Solved

Not receiving username password with Basic Authentication

Posted on 2011-02-22
Last Modified: 2012-05-11
Dear experts,

I'm trying to read the username + password and I'm not receiving it.

Let me illustrate the situation. The user logs in through SonicWall, which uses an LDAP server to verify username+password combinations. Our webserver is IIS7.

We need the username + password so we switched on 'basic authentication' in the SonicWall and in IIS7. We don't want to keep a list of the exact same users + passwords in IIS, so we need to log on to IIS as one user. We used to have an ISAPI filter (ldapauth.dll) that did this for us, but now we need to develop an ASP.NET HTTPHandler or HTTPModule. You see, we also need the username + password from the SonicWall to retrieve data from databases.

So what's the problem you ask?

IIS prompts the client for credentials before our HTTPHandler or HTTPModule could tell IIS that everything is fine. In our example this means in fact picking up the username + password --> picking up data --> continue the HTTP Request with 1 single user which IIS knows and accepts.

Any expert in here have any idea what to do? We are somewhat new to web development, so any idea is very welcome. We're kind of stuck. Our back-up plan is to build a synchronization tool to keep IIS users up to date with the users in the LDAP server and that is kind of ugly.

Question by:Labelsoft
8 Comments
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 34974242
Not asking for much, are you?  :-)

You will need to write an HTTP module that registers for notifications prior to authentication - maybe like request_begin so that it gets called before the authentication modules.  This way you can grab the credentials before they are used, log them or whatever and then substitute your own values (for your single user) so they get consumed by the Basic auth module and generate a valid user context.

Let me know if this makes sense - I'm not a big code writer myself but I understand what parts need to happen when.

Dave Dietz
0
 
LVL 3

Author Comment

by:Labelsoft
ID: 34977587
@Dave:

First off, thnx for your reply. Me? Asking for much? ;-)

You've actually hit the problem on the head you know. We registered for request_begin, but we were still too late. It seems HTTP modules/handlers are after IIS handles it.

So, it makes sense what you said, but we really need someone who can tell us exactly how to:

--> With 'anonymous access' switched on in IIS:
1) Pick up the HTTP request from SonicWall before IIS does;
2) Then tell SonicWall 401 (authentication needed);
3) SonicWall sends the username + password
4) HTTPModule catches the username + password and looks up a bunch of custom stuff  and transports/redirects to the correct aspx page with the custom stuff in the query string so the requested site opens.

* It's not per se a problem for us to switch on anonymous access because then we say IIS only can be accessed from 1 single IP-address (which happens to be the SonicWall).

--> With 'basic authentication' switched on in IIS:
1) We can skip 1 + 2 of the former steps;
2) We need to pick up the username + password before IIS does and looks up in an INI file (or something) the single Windows user which has access to IIS (plus a bunch of other custom stuff) --> Fills this in as LOGON_USER and transports/redirects to the correct aspx page with the custom stuff in the query string so the requested site opens.

* But yeah, like I said. We always seem to be too late to get the username+password before IIS does. And then it starts bugging the client to provide credentials because of course it doesn't know the SonicWall user.

So, do you have an idea how to help us further? Or another expert is welcome of course too. The more the merrier.
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 34980029
I think part of the problem may be that you are working from an ASP.Net module perspective rather than an IIS Module perspective.  The notification you mention is in the ASP.Net pipeline rather than the IIS pipeline and will only occur once the request has been mapped to a handler which is after the AuthenticateRequest notification in the pipeline.

Take a look at this article from IIS.net and see if it shines a light on what you are looking for:

     Developing a Module Using .NET
     http://learn.iis.net/page.aspx/170/developing-a-module-using-net/

Dave Dietz
0
 
LVL 3

Author Comment

by:Labelsoft
ID: 34980242
Thanks for the article. I haven't read this exact article yet, but lots of articles like this one.

Well, it says so in the article:

"You should see the basic authentication login dialog. Enter "test" in the "User name:" field and "test" in the "Password:" field to get access. Note that if you copy HTML, JPG, or any other content to your application, they too will be protected by your new BasicAuthenticationModule."

This is exactly the behaviour we're trying to eliminate. But I'm starting to believe it's not possible with a HTTPHandler or HTTPModule. We're looking at HTTPListeners now... To beat IIS to it altogether. Don't know if I should delve more into httphandlers/modules, unless you've got a brilliant idea...
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 35013279
No brilliant ideas, but bear in mind that the article I pointed out is specifically targeted at developing an authentication module that has different functionality than you need.  I did not present it as a drop-in solution, more as a pointer in the right direction.

If you write your own module that hooks the BeginRequest event it can do the following fairly easily:

1) Pick up the HTTP request from SonicWall before IIS does;
2) Tell SonicWall 401 (authentication needed);
3) Catch the username + password, look up a bunch of custom stuff and redirect to the correct aspx page with the custom stuff in the query string so the requested site opens.

You could also do this in an ISAPI filter as well if that is a more comfortable development arena.

Dave Dietz
0
 
LVL 3

Author Comment

by:Labelsoft
ID: 35016628
I know it was a pointer to the right direction, no worries.

We háve written our own module which was hooked up to BeginRequest, see my first reply to you: "We registered for request_begin, but we were still too late. It seems HTTP modules/handlers are after IIS handles it."

So what you claim at 1) is unfortunately not possible. If that was possible, all our problems would be solved.

0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 500 total points
ID: 35021592
Are you running your application pool in Classic or Integrated mode?

If Classic you can only do this in an ISAPI filter.  With Integrated you can use managed Modules prior to the AuthenticateRequest notification.

The fact that you specify "request_begin" rather than "BeginRequest" makes me think you are running in Classic mode and are registering for notifications in the ASP.Net request pipeline rather than notifications in the IIS request pipeline.

Dave Dietz
0
 
LVL 3

Author Closing Comment

by:Labelsoft
ID: 35027309
You nailed it!

Setting the application pool's mode to 'integrated' made it possible for our HTTPModule to handle the BeginRequest event faster than IIS.

Thank you very much. A valuable addition to the knowledge base if I may say so.
0
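
The accepted solution and the closing comment come down to a managed module that handles BeginRequest in an Integrated-mode application pool, where that event fires before AuthenticateRequest. The sketch below is an added example, not code from the thread or from the linked IIS.net article; the class name, the Items key, the realm string and the choice of UTF-8 decoding are assumptions, and it assumes anonymous access is enabled in IIS so the module issues the 401 challenge itself.

```csharp
using System;
using System.Text;
using System.Web;

// Hypothetical module name. Register it under <system.webServer><modules>
// (read by the IIS integrated pipeline), not <system.web><httpModules>.
public sealed class GatewayCredentialModule : IHttpModule
{
    public const string UserKey = "GatewayUser"; // hypothetical Items key

    public void Init(HttpApplication app)
    {
        // Integrated mode raises BeginRequest before AuthenticateRequest.
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string user, password;
        if (!TryParseBasic(ctx.Request.Headers["Authorization"], out user, out password))
        {
            // No usable credentials: challenge the caller and stop here.
            ctx.Response.StatusCode = 401;
            ctx.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"gateway\"");
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }
        // The password is available here for the back-end lookup; only the
        // user name is kept, per request, and out of URLs and log files.
        ctx.Items[UserKey] = user;
    }

    // Parses "Basic base64(user:password)"; returns false on malformed input.
    public static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        // UTF-8 is an assumption; the gateway may encode differently.
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':'); // the password may itself contain ':'
        if (colon <= 0) return false;     // reject an empty or missing user name
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    public void Dispose() { }
}
```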
