Not receiving username password with Basic Authentication

Posted on 2011-02-22
Last Modified: 2012-05-11
Dear experts,

I'm trying to read the username + password and I'm not receiving it.

Let me illustrate the situation. The user logs in through SonicWall, which uses an LDAP server to verify username+password combinations. Our webserver is IIS7.

We need the username + password so we switched on 'basic authentication' in the SonicWall and in IIS7. We don't want to keep a list of the exact same users + passwords in IIS, so we need to log on to IIS as one user. We used to have an ISAPI filter (ldapauth.dll) that did this for us, but now we need to develop an ASP.NET HTTPHandler or HTTPModule. You see, we also need the username + password from the SonicWall to retrieve data from databases.

So what's the problem you ask?

IIS prompts the client for credentials before our HTTPHandler or HTTPModule could tell IIS that everything is fine. In our example this means in fact picking up the username + password --> picking up data --> continue the HTTP Request with 1 single user which IIS knows and accepts.

Any expert in here have any idea what to do? We are somewhat new to web development, so any idea is very welcome. We're kind of stuck. Our back-up plan is to build a synchronization tool to keep IIS users up to date with the users in the LDAP server and that is kind of ugly.

Question by:Labelsoft

Expert Comment

ID: 34974242
Not asking for much, are you?  :-)

You will need to write an HTTP module that registers for notifications prior to authentication - maybe like request_begin so that it gets called before the authentication modules.  This way you can grab the credentials before they are used, log them or whatever and then substitute your own values (for your single user) so they get consumed by the Basic auth module and generate a valid user context.

Let me know if this makes sense - I'm not a big code writer myself but I understand what parts need to happen when.

Dave Dietz

Author Comment

ID: 34977587

First off, thanks for your reply. Me? Asking for much? ;-)

 You've actually hit the problem on the head you know. We registered for request_begin, but we were still too late. It seems HTTP modules/handlers are after IIS handles it.

So, it makes sense what you said, but we really need someone who can tell us exactly how to:

--> With 'anonymous access' switched on in IIS:
1) Pick up the HTTP request from SonicWall before IIS does;
2) Then tell SonicWall 401 (authentication needed);
3) SonicWall sends the username + password
4) HTTPModule catches the username + password and looks up a bunch of custom stuff  and transports/redirects to the correct aspx page with the custom stuff in the query string so the requested site opens.

* It's not per se a problem for us to switch on anonymous access because then we say IIS only can be accessed from 1 single IP-address (which happens to be the SonicWall).

--> With 'basic authentication' switched on in IIS:
1) We can skip 1 + 2 of the former steps;
2) We need to pick up the username + password before IIS does and look up in an INI file (or something) the single Windows user which has access to IIS (plus a bunch of other custom stuff) --> Fills this in as LOGON_USER and transports/redirects to the correct aspx page with the custom stuff in the query string so the requested site opens.

* But yeah, like I said. We always seem to be too late to get the username+password before IIS does. And then it starts bugging the client to provide credentials because of course it doesn't know the SonicWall user.

So, do you have an idea how to help us further? Or another expert is welcome of course too. The more the merrier.

Expert Comment

ID: 34980029
I think part of the problem may be that you are working from an ASP.Net module perspective rather than an IIS Module perspective.  The notification you mention is in the ASP.Net pipeline rather than the IIS pipeline and will only occur once the request has been mapped to a handler which is after the AuthenticateRequest notification in the pipeline.

Take a look at this article from and see if it shines a light on what you are looking for:

     Developing a Module Using .NET

Dave Dietz

Author Comment

ID: 34980242
Thanks for the article. I haven't read this exact article yet, but lots of articles like this one.

Well, it says so in the article:

"You should see the basic authentication login dialog. Enter "test" in the "User name:" field and "test" in the "Password:" field to get access. Note that if you copy HTML, JPG, or any other content to your application, they too will be protected by your new BasicAuthenticationModule."

This is exactly the behaviour we're trying to eliminate. But I'm starting to believe it's not possible with a HTTPHandler or HTTPModule. We're looking at HTTPListeners now... To beat IIS to it altogether. Don't know if I should delve more into httphandlers/modules, unless you've got a brilliant idea...

Expert Comment

ID: 35013279
No brilliant ideas, but bear in mind that the article I pointed out is specifically targeted at developing an authentication module that has different functionality than you need.  I did not present it as a drop in solution, more as a pointer in the right direction.

If you write your own module that hooks the BeginRequest event it can do the following fairly easily:

1) Pick up the HTTP request from SonicWall before IIS does;
2) Tell SonicWall 401 (authentication needed);
3) Catch the username + password, look up a bunch of custom stuff and redirect to the correct aspx page with the custom stuff in the query string so the requested site opens.

You could also do this in an ISAPI filter as well if that is a more comfortable development arena.

Dave Dietz

Author Comment

ID: 35016628
I know it was a pointer to the right direction, no worries.

We háve written our own module which was hooked up to BeginRequest, see my first reply to you: "We registered for request_begin, but we were still too late. It seems HTTP modules/handlers are after IIS handles it."

So what you claim at 1) is unfortunately not possible. If that was possible, all our problems would be solved.


Accepted Solution

Dave_Dietz earned 500 total points
ID: 35021592
Are you running your application pool in Classic or Integrated mode?

If Classic you can only do this in an ISAPI filter.  With Integrated you can use managed Modules prior to the AuthenticateRequest notification.

The fact that you specify "request_begin" rather than "BeginRequest" makes me think you are running in Classic mode and are registering for notifications in the ASP.Net request pipeline rather than notifications in the IIS request pipeline.

Dave Dietz

Author Closing Comment

ID: 35027309
You nailed it!

Setting the application pool's mode to 'integrated' made it possible for our HTTPModule to handle the BeginRequest event faster than IIS.

Thank you very much. A valuable addition to the knowledge base if I may say so.
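
An added example, not code from this thread: a managed module for the 'anonymous access' variant discussed above, which issues the 401 challenge itself in BeginRequest and parses the Basic credentials the proxy sends back. It assumes an Integrated-mode application pool with IIS's own Basic authentication disabled; the class name, realm and `Items` keys are hypothetical.

```csharp
using System;
using System.Text;
using System.Web;

// Hypothetical module name. Register it under <system.webServer><modules> in web.config;
// an entry under <system.web><httpModules> is only read in Classic mode.
public sealed class ProxyBasicAuthModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fail loudly in Classic mode instead of silently running too late.
        if (!HttpRuntime.UsingIntegratedPipeline)
            throw new PlatformNotSupportedException("Integrated pipeline mode required.");
        app.BeginRequest += OnBeginRequest;
    }

    // Parses "Basic base64(user:pass)"; splits on the first colon because passwords may contain ':'.
    public static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        // UTF-8 is an assumption here; match whatever charset the proxy actually sends.
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }   // malformed base64
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;               // no separator or empty user name
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string user, password;
        if (!TryParseBasic(app.Request.Headers["Authorization"], out user, out password))
        {
            app.Response.StatusCode = 401;
            app.Response.AddHeader("WWW-Authenticate", "Basic realm=\"example\"");
            app.CompleteRequest();                  // skip the rest of the pipeline
            return;
        }
        // Per-request state keeps the credentials out of URLs and therefore out of IIS logs.
        app.Context.Items["ProxyUser"] = user;
        app.Context.Items["ProxyPassword"] = password;
    }

    public void Dispose() { }
}
```

Basic credentials are only base64-encoded, so this design depends on the IP restriction to the SonicWall mentioned earlier in the thread and on an encrypted link between the proxy and IIS.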
