How does IIS handle user impersonation token?
| Gery D. Dorazio 2005-10-11, 7:59 am |
| I am using a custom authentication ISAPI filter/extension in conjunction
with using an html form page to authenticate users. As part of this process
I am trying to understand how IIS handles authentication on subsequent round
trips to the server. Specifically, how does IIS handle the user
impersonation token? Does it put it into a header or cookie for each request
after login?
I am trying to understand this so that I can properly initialize the
impersonation token into the right place so that IIS can continue doing its
authentication.
Any helpful good reads on this would be appreciated.
Thanks,
Gery
--
Gery D. Dorazio
Development Engineer
EnQue Corporation
www.EnQue.com
www.ImagingHardware.com
| |
| Ken Schaefer 2005-10-11, 7:59 am |
| "Gery D. Dorazio" <gdorazio@enque.net> wrote in message
news:egkTIhgzFHA.3892@TK2MSFTNGP12.phx.gbl...
: I am using a custom authentication ISAPI filter/extension in conjunction
: with using an html form page to authenticate users. As part of this process
: I am trying to understand how IIS handles authentication on subsequent round
: trips to the server. Specifically, how does IIS handle the user
: impersonation token? Does it put it into a header or cookie for each request
: after login?
IIS doesn't put the user token anywhere (headers or cookie it sends to the
client).
If you are using something like Forms Authentication (with ASP.NET), then
"yes", cookies are used, but that's a function of ASP.NET, not IIS. Likewise,
Password authentication uses cookies too, but that's part of the Passport
infrastructure.
For HTTP based authentication mechanisms (Basic, Digest, NTLM, Kerberos),
the client sends the credentials to IIS using the Authorization: header as
part of each request to the server. The server does not send any
authentication information to the client (all the server does is challenge
the client if the client attempts to make an anonymous request, and as part
of the challenge lists the acceptable authentication mechanisms via the use
of WWW-Authenticate: headers).
Hope that helps.
Cheers
Ken
| |
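The challenge/response sequence described in the reply above, walked through as an added example (not code from the thread). The trace is constructed, and the NTLM messages are stubs holding only the `NTLMSSP` signature and the message type; `stub_msg`, `describe` and `server_set_cookie` are hypothetical helper names.

```python
import base64
import struct

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(value):
    """Name the NTLM message in an 'NTLM <base64>' header value, else None."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        return None
    raw = base64.b64decode(blob)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return NTLM_TYPES.get(struct.unpack_from("<I", raw, 8)[0])

def stub_msg(msg_type):
    # Constructed stub: signature + message type only (real messages carry more).
    raw = b"NTLMSSP\x00" + struct.pack("<I", msg_type)
    return "NTLM " + base64.b64encode(raw).decode()

# Constructed trace of one page fetch: (direction, request line or status, headers)
TRACE = [
    ("request", "GET /", {}),
    ("response", 401, {"WWW-Authenticate": ["Negotiate", "NTLM"]}),
    ("request", "GET /", {"Authorization": stub_msg(1)}),
    ("response", 401, {"WWW-Authenticate": [stub_msg(2)]}),
    ("request", "GET /", {"Authorization": stub_msg(3)}),
    ("response", 200, {}),
]

def describe(trace):
    """Label each hop with who sent it and which auth data it carried."""
    steps = []
    for direction, what, headers in trace:
        if direction == "request":
            auth = headers.get("Authorization")
            label = (ntlm_message_type(auth) or auth.split()[0]) if auth else "anonymous"
            steps.append("client: " + label)
        else:
            offers = [ntlm_message_type(o) or o for o in headers.get("WWW-Authenticate", [])]
            steps.append(("server: %s %s" % (what, ",".join(offers))).strip())
    return steps

def server_set_cookie(trace):
    """True if any response in the trace sets a cookie (none does here)."""
    return any("Set-Cookie" in h for d, _, h in trace if d == "response")

if __name__ == "__main__":
    print("\n".join(describe(TRACE)))
    print("server set a cookie:", server_set_cookie(TRACE))
```
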
| Gery D. Dorazio 2005-10-12, 6:15 pm |
| Thanks Ken...this helps a great deal.
I also took your advice from the post on the aspnet.security newsgroup and
installed Fiddler. I ran it on both an online SharePoint machine and my
development SharePoint server and can see the NTLM sequencing that you
describe here. It's quite interesting how this works and it makes sense when
I close the browser after being logged onto SharePoint....I have to log on
again. Also, I can see the browser respond to 401s for every visit to the
site (for authorization required pages)...showing the 'automatic' NTLM
authorization sequence for each request.
Thanks for your help in this matter.
Gery
--
Gery D. Dorazio
Development Engineer
EnQue Corporation
www.EnQue.com
www.ImagingHardware.com
| |
| Rashad Rivera 2005-10-24, 11:03 am |
| Hello Ken,
I am having a problem that is related to this topic. I have a web
application that needs to use Integrated Windows Authentication. But when
I uncheck the Anonymous setting, I keep getting a "Cannot find server or
DNS Error". I even created a separate virtual directory and placed a simple
HTML file in it. When anonymous is on, it works fine, but when I check it
off, I get the same error. I have tried auditing the files and there are no
errors in the Security log. I even checked the IIS logs and they just show:
401 2 2148074254
401 1 0
The "2148074254" code means "No credentials are available in the security
package", but I don't have a clue as to what it is trying to tell me. Can
you tell me what the problem is? Thanks.
|
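An added example (not from the thread) that decodes the three numbers in the log lines quoted in the last post, reading them as the `sc-status`, `sc-substatus` and `sc-win32-status` fields of an IIS W3C extended log. The dates, URI and `#Fields:` layout in the sample are constructed; only the status triples come from the post, and the text for 2148074254 is the meaning the poster gives.

```python
SUBSTATUS_401 = {1: "Logon failed", 2: "Logon failed due to server configuration"}
WIN32_TEXT = {
    0: "The operation completed successfully",
    2148074254: "No credentials are available in the security package",
}

# Constructed sample; the last three columns of each row are the values in the post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username sc-status sc-substatus sc-win32-status
2005-10-24 15:01:10 GET /test/index.htm - 401 2 2148074254
2005-10-24 15:01:10 GET /test/index.htm - 401 1 0
"""

def decode(row):
    """Turn one log row (field name -> string) into a readable status record."""
    status, sub, win32 = (int(row[k]) for k in ("sc-status", "sc-substatus", "sc-win32-status"))
    return {
        "uri": row["cs-uri-stem"],
        "http": "%d.%d" % (status, sub),
        "meaning": SUBSTATUS_401.get(sub, "unknown") if status == 401 else "",
        # The log prints the HRESULT as unsigned decimal; hex is easier to look up.
        "win32_hex": "0x%08X" % win32,
        # For failure HRESULTs, bits 16-28 hold the facility (9 is the SSPI facility).
        "facility": (win32 >> 16) & 0x1FFF if win32 & 0x80000000 else None,
        "win32_text": WIN32_TEXT.get(win32, "unknown"),
    }

def parse_log(text):
    """Parse W3C extended log text, using the #Fields: directive to name columns."""
    names, out = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line and not line.startswith("#") and names:
            out.append(decode(dict(zip(names, line.split()))))
    return out

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
```
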