IIS Authentication Providers
Timothy J. Bruce 2004-11-28, 2:47 am
Greetings:
You can call me crazy if you like, but I would like to create an additional
authentication provider for IIS. I would like IIS to throw a 300 response
(thus bringing up the ever famous `porn challenge') and resolve the
plain-text supplied credentials using my library instead of the system's. I
am not interested in the System.Web.Security.HttpHandler Dot Net class.
The metabase key NTAuthenticationProviders seems like the place to look,
perhaps changing it from (for example) `Negotiate, NTLM' to simply `Foo'. I
was, unfortunately, unable to find much data on the
NTAuthenticationProviders key. The description of this key
(http://msdn.microsoft.com/library/e...authenticationproviders.asp?frame=true)
doesn't define the semantics, merely the syntax.
I know `Negotiate' invokes Kerberos and `NTLM' invokes LanMan, but I also
know there is no mention of `Negotiate' in my
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa' key. I can write
a kernel-mode Authentication Provider, but I would prefer not to. I really
do not understand this key beyond where it is found, and the two values
discussed.
To create a new AP for use by IIS, must I create a kernel-mode SSP/AP, or is
there a trick to have IIS invoke a user-mode AP?
Where do I specify that package, in the NTAuthenticationProviders metabase
key?
Again, my goal is to write a new Authentication Package for IIS. People
that answer with `Just use Digest' (or what-ever) are not helping.
Respectfully,
Timothy J. Bruce
uniblab@hotmail.com
</RANT>
David Wang [Msft] 2004-11-29, 7:51 am
NTAuthenticationProviders is not an extensibility point nor what you are
looking for. You want to implement a new authentication protocol, not
extend an existing one. As soon as you said "throw a 300 response", it
eliminated NTAuthenticationProviders.
Instead, write an ISAPI Filter to do your own custom Authentication scheme,
and turn off authentication in IIS so that you have complete control. Lots
of such filters have been written, some are for purchase, and you are always
free to write your own.
For help, first read MSDN documentation. Community newsgroup support can be
found at:
microsoft.public.platformsdk.internet.server.isapi-dev
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Timothy J. Bruce" <uniblab@hotmail.com> wrote in message
news:_sfqd.167$925.24247@news1.epix.net...
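To make David's suggestion concrete, here is an added example (not code from the thread, from IIS, or from either poster) of the decision core of a custom Basic-auth ISAPI filter of the kind he describes, with IIS's own authentication switched off so the filter owns the decision. The portable part parses an `Authorization: Basic` header, base64-decodes it, and checks the pair against the filter's own credential store; the store here is a constructed in-memory table standing in for the LDAP or database lookup the original poster wants. The `#ifdef _WIN32` part is the ISAPI glue that calls it from `SF_NOTIFY_PREPROC_HEADERS` and answers `401` with a `WWW-Authenticate` challenge on failure; on success it simply lets the request continue, so IIS serves it as the site's anonymous account, which is the behaviour the poster asks for. The user names, passwords, realm and filter description are all assumptions made up for the example.

```c
/*
 * Added example: credential-checking core for a custom Basic-auth ISAPI
 * filter. The CREDS table is constructed test data, not a real store.
 * Build on Windows as a DLL exporting GetFilterVersion/HttpFilterProc;
 * the portable part below also compiles and runs on any C99 toolchain.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUTH_OK        0   /* credentials matched: let the request through   */
#define AUTH_NO_HEADER 1   /* no Authorization header / not Basic: challenge  */
#define AUTH_BAD       2   /* malformed or wrong credentials: challenge       */

/* Constructed in-memory store; replace with the LDAP "Person" lookup. */
static const struct { const char *user; const char *pass; } CREDS[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

/* Decode standard base64 (no line breaks) into out; returns length or -1. */
static int b64_decode(const char *in, unsigned char *out, size_t outcap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;                     /* reject anything outside the alphabet */
        acc = (acc << 6) | (uint32_t)(p - tbl); bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;        /* caller's buffer too small */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* Compare two C strings without early exit on the first differing byte. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned)(a[i] ^ b[i % (lb ? lb : 1)]);
    return diff == 0;
}

/* Evaluate a raw Authorization header value such as "Basic dXNlcjpwYXNz".
 * On AUTH_OK the matched user name is copied to user_out (if non-NULL). */
int check_authorization(const char *hdr, char *user_out, size_t user_cap) {
    static const char scheme[] = "basic ";
    unsigned char buf[512]; int len, ok = 0; char *colon;
    if (!hdr) return AUTH_NO_HEADER;
    for (size_t i = 0; scheme[i]; i++)         /* case-insensitive scheme match */
        if (!hdr[i] || tolower((unsigned char)hdr[i]) != scheme[i])
            return AUTH_NO_HEADER;
    hdr += sizeof scheme - 1;
    while (*hdr == ' ') hdr++;
    len = b64_decode(hdr, buf, sizeof buf - 1);
    if (len <= 0 || memchr(buf, 0, (size_t)len)) return AUTH_BAD; /* empty or NUL inside */
    buf[len] = 0;
    colon = strchr((char *)buf, ':');
    if (!colon) return AUTH_BAD;               /* RFC 2617 requires user:pass */
    *colon = 0;
    /* Scan the whole table so timing does not reveal which user names exist. */
    for (size_t i = 0; i < sizeof CREDS / sizeof CREDS[0]; i++)
        ok |= ct_equal((char *)buf, CREDS[i].user) & ct_equal(colon + 1, CREDS[i].pass);
    if (!ok) return AUTH_BAD;
    if (user_out && user_cap) {
        strncpy(user_out, (char *)buf, user_cap - 1);
        user_out[user_cap - 1] = 0;
    }
    return AUTH_OK;
}

#ifdef _WIN32
#include <windows.h>
#include <httpfilt.h>

BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer) {
    pVer->dwFilterVersion = HTTP_FILTER_REVISION;
    strncpy(pVer->lpszFilterDesc, "Custom Basic auth filter (example)", SF_MAX_FILTER_DESC_LEN);
    /* Run early, on both ports, and see headers before IIS would authenticate. */
    pVer->dwFlags = SF_NOTIFY_ORDER_HIGH | SF_NOTIFY_SECURE_PORT |
                    SF_NOTIFY_NONSECURE_PORT | SF_NOTIFY_PREPROC_HEADERS;
    return TRUE;
}

DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD type, LPVOID pv) {
    if (type != SF_NOTIFY_PREPROC_HEADERS) return SF_STATUS_REQ_NEXT_NOTIFICATION;
    HTTP_FILTER_PREPROC_HEADERS *ph = (HTTP_FILTER_PREPROC_HEADERS *)pv;
    char hdr[1024]; DWORD cb = sizeof hdr;
    if (!ph->GetHeader(pfc, "Authorization:", hdr, &cb)) hdr[0] = 0;
    if (check_authorization(hdr, NULL, 0) == AUTH_OK)
        return SF_STATUS_REQ_NEXT_NOTIFICATION;   /* IIS continues as the anonymous account */
    pfc->ServerSupportFunction(pfc, SF_REQ_SEND_RESPONSE_HEADER, "401 Unauthorized",
        (ULONG_PTR)"WWW-Authenticate: Basic realm=\"members\"\r\n\r\n", 0);
    return SF_STATUS_REQ_FINISHED;                /* filter owns the response */
}
#endif
```

Two caveats a practitioner would add: Basic sends the password in the clear, so the filter should only be registered on the secure port (drop `SF_NOTIFY_NONSECURE_PORT`) unless the site is TLS-only; and because IIS authentication is turned off, every resource the filter does not gate is served anonymously, so the filter must cover every path that needs protection, not just the ones that happen to get an `Authorization` header.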
Timothy J. Bruce 2004-11-29, 7:51 am
David:
I can see the `300 response' bit was misleading, as I do not wish to merely
extend w3svc, but would like to extend w3svc, msftpsvc, smtpsvc, nntpsvc,
and chatsvc. That precludes HttpHandler and ISAPI, and the mistake is mine
for not being explicit. I should have been a bit more forthright earlier,
and I'll take this as a good time to do so.
I would like to write an AP that w3svc, nntpsvc, smtpsvc, msftpsvc, and
chatsvc can all use. While I can write a kernel-mode AP, I do not wish to
do so as that would require access to the system logons. If adding system
logins were an option then using Basic auth would be satisfactory and work
with all the above systems.
Instead I would like to write a user-mode (if possible) AP that matches
name/passwd credentials against some database (perhaps LDAP Person entries,
not User entries) and on a successful match the server process would
continue to impersonate the anonymous logon defined by that service mount.
For example, most virtual domain hosting subscribers are not at liberty to
add user accounts, but often have subscription content in their FTP and NNTP
stores.
<example> One firm I worked for back in 96 offered complete newsgroup access
to our clients. The news daemon we ran supported this `pseudo' security
terminating successful news login requests with a call to setuid() to
whatever we had defined `nobody' on that system. </example>
It would seem what I would like is a user-mode subauthentication AP, and the
real question is `Can IIS call arbitrary APs?' I know ChatSvc can, and
ChatSvc (I currently run Exchange 5.5's ChatSvc) is also quite a different
animal entirely; but I suspect the authentication process is similar to the
IIS services.
Thanks for your time and thoughts on this matter,
Timothy J. Bruce
uniblab@hotmail.com
</RANT>
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:eciBHdg1EHA.3452@TK2MSFTNGP14.phx.gbl...