HOWTO: Install and Use CustomAuth on IIS 6

re: HOWTO: Install and Use CustomAuth on IIS 6

Vlad — Mon, 06 Feb 2006 00:33:34 GMT

David, are the other options to rewrite or simulate what CustomAuth does in .NET? One example would be for SharePoint Single Sign On solution. Since SPS has their own ISAPI filter to manage url, what customers are doing is using CustAuth to intercept calls before SPS. Any other approaches besides writing it in C++?
Thanks a lot.

re: HOWTO: Install and Use CustomAuth on IIS 6

David.Wang — Mon, 06 Feb 2006 03:28:19 GMT

Vlad - You cannot do what CustomAuth does with .NET and IIS6.

CustomAuth simply provides you a way to use a URL-based Form to retrieve username/password which is converted to a NT User Token on the server and assigned to IIS for use on a given request.

.NET has no way to assign a NT User Token to IIS. You may be able to do this with HttpModules for purely managed resources, but there is no way to provide CustomAuth behavior using managed code.

The ability to fully extend server behavior using both native and managed code is something we are doing in IIS7.

This seems like something interesting to clarify with examples. I am soliciting for questions/analysis of SharePoint/IIS customization:
http://blogs.msdn.com/david.wang/archive/2006/02/05/HOWTO_Sharepoint_and_CustomAuth_Part_1_Soliciting_Questions.aspx

//David

re: HOWTO: Install and Use CustomAuth on IIS 6

Richard — Mon, 06 Feb 2006 22:55:24 GMT

I am using CustomAuth.dll as ISAPI filter for form authentication in SharePoint Portal server. It works fine. But after a iisreset somehow the authentication doesn't work anymore. I get the an error: "You cannot view this area, either because the area no longer exists or because you do not have the rights to view this area".

Do you have any suggestion?

Thank you in advance

re: HOWTO: Install and Use CustomAuth on IIS 6

Han Chaal — Tue, 07 Feb 2006 05:03:44 GMT

Greetings Richard,

The reason you got the error was because you must turn off Anonymous Access BEFORE resetting IIS. This bug is inherent with IIS6 and no, there is no patch for it to the best of my knowledge.

The only way around this is to goto IIS and disable Anonymous Access for all the sites, then reset IIS, and then re-enable Anonymous Access. Some users do not encounter this problem for some reason which is why this bug is not readily apparant.

re: HOWTO: Install and Use CustomAuth on IIS 6

David.Wang — Tue, 07 Feb 2006 15:37:14 GMT

Richard - do not use IISRESET on IIS6. You should never need to use it on IIS6, and it does bad things to IIS6 including possibility of corrupting configuration. Please describe WHY you are using IISRESET, and whether you are running in IIS5 Compatibility Mode or IIS6 Worker Process Isolation Mode

Han - Can you give definitive steps to reproduce the issue? Without definitive repro steps, I can tell you that it will *never* be patched. In other words, since software is a creative process, without user feedback, issues will never be addressed and you simply have to live within your own silence.

I suspect that something simpler explains what you are seeing, but it cannot be diagnosed unless it can be readily reproduced.

Right now, one thing I am considering is if Integrated authentication is in use across a worker process recycle because that can lead to loss of authentication/rights to a website without the client noticing. But that is a known condition.

//David

re: HOWTO: Install and Use CustomAuth on IIS 6

Richard — Tue, 07 Feb 2006 20:45:58 GMT

Thank you, Han and David.
You are right. I Do not need resset IIS. The only reason I use iisreset is that it can reproduce the problem. In my case, after I configure the CustomAuth, it works fine. However, I always got same error message the next day. It means I have to reset IIS every day to get CustomAuth to work.
By the way, IIS is running in IIS6 Worker Process Isolation Mode ("Run WWW service in IIS 5.0 isolation mode" is unchecked), and ASP.Net is 1.1.4322.

Thank you again,

Richard

re: HOWTO: Install and Use CustomAuth on IIS 6

Han Chaal — Fri, 10 Feb 2006 10:04:12 GMT

Greetings David Wang,

The reason I reset IIS was to reload the web.config file for that site as I had made changes to the SafeControl Assemblies for my custom web parts. To the best of my knowledge that is the only way to reload the web.config file?

But I agree that resetting IIS should only be done as a last-resort. If anyone has a better way please let me know.

Best Regards
Harnam S Chaal

re: HOWTO: Install and Use CustomAuth on IIS 6

Akif — Mon, 27 Feb 2006 10:08:57 GMT

Hi David Wang

I m using a wild card ISAPI extension with SPS. It is working properly but when I reset IIS, it generates an exception in its CHttpServer::GetExtensionVersion method and I have to first remove it, then start SPS and then again register it and it works fine then.

So is there any way to avapod this entire cycle again and again or it is the prob at my side.

Regards and Thanx,
Syed Akif kamal

re: HOWTO: Install and Use CustomAuth on IIS 6

David.Wang — Mon, 27 Feb 2006 10:44:40 GMT

Akif - the problem has to be with your ISAPI Extension DLL since IIS is simply loading/invoking the ISAPI and the ISAPI is responsible for handling whatever environment it is placed in. Your workaround illustrates that your ISAPI has some problem with the environment; you have to figure out what it is.

My guess is that SPS uses one version of the .Net Framework in the process while your ISAPI DLL triggers code requiring another .Net Framework version to load... which fails due to the well-known CLR Versioning issue.

You will have to debug GetExtensionVersion of your ISAPI DLL to figure out what is going on. This is easy to do using:
"sx e ld <module name>"
with the debuggers in the the freely available Microsoft Debugging Toolkit.

//David

re: HOWTO: Install and Use CustomAuth on IIS 6

Akif — Tue, 28 Feb 2006 09:15:30 GMT

Thanx for ur reply.

Actually I m calling managed Assemblies of SPS from the ISAPI. So if these assemblies are not loaded before hand, my ISAPI fails to load them. Is there any workaround, a proper one :)

Regards and thanx
Syed Akif Kamal

re: HOWTO: Install and Use CustomAuth on IIS 6

Rasmus Foged — Mon, 13 Mar 2006 10:50:05 GMT

Just wanted to share that you can use .NET to make what customauth does. But this does not apply to Sharepoint - only .NET/classical ASP solutions.

You will need the activets library and a custom HttpHandler, map all request to your handler and write the token so IIS interpets the handle.

/Foged

re: HOWTO: Install and Use CustomAuth on IIS 6

David.Wang — Mon, 13 Mar 2006 12:00:41 GMT

Rasmus - I do not think what you are describing is comparable to what CustomAuth does.

CustomAuth calls LogonUser with the username/password to get a NT User Token, and then calls HSE_REQ_EXEC_URL with the NT User Token to change the Impersonation Token IIS uses to execute the remainder of the request.

The only ways to modify the IIS Impersonation Token are through authentication protocol, ISAPI Filter subscribing to either SF_NOTIFY_PREPROC_HEADERS, SF_NOTIFY_AUTHENTICATION, or SF_NOTIFY_AUTH_COMPLETE event, or ISAPI Extension calling HSE_REQ_EXEC_URL. No .Net library can call any of these functions.

I can believe that your component changes the thread token that remains in effect for the remainder of the .Net request, but it is in no way similar to the what CustomAuth does. If it was real, then it would also apply to Sharepoint (like CustomAuth) because Sharepoint is merely a .NET solution.

//David

re: HOWTO: Install and Use CustomAuth on IIS 6

Mark — Thu, 06 Apr 2006 20:39:04 GMT

David - You last post seems to seems to contradict another post you made awhile back on another topic. (I'm certain I'm just not quite understanding something)...

your last post replying to Rasmus Foged on Monday, March 13, 2006 5:00 AM, you say "No .Net library can call any of these functions." referring to 'HSE_REQ_EXEC_URL' along with a number of other functions.

But how then does the DefaultHttpHandler in IIS6 (with ASP.Net 2.0) call 'HSE_REQ_EXEC_URL' as you mention in your other thread post at:

http://blogs.msdn.com/david.wang/archive/2005/08/29/HOWTO_Protect_non_dotNET_content.aspx

The specific post I'm referring to was made on:
Monday, October 24, 2005 9:41 PM

I know it's a little off topic, Sorry,

--Mark

re: HOWTO: Install and Use CustomAuth on IIS 6

David.Wang — Fri, 07 Apr 2006 03:29:31 GMT

Mark - What I mean is that:
1. Microsoft does not provide any .Net library nor managed code to directly call those native code functions.
2. Microsoft does provide limited and wrapped access to those native code functions from managed code (for example, DefaultHttpHandler is indirect way for User to control pszUrl of HSE_REQ_EXEC_URL - ASP.Net ISAPI DLL is mapping between User's Managed Code modules and ISAPI, so it translates the String returned by DefaultHttpHandler into pszUrl on its internal HSE_REQ_EXEC_URL call. But, User Managed Code module STILL has no way to set any other HSE_REQ_EXEC_URL properties like request header, entity body, user token...)
3. It's just code, so User can always write native/managed interop to allow Managed code access to those native code functions.

Most users cannot do #3, so it is easier for me to say "No .Net library can call any of these functions." than "Microsoft does not provide any .Net library to call those functions". Because if I do, the next User question would be "since you did not say it is impossible, how do I do that with managed code"... and that would be opening a Pandora's Box of questions and design details beyond most people's comfort level.

In other words, if you are not satisfied with #2, you will either have to wait for us to change #1 (in IIS7), or you will need to figure out how to do #3 yourself.

//David

re: HOWTO: Install and Use CustomAuth on IIS 6

Mark — Fri, 07 Apr 2006 17:55:03 GMT

Great explanation, thanks for clearing that up for me.
--Mark

re: HOWTO: Install and Use CustomAuth on IIS 6

Ramon — Fri, 07 Jul 2006 13:37:52 GMT

Hi David,

i'm trying to use CustomAuth with my SPS and I'm having some problems. After I have readed your topic I have achieved to see the built-in logon page when requesting a page. My problem is when I push de "Log On" Button, then browser is redirected to "\Logon" and a 404 Error is displayed. This seems like CustomAuth.dll is not intercepting this Page. Can you help me?

Thanks in advanced

re: HOWTO: Install and Use CustomAuth on IIS 6

Ramon Espuga — Fri, 07 Jul 2006 16:14:20 GMT

Hi,

I'm here another time. Finally seems that I have solved the 404 error. I think the problem was with IISRESET bug or with Exclude Path.

The problem now is that I cannot enter into Sharepoint, I'm pushing the submit button and the Logon.htm page displays another time. I don't know if CustomAuth.dll is validating me or not, is there any way to debug the process or to see where is the problem?

re: HOWTO: Install and Use CustomAuth on IIS 6

Ramon Espuga — Tue, 18 Jul 2006 09:22:09 GMT

Hi David,

finally CuastomAuth is working in my development environment, but not in my real server. But this is not the question this time. Now I'm trying to make a redirection back to the user's requested page before the authentication and I'm not sure how to make it. Can you help me?

re: HOWTO: Install and Use CustomAuth on IIS 6

Tom — Fri, 21 Jul 2006 17:45:05 GMT

I have never been able to get this option to work any assitance would be helpful.
I installed the ISAPI Filter and set Mapping for the IIS extensions and webservices extensions.
I set the appropriate settings and paths in the .ini file.

Yet when I go to the portal site I still get the default login prompt from IIS and it also apears to block me from other items even after I have logged in. so I get 2 prompts and the second no longer works.

re: HOWTO: Install and Use CustomAuth on IIS 6

David.Wang — Fri, 21 Jul 2006 22:01:03 GMT

Tom - Since we are talking about security and it is completely custom, every single detail has to be perfect or else it won't work. Please re-read the blog entry to understand and follow all details because that is all you need to get CustomAuth to work with default IIS.

For example, CustomAuth *requires* ONLY Anonymous authentication to be enabled, any custom portal applications *must* work with ONLY anonymous authentication enabled, but all protected resources must DENY the anonymous user access.

You may need to do additional steps to get other applications on IIS to work with it, but since the application is arbitrary, the steps are also arbitrary.

//David

re: HOWTO: Install and Use CustomAuth on IIS 6

Johnny — Wed, 05 Dec 2007 00:43:45 GMT

Windows Authentication & CustomAuth

I am struggeling to find a solution to my fairly basic problem. On the global intranet site I am developing the authentication is done using Windows Authentication and Active Directory groups. Our company has a desk sharing policy and in some cases multiple users share 1 PCs. My website would then require all these users to constantly be logging in and out. I looked at the CustomAuth Extension in Detail, to me this looks like all users would then have to type in username and password.

Ideally I would like to have a start page which has 2 links:

1. Login with current Windows User

2. Login as a different User

When 1. is pressed the current Windows credentials would be used without any manual typing. When 2. is pressed a page (or pop-up) appears where the credentials can be entered manually.

This solution would solve many of my issues:

- if a user with auth is sitting at the PC of a user without auth, then the credentials can be entered of the user who has access

- my app has 2 types of user: normal & admin....hence if an admin user is sitting at the PC of a non admin user, then the admin can enter the required credentials

I have looked all over and find many people looking to solve the same issue as me, but with no solution around. There are some 'dirty' work arounds, like starting IE using the 'RunAs' command, changing the IE settings to prompt for all sites, and so forth.

Is there a way to achieve my goal of offering my users maximum comfort & flexibility with IIS6.0?

Will there be an easy way to achieve this in IIS 7.0? Is there an official date for release yet?

Many thanks, I hope this blog is still being used.

Regards

Johnny

re: HOWTO: Install and Use CustomAuth on IIS 6

Tim Mansell — Wed, 23 Jul 2008 19:31:36 GMT

Hi David,

I will most likely need to use this functionality within IIS7, can you confirm whether CustomAuth will work with IIS7.

Thanks,

Tim

re: HOWTO: Install and Use CustomAuth on IIS 6

David.Wang — Sat, 26 Jul 2008 12:44:02 GMT

Johnny - your requirements actually have nothing to do with IIS. You want the browser to perform such logins patterns.

IIS will accept the login no matter how the user clicked the button.

//David