ISAPI problem OnAuthentication

TheMSsForum.com: The Microsoft Software Forum

Hi all

First of all, let me expose the problem:

We have a SharePoint server under IIS, the access to the site is
filtered by Netegrity SiteMinder ISAPIWebAgent ISAPI filter that
checks wether the user has a valid certificate for accessing the site.
After this, I need to pass SharePoint a windows account so I activate
Basic Authentication on the site. The problem we have is that
siteminder ISAPI filter clears Basic Authentication login information
and the behaviour we see is that we can't pass the login form, if we
enable Anonymous Access, I can see in the Request that siteminder has
changed AUTH_USER and AUTH_PASSWORD parameters so this is why I think
that later when I enable Basic Authentication it fails.

What I'm trying to do:

I've created a new Authentication ISAPI filter that simply provides a
valid user login at runtime
(something like:
strcpy(pAuthent->pszUser, "<valid_user>");
strcpy(pAuthent->pszPassword, "<valid_pass>");
)
so fixing login information so that if siteminder changes it before,
then I provide a valid one (hardcoded, I know).

What happens:

It seems that SiteMinder ISAPI filter executes before and after
processing the OnAuthentication event may return with
SF_STATUS_REQ_HANDLED_NOTIFICATION code because my custom ISAPI filter
doesn't get executed. If I change ISAPI filter execution order and
execute my filter first should work ??

This is the problem, I'd like to know if there's a better way to solve
it that I haven't thought about, also if not, how can I get my ISAPI
filter executed after the SiteMinder one even if the later returns
handled notification or if executing my filter first will solve it
(remember that SiteMinder apparently clears login info when it
executes)

Any help will be really appreciated, I don't know what else to try to
solve this, thx in advance.

ori
Top

Re: ISAPI problem OnAuthentication by David

David
Tue Oct 05 23:38:14 CDT 2004

What do you actually want to do, and what IIS version are we talking about.

It sounds like you have an identity whose credentials you first verify with
Netegrity. If it succeeds, then you want to map that identity to a Windows
account so that Sharepoint works.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"ORi" <ori@bbs-ce.uab.es> wrote in message
news:73b37c5e.0410050233.6aab8d41@posting.google.com...
Hi all

First of all, let me expose the problem:

We have a SharePoint server under IIS, the access to the site is
filtered by Netegrity SiteMinder ISAPIWebAgent ISAPI filter that
checks wether the user has a valid certificate for accessing the site.
After this, I need to pass SharePoint a windows account so I activate
Basic Authentication on the site. The problem we have is that
siteminder ISAPI filter clears Basic Authentication login information
and the behaviour we see is that we can't pass the login form, if we
enable Anonymous Access, I can see in the Request that siteminder has
changed AUTH_USER and AUTH_PASSWORD parameters so this is why I think
that later when I enable Basic Authentication it fails.

What I'm trying to do:

I've created a new Authentication ISAPI filter that simply provides a
valid user login at runtime
(something like:
strcpy(pAuthent->pszUser, "<valid_user>");
strcpy(pAuthent->pszPassword, "<valid_pass>");
)
so fixing login information so that if siteminder changes it before,
then I provide a valid one (hardcoded, I know).

What happens:

It seems that SiteMinder ISAPI filter executes before and after
processing the OnAuthentication event may return with
SF_STATUS_REQ_HANDLED_NOTIFICATION code because my custom ISAPI filter
doesn't get executed. If I change ISAPI filter execution order and
execute my filter first should work ??

This is the problem, I'd like to know if there's a better way to solve
it that I haven't thought about, also if not, how can I get my ISAPI
filter executed after the SiteMinder one even if the later returns
handled notification or if executing my filter first will solve it
(remember that SiteMinder apparently clears login info when it
executes)

Any help will be really appreciated, I don't know what else to try to
solve this, thx in advance.

ori


Top

Re: ISAPI problem OnAuthentication by ori

ori
Wed Oct 06 09:35:58 CDT 2004

Yep, that's more less what I'm actually trying to do. I validate a
given credentials with Netegrity, then I enable Basic Authentication
on the site. When trying to access the site, the login popup appears
and I enter the login information with a valid windows account, it
seems that after that, on the OnAuthentication event the SiteMinder
ISAPIWebManager filter resets the entered login information and after
doing the request, the login popup appears again because it can't
login with SiteMinder updated info. So the behaviour is that when I
enable Basic Authentication and SiteMinder on the site, I can't pass
the login popup for Basic Authentication.

The server runs IIS 6.0

thx in advance,
ori

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:<ORhucC2qEHA.3848@TK2MSFTNGP14.phx.gbl>...
> What do you actually want to do, and what IIS version are we talking about.
>
> It sounds like you have an identity whose credentials you first verify with
> Netegrity. If it succeeds, then you want to map that identity to a Windows
> account so that Sharepoint works.
Top

Re: ISAPI problem OnAuthentication by David

David
Thu Oct 07 01:33:28 CDT 2004

So, the problem you are describing here is that SiteMinder is incompatible
with any other authentication methods.

First, you need to make sure that SiteMinder is completely unable to work
with any standard authentication method on IIS.

If the SiteMinder ISAPI sets incorrect credentials in its OnAuthentication
event, returns "handled", and IIS is set to require authentication, then you
have no alternatives since SiteMinder is quite intentionally getting in your
way of implementing any workaround.

In the above scenario, if you set IIS to not require authentication (i.e.
only anonymous authentication is enabled), you can work around SiteMinder by
using a customized version of the CustomAuth sample ISAPI from the IIS
Platform SDK to set the Windows account impersonated by IIS for the request
(i.e. roughly the same thing that you can do with Basic+OnAuthentication in
an ISAPI Filter, except it requires anonymous authentication to work).

http://www.microsoft.com/msdownload/platformsdk/sdkupdate/default.htm

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"ORi" <ori@bbs-ce.uab.es> wrote in message
news:73b37c5e.0410060635.29f3d6b3@posting.google.com...
Yep, that's more less what I'm actually trying to do. I validate a
given credentials with Netegrity, then I enable Basic Authentication
on the site. When trying to access the site, the login popup appears
and I enter the login information with a valid windows account, it
seems that after that, on the OnAuthentication event the SiteMinder
ISAPIWebManager filter resets the entered login information and after
doing the request, the login popup appears again because it can't
login with SiteMinder updated info. So the behaviour is that when I
enable Basic Authentication and SiteMinder on the site, I can't pass
the login popup for Basic Authentication.

The server runs IIS 6.0

thx in advance,
ori

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:<ORhucC2qEHA.3848@TK2MSFTNGP14.phx.gbl>...
> What do you actually want to do, and what IIS version are we talking
about.
>
> It sounds like you have an identity whose credentials you first verify
with
> Netegrity. If it succeeds, then you want to map that identity to a
Windows
> account so that Sharepoint works.


Top