次の方法で共有


HOWTO: Change IIS User Impersonation Token

Question:

Hi,

We are using our third party component for doing authentication and authorization with IIS6 web server on win2k3 X64 EE. Here we are using IMPERSONATION concept for this integration.

Can anybody describe the required configuration which are needed at IIS 6 for successfully impersonation of users with third party component?

Should we need to set Anonymous authentication explicitely for this kind of configuration?

Answer:

Third party code will not be able to directly impersonate and have IIS use that user token. IIS will:

  • Strip off the impersonation token after ISAPI Extension returns control to it
  • Ignore and re-apply IIS's desired impersonation token if ISAPI Filter changed it

Thus, the only way for you to impersonate users with IIS is to change IIS's desired impersonation token. The following are the methods, in no particular order, that ISAPI can change IIS's desired impersonation token and hence control impersonated user. The method you choose depends on your authentication protocol's requirements.

  • ISAPI Filter - SF_NOTIFY_PREPROC_HEADERS event - change the "Authorization" request header value to be: Basic [base64 encoding of username:password] . Requires Basic Authentication enabled in IIS.
  • ISAPI Filter - SF_NOTIFY_AUTHENTICATION event - change pszUser and pszPassword fields on HTTP_FILTER_AUTHENT. Remember to SET your values into the provided buffers (and change the cbUserBuff/cbPasswordBuf values) because those are the actual buffers IIS will use. Requires Anonymous or Basic Authentication enabled in IIS.
  • ISAPI Extension - HSE_REQ_EXEC_URL configured as Wildcard Application Mapping - change hImpersonationToken field on HSE_EXEC_URL_USER_INFO to be the actual NT User Token used by IIS for request impersonation. Requires Anonymous Authentication enabled in IIS.

//David

Comments

  • Anonymous
    June 09, 2008
    I have gone the ISAPI Extension route with HSE_REQ_EXEC_URL.  If I use the LogonUser function with a username and password all works well.  If I try and use an impersonated token (no password) via Kerberos LSALogonUser and the KERB_S4U_LOGON flag then IIS fails to use the impersonated token.  The KERB_S4U_LOGON works in ASP.Net using an HTTP Handler with the new integrated pipeline in IIS7, but I can't get it to work via an ISAPI extention in classic mode or on IIS6.   Is KERB_S4U_LOGON  not supported on IIS6/IIS7 Classic mode? Thanks, matt

  • Anonymous
    May 12, 2010
    I also face the same issue - HSE_REQ_EXEC_URL does not support KERB_S4U_LOGON ? It cannot impersonate with this s4 u logon token. Any thougths?