0 and ISAPI WriteClient() - Hi, We use ISAPI WriteClient API to write multiple buffers to be sent to the client. We are calling the WriteClient API in a loop. This implementation works very fast with the IIS 5.0, but with IIS 6.0 the performance is very slow. We have noticed that....

ISAPI Filter Problem in IIS 6.0 - Hi, I have an ISAPI Filter DLL which worked just fine on IIS 5.0, and fails to work on IIS 6.0 (unless I use the 5.0 isolation mode). From all the documentation I've seen, this should happen only when registering for the READ_RAW_DATA event, yet my DLL..

IIS 6.0 Isapi problem (works in IIS 5.0) - I have an ISAPI application which works on IIS 5.0. On 6.0 I get the following behavior. I can build the DLL, start the IIS Service, and Browse the application from IIS Admin (or IE). If I restart IIS from the Service control panel and then go to..

Problem with ISAPI filter on IIS 6.0 - Hi everyone, I have an ISAPI filter writen for IIS 5.0. It does not work correctly on IIS 6.0. It uses SF_NOTIFY_SEND_RAW_DATA. According to Microsoft, I change IIS from worker process isolation mode to IIS 5.0 isolation mode. Still not working, even..

ISAPI DLL and IIS 5.0 on Windows 2000 Problem - Hello , I am presently working on ISAPI DLL using IIS5.0 on Windows 2000 along with VC++6.0/MFC. I am following TN063 given in MSDN , which also says to attach the inetinfo process , but it does not lead me to anywhere . Here are the steps...
   Web Hosting and Web Master Forums (Home) -> IIS All times are: Pacific Time (US & Canada) (change)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



[ Contact us | Terms of Service/Privacy Policy ]