Not receiving username password with Basic Authentication

Dear experts,

I'm trying to read the username + password and I'm not receiving it.

Let me illustrate the situation. The user logs in through SonicWall, which uses a LDAP server to verify username+password combinations. Our webserver is IIS7.

We need the username + password so we switched on 'basic authentication' in the SonicWall and in IIS7. We don't want to keep a list of the exact same users + passwords in IIS, so we need to log on to IIS as one user. We used to have an ISAPI filter (ldapauth.dll) that did this for us, but now we need to develop an ASP.NET HTTPHandler or HTTPModule. You see, we also need to username + password from the SonicWall to retrieve data from databases.

So what's the problem you ask?

IIS prompts the client for credentials before our HTTPHandler or HTTPModule could tell IIS that everything is fine. In our example this means in fact picking up the username + password --> picking up data --> continue the HTTP Request with 1 single user which IIS knows and accepts.

Any expert in here have any idea what to do? We are somewhat new to webdevelopment, so any idea is very welcome. We're kind of stuck. Our back-up plan is to built a synchronization tool to keep IIS users up to date with the users in the LDAP server and that is kind of ugly.

Who is Participating?
Dave_DietzConnect With a Mentor Commented:
Are you running your application pool in Classic or Integrated mode?

If Classic you can only do this in an ISAPI filter.  With Integrated you can use managed Modules prior to the AuthenticateRequest notification.

The fact that you specify "request_begin" rather than "BeginRequest" makes me think you are running in Classic mode and are registering for notifications in the ASP.Net request pipeline rather then notifications in the IIS request pipeline.

Dave Dietz
Not asking for much, are you?  :-)

You will need to write an HTTP module that registers for notifications prior to authentication - maybe like request_begin so that it gets called before the authentication modules.  This way you can grab the credentials befor ethey are used, log them or whatever and then substitute your own values (for your single user) so they get consumed by the Basic auth module and generate a valid user context.

Let me know if this makes sense - I'm not a big code writer myself but I understand what parts need to happen when.

Dave Dietz
LabelsoftAuthor Commented:

First off, thnx for your reply. Me? Asking for much? ;-)

 You've actually hit the problem on the head you know. We registered for request_begin, but we were still too late. It seems HTTP modules/handlers are after IIS handles it.

So, it makes sense what you said, but we really need someone who can tell us exactly how to:

--> With 'anonymous acces' switched on in IIS:
1) Pick up the HTTP request from SonicWall before IIS does;
2) Then tell SonicWall 401 (authentication needed);
3) SonicWall sends the username + password
4) HTTPModule catches the username + password and looks up a bunch of custom stuff  and transports/redirects to the correct aspx page with the custom stuff in the query string so the requested site opens.

* It's not per se a problem for us to switch on anonymous acces because then we say IIS only can be accessed from 1 single IP-address (which happens to be the Sonicwall).

--> With 'basic authentication' switched on in IIS:
1) We can skip 1 + 2 of the former steps;
2) We need to pick up the username + password before IIS does and looks up in a INI file (or something) the single Windows user which has acces to IIS (plus a bunch of other custom stuff) --> Fills this in as LOGON_USER and transports/redirects to the correct aspx page with the custom stuff in the query string so the requested site opens.

* But yeah, like I said. We always seem to be too late to get the username+password before IIS does. And then it starts bugging the client to provide credentials because ofcourse it doesn't know the SonicWall user.

So, do you have an idea how to help us further? Or another expert is welcome ofcourse too. The more the merrier.
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

I think part of the problem may be that you are working from an ASP.Net module perspective rather than an IIS Module perspective.  The notification you mention is in the ASP.Net pipeline rather than the IIS pipeline and will only occur once the request has been mapped to a handler which is after the AuthenticateRequest notification in the pipeline.

Take a look at this article from and see if it shines a light on what you are looking for:

     Developing a Module Using .NET

Dave Dietz
LabelsoftAuthor Commented:
Thanks for the article. I haven't read this exact article yet, but lots of articles like this one.

Well, it says so in the article:

"You should see the basic authentication login dialog. Enter "test" in the "User name:" field and "test" in the "Password:" field to get access. Note that if you copy HTML, JPG, or any other content to your application, they too will be protected by your new BasicAuthenticationModule."

This is exactly the behaviour we're trying to eliminate. But I'm starting to believe it's not possible with a HTTPHandler or HTTPModule. We're looking at HTTPListeners now... To beat IIS to it altogether. Don't know if I should delve more into httphandlers/modules, unless you've got a brilliant idea...
No brilliant ideas, but bear in mind that the article I pointed out is specifically targetted at developing an authentication module that has different functionality than you need.  I did not present it as a drop in solution, more as a pointer in the right direction.

If you write your own module that hooks the BeginRequest event it can do the following fairly easily:

1) Pick up the HTTP request from SonicWall before IIS does;
2) Tell SonicWall 401 (authentication needed);
3) Catch the username + password, look up a bunch of custom stuff and redirect to the correct aspx page with the custom stuff in the query string so the requested site opens.

You could also do this in an ISAPI filter as well if that is a more comfortable development arena.

Dave Dietz
LabelsoftAuthor Commented:
I know it was a pointer to the right direction, no worries.

We háve written our own module which was hooked up to BeginRequest, see my first reply to you: "We registered for request_begin, but we were still too late. It seems HTTP modules/handlers are after IIS handles it."

So what you claim at 1) is unfortunatly not possible. If that was possible, all our problems would be solved.

LabelsoftAuthor Commented:
You nailed it!

Setting the applicationpool's mode to 'integrated' made it possible for our HTTPModule to handle the BeginRequest event faster than IIS.

Thank you very much. A valuable addition to the knowledge base if I may say so.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.