The ISAPI Filter Adventure Begins!

I haven’t posted in a long time due to work, hobbies, and just being lazy. But I’m here now, and that’s all that matters.

Anyway, the next series of posts is going to be about my experiences modifying CustomAuth, a Microsoft ISAPI Filter/Extension. I’m going to try to make my posts shorter, each post talking about a different modified section of code or problem I encountered. Also, if you don’t have to, I would advise against implementing this form of authentication. I have not found very much documentation on the subject (which is why I’m posting it here), it is not supported, and it requires a great deal of customization. Generally, you should try to find a supported solution or one with lots of documentation.

To start, you can try to get the Microsoft Server SDK, which will give you the source code for the CustomAuth Filter. It will also give you the ISAPI Tools files for it. I haven’t tested this version of the SDK, but I think this should be right.

Download Windows Server 2003 R2 Platform SDK

A great reference for this topic is David Wang, whose blog provides more advanced and generally ideological solutions rather than specific fixes. A specific blog post discusses the compiling of the CustomAuth files which I will be going over in a later post.

HOWTO Install and Use CustomAuth on IIS6

Overall a great help to me and a wonderful blog on the subject of ISAPI and IIS, although his responses do seem to be full of contempt for the person asking the question. The idea I get from the blog is that only those with enough experience with this subject should be trying these methods, yet from what I have found, how can anyone get experience when so little information is available? But I digress.

If all else fails, here is the CustomAuth project that can be opened and compiled in VS 2003.

CustomAuth

Simply change the extension from .doc to .zip and unzip it. I don’t know why I didn’t think about doing this with my earlier posts to get past the upload restrictions of WordPress. I understand why the restrictions are in place, but it also seems these blogs are not very ‘code’ friendly. I mean, not even .txt files are allowed for upload, what is with that?

2 Responses to “The ISAPI Filter Adventure Begins!”

  1. craigbox Says:

    Hi Andre,

    I have a couple of questions about CustomAuth. If you’re interested in helping, would you mind e-mailing me on craig.box@softinn.com?

    What I would like to do is allow authentication via Windows auth, if the credentials pass the initial challenge, and if not, stop prompting for them, and redirect to a form login page. I am not sure if this is possible but feel you might have more of an idea!

    Thanks,
    Craig

  2. Andre Says:

    Greetings Craig!

    So, you would like to automatically login users with Windows authentication and if the login fails, then prompt them for credentials at a login page. Unfortunately, this is not possible with the CustomAuth filter I talk about on my blog. However, there are a few options.

    The CustomAuth filter only works when the authentication scheme is set to Anonymous; if any other scheme is used, that scheme takes precedence over the filter. This is because in the code of the filter, it explicitly decides that when it finds another authentication scheme, it will disable itself from further IIS notifications. This may be an option, if you wish to dig into doing ISAPI Filters/Extensions and working with IIS on a much deeper level, but I do not have the experience to provide a way to do this, nor did I find any useful documentation on the subject when I was looking. If you do end up modifying the filter, then perhaps you will post your own guide on how you did it!

    The second option, which is just a workaround and may not be possible, is where I can offer some help. This option is to just take the CustomAuth filter and get it all set up (which I could help with by sending a completed version of the Cleaned Custom Auth and the .NET login page I used). Now, when the user goes to a webpage protected by the CustomAuth filter, they would be redirected to the login page. This is the part where I’m not sure if it would work. Using the CustomAuth filter with .NET pages, the and properties have to be completely removed from the web.config files. If they exist at all, then the .NET ISAPI filter/extension will take over. Thus Windows authentication cannot be set for .NET pages. Some research may find a solution to obtain Windows credentials through a .NET page without having Windows authentication set. Assuming this is possible, when the user first hits the login page, automatically create a cookie for the filter and attempt to log them in. In the login page, simply do a check every time someone hits the page to see if the login cookie exists. If it does, then you know that the Windows authentication login failed and that you should not automatically try to log them in again.

    I can go into more detail about the CustomAuth filter to help you understand and thus get a better idea of what may or may not be possible for your environment, but for now this is where I will end it.

    Andre

