Win2003 Auth/AuthZ DLL no access to Access-Reject Attributes...
We seem to have run into an issue using Win2003's new
RadiusExtensionProcess2 API.
Setup:
* Win2003 EE setup as a MS of a Win2003 domain
* A simple "attribute logging" DLL registered at both the Auth and AuthZ
callouts.
I send an MS-CHAPv1 Access-Request to IAS knowing that the user's password
has expired. At the AuthZ callout the rcResponseType is rcAccessReject (as
expected); however, the Attribute Array for the ResponseType of
rcAccessReject contains **no** attributes (GetSize returns 0). Yet the
client receives the MS-CHAP-Error attribute (indicating an expired
password). Why don't we "see" the MS-CHAP-Error attribute at the AuthZ
callout?
We need to change our AuthZ's DLL behavior if an Access-Reject is to be sent
due to password expiration, etc. How do we access that information?
Shouldn't the MS-CHAP-Error attribute be part of the rcAccessReject
attribute array when the AuthZ DLL is called?
--
Tony
I just implemented a RadiusExtensionProcessEx at both callouts. When the
authentication results in an access-reject, why isn't the AuthZ callout
executed? The flowchart in the SDK indicates that the AuthZ callout should
be called regardless of the outcome from the Auth DLL or IAS's own
authentication process.
What gives?
--
Tony
Wajih Yahyaoui [MSFT] 2004-02-11, 6:36 am
known issue
--
Thanks
Wajih
===========================================================
This posting is provided "AS IS" with no warranties and confers no rights
===========================================================
"Tony" <tburnettATNOSPAMcolumbusDOTrrLASTDOTcom> wrote in message
news:#5Boh9$6DHA.3880@tk2msftngp13.phx.gbl...
> I just implemented a RadiusExtensionProcessEx at both callouts. When the
> authentication results in an access-reject, why isn't the AuthZ callout
> executed? The flowchart in the SDK indicates that the AuthZ callout should
> be called regardless of the outcome from the Auth DLL or IAS's own
> authentication process.
>
> What gives?
> --
> Tony
Sam Salhi [MSFT] 2004-02-11, 9:37 am
To expand on this a little bit, this is a by-design behavior; it's expected.
From MSDN:
If the user is not authorized, the packet action is set to Reject, any
extension DLLs that export xxProcess and xxProcessEx are skipped and
xxProcess2 is called.
http://msdn.microsoft.com/library/d...cess.asp
Thanks to Xuemei's help on this one
--
===========================================================
This posting is provided "AS IS" with no warranties and confers no rights
===========================================================
"Wajih Yahyaoui [MSFT]" <wajihy@online.microsoft.com> wrote in message
news:u8ecmfN8DHA.3420@TK2MSFTNGP11.phx.gbl...
> known issue
>
> --
> Thanks
> Wajih
>
> ===========================================================
> This posting is provided "AS IS" with no warranties and confers no rights
> ===========================================================
> "Tony" <tburnettATNOSPAMcolumbusDOTrrLASTDOTcom> wrote in message
> news:#5Boh9$6DHA.3880@tk2msftngp13.phx.gbl...
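The two behaviours the thread pins down, as an added example that is not code from the thread, the IAS SDK or Microsoft: at the Authorization point an Access-Reject reaches only the Process2 export, and the rcAccessReject attribute array there can be empty (GetSize returns 0) even though the client later receives MS-CHAP-Error. The structs below are simplified stand-ins modelled on the authif.h control block and attribute array (those stand-ins, the function names and the enum values are assumptions; the real header is Windows-only), so the program builds anywhere. It shows an Authorization-point callout that branches on rcResponseType first and treats the reject attributes as optional, and, for the case where the attribute is present, extracts the MS-CHAP-Error code from a Vendor-Specific value using the RFC 2548 layout (vendor 311, vendor-type 2, string "E=... R=... V=..."; 648 is the password-expired code).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for the authif.h types (RADIUS_EXTENSION_CONTROL_BLOCK,
 * RADIUS_ATTRIBUTE_ARRAY, RADIUS_ATTRIBUTE); assumptions, not the real header. */
enum rep_point { repAuthentication = 0, repAuthorization = 1 };
enum response_type { rcUnknown = 0, rcAccessAccept = 1, rcAccessReject = 2, rcAccessChallenge = 3 };
#define ratVendorSpecific 26   /* RFC 2865 Vendor-Specific attribute type */
#define MS_VENDOR_ID 311       /* RFC 2548: Microsoft SMI vendor code */
#define MS_CHAP_ERROR_TYPE 2   /* RFC 2548: vendor-type of MS-CHAP-Error */

typedef struct { unsigned attr_type; const unsigned char *data; size_t len; } radius_attr;
typedef struct { const radius_attr *items; size_t count; } attr_array;   /* count plays the GetSize() role */
typedef struct {
    enum rep_point rep_point;          /* repPoint */
    enum response_type response_type;  /* rcResponseType */
    const attr_array *responses[4];    /* what GetResponse(rc) would hand back; NULL = none */
} ext_control_block;

enum outcome { OUT_NOT_REJECT, OUT_REJECT_NO_ATTRS, OUT_REJECT_MSCHAP_ERROR, OUT_REJECT_OTHER };

/* Return the E= code of an MS-CHAP-Error Vendor-Specific value, or -1 if the value is not
 * one. RFC 2548 layout: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Ident(1) String,
 * where Vendor-Length counts type, length, ident and string. */
int mschap_error_code(const unsigned char *vsa, size_t len)
{
    unsigned long vendor;
    const char *s;
    size_t slen, i;
    if (len < 7) return -1;
    vendor = ((unsigned long)vsa[0] << 24) | ((unsigned long)vsa[1] << 16)
           | ((unsigned long)vsa[2] << 8) | vsa[3];
    if (vendor != MS_VENDOR_ID || vsa[4] != MS_CHAP_ERROR_TYPE) return -1;
    if (vsa[5] < 3 || (size_t)vsa[5] > len - 4) return -1;   /* length field must fit the buffer */
    s = (const char *)vsa + 7;
    slen = (size_t)vsa[5] - 3;
    for (i = 0; i + 1 < slen; i++) {
        if (s[i] == 'E' && s[i + 1] == '=') {
            char buf[16];                          /* bounded copy: never read past the attribute */
            size_t n = slen - (i + 2);
            if (n > sizeof buf - 1) n = sizeof buf - 1;
            memcpy(buf, s + i + 2, n);
            buf[n] = '\0';
            return (int)strtol(buf, NULL, 10);
        }
    }
    return -1;
}

/* Authorization-point logic in the shape of a RadiusExtensionProcess2 callout:
 * decide on rcResponseType, then treat the reject attribute array as optional. */
enum outcome authz_process2(const ext_control_block *ecb, int *err_code)
{
    const attr_array *rej;
    size_t i;
    *err_code = -1;
    if (ecb->rep_point != repAuthorization || ecb->response_type != rcAccessReject)
        return OUT_NOT_REJECT;
    rej = ecb->responses[rcAccessReject];
    if (rej == NULL || rej->count == 0)         /* GetSize() == 0: the empty array the thread reports */
        return OUT_REJECT_NO_ATTRS;
    for (i = 0; i < rej->count; i++) {
        if (rej->items[i].attr_type != ratVendorSpecific) continue;
        *err_code = mschap_error_code(rej->items[i].data, rej->items[i].len);
        if (*err_code >= 0) return OUT_REJECT_MSCHAP_ERROR;
    }
    return OUT_REJECT_OTHER;
}

/* Constructed sample: vendor 311, type 2, length 16, ident 1, "E=648 R=0 V=3" (648 = password expired). */
const unsigned char kSampleMsChapError[20] = {
    0x00, 0x00, 0x01, 0x37, 0x02, 0x10, 0x01,
    'E', '=', '6', '4', '8', ' ', 'R', '=', '0', ' ', 'V', '=', '3'
};

/* Run the reject scenario with an empty array (the thread's case) or with the attribute present. */
enum outcome run_reject_scenario(int with_mschap_error, int *err_code)
{
    radius_attr attr = { ratVendorSpecific, kSampleMsChapError, sizeof kSampleMsChapError };
    attr_array populated = { &attr, 1 };
    attr_array empty = { NULL, 0 };
    ext_control_block ecb = { repAuthorization, rcAccessReject, { NULL, NULL, NULL, NULL } };
    ecb.responses[rcAccessReject] = with_mschap_error ? &populated : &empty;
    return authz_process2(&ecb, err_code);
}

/* Convenience wrapper returning only the parsed E= code (-1 when none was found). */
int reject_scenario_error_code(int with_mschap_error)
{
    int code;
    run_reject_scenario(with_mschap_error, &code);
    return code;
}

int main(void)
{
    int code;
    enum outcome o = run_reject_scenario(0, &code);
    printf("empty reject array -> outcome %d (nothing to inspect, E=%d)\n", (int)o, code);
    o = run_reject_scenario(1, &code);
    printf("reject array with MS-CHAP-Error -> outcome %d, E=%d\n", (int)o, code);
    return 0;
}
```

The ordering in authz_process2 is the point: because only Process2 runs for a reject and the reject array may have nothing in it at this point, any policy the DLL applies to rejects has to key off rcResponseType, with the MS-CHAP-Error parse as a bonus when the attribute happens to be there. The parser checks the Vendor-Length field against the buffer before reading the string, so a malformed attribute cannot make it read past the attribute data.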
Understood. The statement is a bit confusing by using the term "extension
DLL" (I see now that the "e" is lower case); a reader might think that
additional Authentication DLLs are skipped, not Authorization DLLs. The
statement is using "extension DLLs" to mean *BOTH* Extension DLLs (big "E")
and Authorization DLLs. Hence the confusion.
Though it is still not clear why the xxxProcess2 at the Authorization
callout does not have access to the MS-CHAP-Error attribute for
Access-Reject messages due to expired password. I know the answer is "by
design", but it appears to be more of an oversight. Seems odd that what is
really an Authentication process action (building the reject packet and its
attributes) occurs *AFTER* the Authorization DLLs are called. I suppose
IAS's RAPs get to have the last look at an outbound packet, rather than the
AuthZ DLLs.
--
Tony
"Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
news:uOTBZHP8DHA.3704@tk2msftngp13.phx.gbl...
> To expand on this a little bit, this is a by-design behavior; it's expected.
> From MSDN:
> If the user is not authorized, the packet action is set to Reject, any
> extension DLLs that export xxProcess and xxProcessEx are skipped and
> xxProcess2 is called.
>
> http://msdn.microsoft.com/library/d...cess.asp
Sam Salhi [MSFT] 2004-02-12, 10:35 am
Sorry for the confusion in MSDN...
Let me ask you something:
How would YOU like to see it work? And why?
We would LOVE to hear you out, and know your needs. We can't promise you
anything, but would love to understand how you would want our product to
work. We might be able to cater for your needs in the future.
Again with no explicit or implicit promises
--
===========================================================
This posting is provided "AS IS" with no warranties and confers no rights
===========================================================
"Tony" <tburnettATNOSPAMcolumbusDOTrrLASTDOTcom> wrote in message
news:us$9fIa8DHA.1632@TK2MSFTNGP12.phx.gbl...
> Understood. The statement is a bit confusing by using the term "extension
> DLL" (I see now that the "e" is lower case); a reader might think that
> additional Authentication DLLs are skipped, not Authorization DLLs. The
> statement is using "extension DLLs" to mean *BOTH* Extension DLLs (big "E")
> and Authorization DLLs. Hence the confusion.
>
> Though it is still not clear why the xxxProcess2 at the Authorization
> callout does not have access to the MS-CHAP-Error attribute for
> Access-Reject messages due to expired password. I know the answer is "by
> design", but it appears to be more of an oversight. Seems odd that what is
> really an Authentication process action (building the reject packet and its
> attributes) occurs *AFTER* the Authorization DLLs are called. I suppose
> IAS's RAPs get to have the last look at an outbound packet, rather than the
> AuthZ DLLs.
>
> --
> Tony
> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
> news:uOTBZHP8DHA.3704@tk2msftngp13.phx.gbl...