Not receiving username password with Basic Authentication

Posted on 2011-02-22
Last Modified: 2012-05-11
Dear experts,

I'm trying to read the username + password and I'm not receiving it.

Let me illustrate the situation. The user logs in through SonicWall, which uses a LDAP server to verify username+password combinations. Our webserver is IIS7.

We need the username + password so we switched on 'basic authentication' in the SonicWall and in IIS7. We don't want to keep a list of the exact same users + passwords in IIS, so we need to log on to IIS as one user. We used to have an ISAPI filter (ldapauth.dll) that did this for us, but now we need to develop an ASP.NET HTTPHandler or HTTPModule. You see, we also need to username + password from the SonicWall to retrieve data from databases.

So what's the problem you ask?

IIS prompts the client for credentials before our HTTPHandler or HTTPModule could tell IIS that everything is fine. In our example this means in fact picking up the username + password --> picking up data --> continue the HTTP Request with 1 single user which IIS knows and accepts.

Any expert in here have any idea what to do? We are somewhat new to webdevelopment, so any idea is very welcome. We're kind of stuck. Our back-up plan is to built a synchronization tool to keep IIS users up to date with the users in the LDAP server and that is kind of ugly.

Question by:Labelsoft
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
LVL 34

Expert Comment

ID: 34974242
Not asking for much, are you?  :-)

You will need to write an HTTP module that registers for notifications prior to authentication - maybe like request_begin so that it gets called before the authentication modules.  This way you can grab the credentials befor ethey are used, log them or whatever and then substitute your own values (for your single user) so they get consumed by the Basic auth module and generate a valid user context.

Let me know if this makes sense - I'm not a big code writer myself but I understand what parts need to happen when.

Dave Dietz

Author Comment

ID: 34977587

First off, thnx for your reply. Me? Asking for much? ;-)

 You've actually hit the problem on the head you know. We registered for request_begin, but we were still too late. It seems HTTP modules/handlers are after IIS handles it.

So, it makes sense what you said, but we really need someone who can tell us exactly how to:

--> With 'anonymous acces' switched on in IIS:
1) Pick up the HTTP request from SonicWall before IIS does;
2) Then tell SonicWall 401 (authentication needed);
3) SonicWall sends the username + password
4) HTTPModule catches the username + password and looks up a bunch of custom stuff  and transports/redirects to the correct aspx page with the custom stuff in the query string so the requested site opens.

* It's not per se a problem for us to switch on anonymous acces because then we say IIS only can be accessed from 1 single IP-address (which happens to be the Sonicwall).

--> With 'basic authentication' switched on in IIS:
1) We can skip 1 + 2 of the former steps;
2) We need to pick up the username + password before IIS does and looks up in a INI file (or something) the single Windows user which has acces to IIS (plus a bunch of other custom stuff) --> Fills this in as LOGON_USER and transports/redirects to the correct aspx page with the custom stuff in the query string so the requested site opens.

* But yeah, like I said. We always seem to be too late to get the username+password before IIS does. And then it starts bugging the client to provide credentials because ofcourse it doesn't know the SonicWall user.

So, do you have an idea how to help us further? Or another expert is welcome ofcourse too. The more the merrier.
LVL 34

Expert Comment

ID: 34980029
I think part of the problem may be that you are working from an ASP.Net module perspective rather than an IIS Module perspective.  The notification you mention is in the ASP.Net pipeline rather than the IIS pipeline and will only occur once the request has been mapped to a handler which is after the AuthenticateRequest notification in the pipeline.

Take a look at this article from and see if it shines a light on what you are looking for:

     Developing a Module Using .NET

Dave Dietz
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 34980242
Thanks for the article. I haven't read this exact article yet, but lots of articles like this one.

Well, it says so in the article:

"You should see the basic authentication login dialog. Enter "test" in the "User name:" field and "test" in the "Password:" field to get access. Note that if you copy HTML, JPG, or any other content to your application, they too will be protected by your new BasicAuthenticationModule."

This is exactly the behaviour we're trying to eliminate. But I'm starting to believe it's not possible with a HTTPHandler or HTTPModule. We're looking at HTTPListeners now... To beat IIS to it altogether. Don't know if I should delve more into httphandlers/modules, unless you've got a brilliant idea...
LVL 34

Expert Comment

ID: 35013279
No brilliant ideas, but bear in mind that the article I pointed out is specifically targetted at developing an authentication module that has different functionality than you need.  I did not present it as a drop in solution, more as a pointer in the right direction.

If you write your own module that hooks the BeginRequest event it can do the following fairly easily:

1) Pick up the HTTP request from SonicWall before IIS does;
2) Tell SonicWall 401 (authentication needed);
3) Catch the username + password, look up a bunch of custom stuff and redirect to the correct aspx page with the custom stuff in the query string so the requested site opens.

You could also do this in an ISAPI filter as well if that is a more comfortable development arena.

Dave Dietz

Author Comment

ID: 35016628
I know it was a pointer to the right direction, no worries.

We háve written our own module which was hooked up to BeginRequest, see my first reply to you: "We registered for request_begin, but we were still too late. It seems HTTP modules/handlers are after IIS handles it."

So what you claim at 1) is unfortunatly not possible. If that was possible, all our problems would be solved.

LVL 34

Accepted Solution

Dave_Dietz earned 500 total points
ID: 35021592
Are you running your application pool in Classic or Integrated mode?

If Classic you can only do this in an ISAPI filter.  With Integrated you can use managed Modules prior to the AuthenticateRequest notification.

The fact that you specify "request_begin" rather than "BeginRequest" makes me think you are running in Classic mode and are registering for notifications in the ASP.Net request pipeline rather then notifications in the IIS request pipeline.

Dave Dietz

Author Closing Comment

ID: 35027309
You nailed it!

Setting the applicationpool's mode to 'integrated' made it possible for our HTTPModule to handle the BeginRequest event faster than IIS.

Thank you very much. A valuable addition to the knowledge base if I may say so.

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question