Solved

Not receiving username password with Basic Authentication

Posted on 2011-02-22
Last Modified: 2012-05-11
Dear experts,

I'm trying to read the username + password and I'm not receiving it.

Let me illustrate the situation. The user logs in through SonicWall, which uses an LDAP server to verify username+password combinations. Our webserver is IIS7.

We need the username + password so we switched on 'basic authentication' in the SonicWall and in IIS7. We don't want to keep a list of the exact same users + passwords in IIS, so we need to log on to IIS as one user. We used to have an ISAPI filter (ldapauth.dll) that did this for us, but now we need to develop an ASP.NET HTTPHandler or HTTPModule. You see, we also need the username + password from the SonicWall to retrieve data from databases.

So what's the problem you ask?

IIS prompts the client for credentials before our HTTPHandler or HTTPModule could tell IIS that everything is fine. In our example this means in fact picking up the username + password --> picking up data --> continue the HTTP Request with 1 single user which IIS knows and accepts.

Any expert in here have any idea what to do? We are somewhat new to web development, so any idea is very welcome. We're kind of stuck. Our back-up plan is to build a synchronization tool to keep IIS users up to date with the users in the LDAP server and that is kind of ugly.

Question by:Labelsoft
LVL 34

Expert Comment

by:Dave_Dietz
ID: 34974242
Not asking for much, are you?  :-)

You will need to write an HTTP module that registers for notifications prior to authentication - maybe like request_begin so that it gets called before the authentication modules.  This way you can grab the credentials before they are used, log them or whatever and then substitute your own values (for your single user) so they get consumed by the Basic auth module and generate a valid user context.

Let me know if this makes sense - I'm not a big code writer myself but I understand what parts need to happen when.

Dave Dietz
0
 
LVL 3

Author Comment

by:Labelsoft
ID: 34977587
@Dave:

First off, thnx for your reply. Me? Asking for much? ;-)

You've actually hit the problem on the head you know. We registered for request_begin, but we were still too late. It seems HTTP modules/handlers are after IIS handles it.

So, it makes sense what you said, but we really need someone who can tell us exactly how to:

--> With 'anonymous access' switched on in IIS:
1) Pick up the HTTP request from SonicWall before IIS does;
2) Then tell SonicWall 401 (authentication needed);
3) SonicWall sends the username + password
4) HTTPModule catches the username + password and looks up a bunch of custom stuff and transports/redirects to the correct aspx page with the custom stuff in the query string so the requested site opens.

* It's not per se a problem for us to switch on anonymous access because then we say IIS only can be accessed from 1 single IP-address (which happens to be the Sonicwall).

--> With 'basic authentication' switched on in IIS:
1) We can skip 1 + 2 of the former steps;
2) We need to pick up the username + password before IIS does and looks up in an INI file (or something) the single Windows user which has access to IIS (plus a bunch of other custom stuff) --> Fills this in as LOGON_USER and transports/redirects to the correct aspx page with the custom stuff in the query string so the requested site opens.

* But yeah, like I said. We always seem to be too late to get the username+password before IIS does. And then it starts bugging the client to provide credentials because of course it doesn't know the SonicWall user.

So, do you have an idea how to help us further? Or another expert is welcome of course too. The more the merrier.
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 34980029
I think part of the problem may be that you are working from an ASP.Net module perspective rather than an IIS Module perspective.  The notification you mention is in the ASP.Net pipeline rather than the IIS pipeline and will only occur once the request has been mapped to a handler which is after the AuthenticateRequest notification in the pipeline.

Take a look at this article from IIS.net and see if it shines a light on what you are looking for:

     Developing a Module Using .NET
     http://learn.iis.net/page.aspx/170/developing-a-module-using-net/

Dave Dietz
0
 
LVL 3

Author Comment

by:Labelsoft
ID: 34980242
Thanks for the article. I haven't read this exact article yet, but lots of articles like this one.

Well, it says so in the article:

"You should see the basic authentication login dialog. Enter "test" in the "User name:" field and "test" in the "Password:" field to get access. Note that if you copy HTML, JPG, or any other content to your application, they too will be protected by your new BasicAuthenticationModule."

This is exactly the behaviour we're trying to eliminate. But I'm starting to believe it's not possible with an HTTPHandler or HTTPModule. We're looking at HTTPListeners now... To beat IIS to it altogether. Don't know if I should delve more into httphandlers/modules, unless you've got a brilliant idea...
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 35013279
No brilliant ideas, but bear in mind that the article I pointed out is specifically targeted at developing an authentication module that has different functionality than you need.  I did not present it as a drop-in solution, more as a pointer in the right direction.

If you write your own module that hooks the BeginRequest event it can do the following fairly easily:

1) Pick up the HTTP request from SonicWall before IIS does;
2) Tell SonicWall 401 (authentication needed);
3) Catch the username + password, look up a bunch of custom stuff and redirect to the correct aspx page with the custom stuff in the query string so the requested site opens.

You could also do this in an ISAPI filter as well if that is a more comfortable development arena.

Dave Dietz
0
 
LVL 3

Author Comment

by:Labelsoft
ID: 35016628
I know it was a pointer to the right direction, no worries.

We háve written our own module which was hooked up to BeginRequest, see my first reply to you: "We registered for request_begin, but we were still too late. It seems HTTP modules/handlers are after IIS handles it."

So what you claim at 1) is unfortunately not possible. If that was possible, all our problems would be solved.

0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 2000 total points
ID: 35021592
Are you running your application pool in Classic or Integrated mode?

If Classic you can only do this in an ISAPI filter.  With Integrated you can use managed Modules prior to the AuthenticateRequest notification.

The fact that you specify "request_begin" rather than "BeginRequest" makes me think you are running in Classic mode and are registering for notifications in the ASP.Net request pipeline rather than notifications in the IIS request pipeline.

Dave Dietz
0
 
LVL 3

Author Closing Comment

by:Labelsoft
ID: 35027309
You nailed it!

Setting the application pool's mode to 'integrated' made it possible for our HTTPModule to handle the BeginRequest event faster than IIS.

Thank you very much. A valuable addition to the knowledge base if I may say so.
0
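
To illustrate the accepted solution, here is an added example (not code from anyone in this thread) of a managed module that reads the Basic credentials at BeginRequest and refuses to load outside Integrated mode. The names `Example`, `EarlyBasicAuthModule`, `UpstreamUser`, `UpstreamPassword` and the realm are hypothetical, UTF-8 credential encoding is an assumption, and the parsed values are kept in `HttpContext.Items` for later pipeline stages instead of being placed in a query string.

```csharp
using System;
using System.Text;
using System.Web;
// Register in web.config under <system.webServer><modules> (the IIS pipeline):
//   <add name="EarlyBasicAuth" type="Example.EarlyBasicAuthModule" />
// An entry under <system.web><httpModules> is only used in Classic mode.
namespace Example // hypothetical namespace and type names
{
    public class EarlyBasicAuthModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Fail fast when the application pool runs in Classic mode.
            if (!HttpRuntime.UsingIntegratedPipeline)
                throw new PlatformNotSupportedException("Integrated pipeline mode required.");
            app.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            string user, password;
            if (!TryParseBasic(ctx.Request.Headers["Authorization"], out user, out password))
            {
                // No usable credentials: challenge the upstream client and stop here.
                ctx.Response.StatusCode = 401;
                ctx.Response.AddHeader("WWW-Authenticate", "Basic realm=\"example\"");
                ctx.ApplicationInstance.CompleteRequest();
                return;
            }
            // Per-request state, visible to later modules and the handler only.
            ctx.Items["UpstreamUser"] = user;
            ctx.Items["UpstreamPassword"] = password;
        }

        public static bool TryParseBasic(string header, out string user, out string password)
        {
            user = password = null;
            if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
                return false;
            byte[] raw;
            try { raw = Convert.FromBase64String(header.Substring(6).Trim()); }
            catch (FormatException) { return false; } // malformed base64
            string pair = Encoding.UTF8.GetString(raw); // assumption: UTF-8 credentials
            int colon = pair.IndexOf(':'); // only the first colon separates; passwords may contain ':'
            if (colon < 1) return false;   // no separator or empty user name
            user = pair.Substring(0, colon);
            password = pair.Substring(colon + 1);
            return true;
        }
        public void Dispose() { }
    }
}
```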
