Can IIS perform SSO for Java webapp?

Daniel Borlean
(Msg. 1) Posted: Mon Oct 22, 2007 9:55 am
Post subject: Can IIS perform SSO for Java webapp?
Archived from groups: microsoft>public>inetserver>iis

Hi,

I've got a Java web application that is running on Tomcat and supports
Single Sign-On (SSO) by detecting a specific HTTP header with the
authenticated user id (e.g., SSO_USER: bsmith). On IIS, I've installed the
ISAPI_Redirect.dll filter to connect IIS to Tomcat so the user can execute
the Java web app through IIS.

I configured IIS V6.0 on Windows Server 2003 to enable "Integrated Windows
authentication" and disable "Anonymous access", and I've configured my IE web
browser with the "Automatic logon with current username and password" setting
in the User Authentication Security Settings section.

The integrated Windows authentication is working well from IE to IIS, but my
Java webapp is not detecting the authenticated user and I don't know how to
configure IIS to pass the user's login id as an HTTP header to the Java
webapp. Can this behavior be configured in IIS natively, or even with a
third-party utility?

One HTTP header I noticed while monitoring the HTTP exchanges between the
browser and Tomcat server was the following:
authorization = Negotiate <long string>

I'm assuming that the <long string> text (which appears to be base64
encoded, e.g., TIRMTVNTUAADAAA.....) would contain the authentication
information of the current user, but may also be encrypted or be in a
specific format that my Java webapp does not understand.

Thanks,
Daniel

PS I've also got a Firefox web browser to be able to authenticate to the
IIS server by configuring its "network.negotiate-auth.trusted-uris"
preference.

Pat [MSFT]
(Msg. 2) Posted: Mon Oct 22, 2007 2:08 pm
Post subject: Re: Can IIS perform SSO for Java webapp?

Integrated Windows Auth is NTLM, which does not support multi-hop authentication -
meaning that authenticating with the front-end will not proxy authentication
downstream. Basic Authentication will make the IIS server the
authenticated user (Basic Auth requires a log-in local permission) which can
be handled by a form-based login or a pop-up and passed downstream. This is
why OWA has a login screen.


Pat


"Daniel Borlean" <Daniel Borlean RemoveThis @discussions.microsoft.com> wrote in message
news:0C4BD7AE-4657-4F75-B6EF-2DABB32641B8@microsoft.com...
> Hi,
>
> I've got a Java web application that is running on Tomcat and supports
> Single Sign-On (SSO) by detecting a specific HTTP header with the
> authenticated user id (e.g., SSO_USER: bsmith). On IIS, I've installed the
> ISAPI_Redirect.dll filter to connect IIS to Tomcat so the user can execute
> the Java web app through IIS.
>
> I configured IIS V6.0 on Windows Server 2003 to enable "Integrated Windows
> authentication" and disable "Anonymous access", and I've configured my IE web
> browser with the "Automatic logon with current username and password" setting
> in the User Authentication Security Settings section.
>
> The integrated Windows authentication is working well from IE to IIS, but my
> Java webapp is not detecting the authenticated user and I don't know how to
> configure IIS to pass the user's login id as an HTTP header to the Java
> webapp. Can this behavior be configured in IIS natively, or even with a
> third-party utility?
>
> One HTTP header I noticed while monitoring the HTTP exchanges between the
> browser and Tomcat server was the following:
> authorization = Negotiate <long string>
>
> I'm assuming that the <long string> text (which appears to be base64
> encoded, e.g., TIRMTVNTUAADAAA.....) would contain the authentication
> information of the current user, but may also be encrypted or be in a
> specific format that my Java webapp does not understand.
>
> Thanks,
> Daniel
>
> PS I've also got a Firefox web browser to be able to authenticate to the
> IIS server by configuring its "network.negotiate-auth.trusted-uris"
> preference.

Daniel Borlean
(Msg. 3) Posted: Mon Oct 22, 2007 4:12 pm
Post subject: Re: Can IIS perform SSO for Java webapp?

Thanks for the info. Actually, after much trial and error, I discovered the
solution:

Use the ISAPI_Rewrite filter with the following httpd.conf configuration:
RewriteEngine on
RewriteCond %{REMOTE_USER} TEST\\(.*)
RewriteHeader SSO_USER: .* %1

This ISAPI filter parses out the userid from the REMOTE_USER server variable
(after the "TEST\" domain portion) and adds the custom SSO_USER HTTP header
to the request to the Java webapp that now knows who the authenticated user
is. This, I'm assuming, only works with Integrated Windows Authentication.
David Wang
(Msg. 4) Posted: Tue Oct 23, 2007 3:31 am
Post subject: Re: Can IIS perform SSO for Java webapp?

On Oct 22, 4:12 pm, Daniel Borlean
<DanielBorl... RemoveThis @discussions.microsoft.com> wrote:
> Thanks for the info. Actually, after much trial and error, I discovered the
> solution:
>
> Use the ISAPI_Rewrite filter with the following httpd.conf configuration:
> RewriteEngine on
> RewriteCond %{REMOTE_USER} TEST\\(.*)
> RewriteHeader SSO_USER: .* %1
>
> This ISAPI filter parses out the userid from the REMOTE_USER server variable
> (after the "TEST\" domain portion) and adds the custom SSO_USER HTTP header
> to the request to the Java webapp that now knows who the authenticated user
> is. This, I'm assuming, only works with Integrated Windows Authentication.


Your solution works with any standard Authentication protocol
supported by IIS which populates those server variables.

For your situation, Windows Authentication will populate REMOTE_USER
with the Windows username, which you then remap with the ISAPI Filter
to SSO_USER: request header and have that resulting request be proxied
by isapi_redirect.dll to Java.

For Windows Authentication, you will find LOGON_USER more
representative of the actual user that IIS logged on to execute the
request (which is what gets proxied by isapi_redirect.dll).
REMOTE_USER and AUTH_USER are parsed from the HTTP request header and
do not account for ISAPI Filter CustomAuth modifications.

FYI: your scheme works... but is actually very insecure, but that is
the nature of patch-work SSO solutions that cross multiple
authentication protocols. Secure SSO solutions would never allow an
ISAPI Filter to do the man-in-the-middle attack that forms the basis
of your solution.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
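
An added example, not part of the thread and not ISAPI_Rewrite or IIS code: a Python model of the REMOTE_USER to SSO_USER mapping from Msg. 3 and Msg. 4, showing the property a header-based scheme has to enforce at the front end, namely that SSO_USER reaches the webapp only from the identity the web server authenticated. The function names, the user-id character whitelist and the sample requests are assumptions; the TEST domain and the header name come from the thread.

```python
import re

# From the thread: domain "TEST" and header SSO_USER. Everything else here
# (function names, the user-id whitelist, the sample requests) is assumed.
TRUSTED_DOMAIN = "TEST"
IDENTITY_HEADER = "SSO_USER"
_USER_RE = re.compile(r"%s\\([A-Za-z0-9._-]{1,64})" % re.escape(TRUSTED_DOMAIN), re.I)


def _canon(name):
    """Fold case and treat '-' like '_' so SSO-User and sso_user compare equal."""
    return name.strip().lower().replace("-", "_")


def map_identity(logon_user):
    """Bare user id for TEST\\user (whole string must match), else None."""
    m = _USER_RE.fullmatch(logon_user or "")
    return m.group(1) if m else None


def build_upstream_headers(inbound_headers, logon_user):
    """Headers the front end forwards to the webapp.

    Inbound copies of the identity header are always dropped; the header is
    then set only from the identity the web server itself authenticated.
    """
    upstream = [(k, v) for k, v in inbound_headers
                if _canon(k) != _canon(IDENTITY_HEADER)]
    user = map_identity(logon_user)
    if user is not None:
        upstream.append((IDENTITY_HEADER, user))
    return upstream


def identity_seen_by_backend(upstream_headers):
    """Value the webapp would read; duplicate identity headers are an error."""
    values = [v for k, v in upstream_headers if _canon(k) == _canon(IDENTITY_HEADER)]
    if len(values) > 1:
        raise ValueError("ambiguous identity header")
    return values[0] if values else None


# Constructed sample requests: (inbound headers, server-side logon user).
SAMPLES = [
    ([("Host", "intranet.example"), ("sso-user", "someone")], "TEST\\bsmith"),
    ([("Host", "intranet.example"), ("SSO_USER", "someone")], "OTHER\\jdoe"),
]

if __name__ == "__main__":
    for headers, logon in SAMPLES:
        print(logon, "->", identity_seen_by_backend(build_upstream_headers(headers, logon)))
```

The model only covers the front end's header handling; the webapp can rely on the header only if it accepts requests from nowhere but that front end.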