Sharepoint and Custom IIS7 authentication module (impersonation)

  • Question

  • Hi, 

I have a big problem with a custom IIS7 native authentication module and SharePoint MOSS 2007 SP2 x64.

    I created an IIS7.5 x64 native module that creates a Windows token using the LsaLogonUser function and adds that user to every request; that way I get a full impersonation token for the user from Active Directory. If I test that module in a test application, I get the following:

    System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType = WindowsIdentity
    System.Web.HttpContext.Current.User.Identity.AuthenticationType = Kerberos;
    System.Security.Principal.WindowsIdentity.GetCurrent().ImpersonationLevel.ToString() = Kerberos
    System.Web.HttpContext.Current.User.Identity.GetType().Name = Impersonation
    System.Environment.UserName = TestUser
    Request.ServerVariables["LOGON_USER"] = TEST\TestUser
    System.Security.Principal.WindowsIdentity.GetCurrent().Name = TEST\TestUser
    Request.LogonUserIdentity.Name = TEST\TestUser
    System.Threading.Thread.CurrentPrincipal.Identity.Name = TEST\TestUser
    System.Web.HttpContext.Current.User.Identity.Name = TEST\TestUser
    Page.User.Identity.Name = TEST\TestUser
    System.Web.HttpContext.Current.Request.ServerVariables["AUTH_USER"] = TEST\TestUser
    System.Web.HttpContext.Current.Request.ServerVariables["REMOTE_USER"] = TEST\TestUser
    System.Web.HttpContext.Current.Request.ServerVariables["HTTP_COMMON_NAME"] = TEST\TestUser

So basically this is a Windows authentication module.

    SharePoint is installed as local (not server farm or front end …) and is running under the LocalSystem application pool identity; the membership provider is Windows, and without the module it works with every setting (Integrated Windows authentication – Negotiate (Kerberos) or NTLM, Basic …): in the pop-up I enter TEST\TestUser and the password and everything works as it is supposed to, but...

    When I add the module, it should impersonate every request and act like any other module, but it works only if I make a direct request for an .ASPX page, not for a file or directory. (Settings in Central administration → Application management → Authentication providers → Edit authentication are: Authentication type = Windows, and everything else is off.)

    Example:

With the module that impersonates TEST\User I get the whole page, the current user is TEST\User, all pictures are loaded and so on. If I go, for example, to the Document center and click on Documents on the left side inside Site Hierarchy, I get Access denied – no permission.

    In Fiddler the request is for localhost:55555/document/Documents and the response is 401 Access denied, but if I click on View all site content → Documents everything works fine, because it doesn't require a redirect to Location: http://localhost:55555/document/Documents/Forms/AllItems.aspx; rather, the link goes there directly.

    Same with the default site: if I enter localhost:55555 it says 401 Access denied, but it should redirect to http://localhost:55555/Wiki%20Pages/Home.aspx.

    So what's wrong is that the redirect doesn't work; it says 401 Access denied.

    If I turn Integrated Windows authentication ON, or Basic authentication ON, inside Central administration → Application management → Authentication providers → Edit authentication, then I get a pop-up for authentication against AD, and that is not an option, because my module impersonates EVERY request and SharePoint should know which user is requesting.

    The same problems happen with files: I can upload a file in Document center → Documents, but when I try to view that picture it says Access denied
    (the link for the picture is direct, for example: http://localhost:55555/document/Documents/Winter.jpg).

    So is there any other way to fix this? Why is SharePoint or IIS causing this problem?

    Can I make a custom SharePoint membership provider and role manager that will use the generated Windows token from the WindowsIdentity class (or the LsaLogonUser function) and provide authentication against Active Directory for an existing user? Maybe with AspNetWindowsTokenProvider (WindowsTokenRoleProvider?) - how does that work?

Help me please, I'm really confused! Tnx!

    Tuesday, February 16, 2010 2:27 PM