RE: IIS coding question


From: Eric Chamberlain, CISSP (eric_at_uclink.berkeley.edu)
Date: Thu Aug 28 2003 - 11:43:43 PDT


I've done some more research. It looks like it is possible to come up
with an ISAPI filter for IIS 6.0 that would use AWS for authentication and
then generate a Windows token for the user. Then IIS can handle the
authentication instead of each individual application. IIS 6.0 can
actually get Kerberos tickets for the user, without ever receiving the
user's password. My problem now is that I have never done any ISAPI
programming and need to find someone that could code the filter.

In any case, I think someone needs to come up with a module soon, since
IIS 6.0 can natively act as a Kerberos proxy and bypass AWS.

--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu
> -----Original Message-----
> From: rmeans_at_law.berkeley.edu [mailto:rmeans_at_law.berkeley.edu]
> Sent: Thursday, August 28, 2003 10:36 AM
> To: eric_at_uclink.berkeley.edu
> Cc: Mike Friedman; micronet-list_at_uclink.berkeley.edu
> Subject: Re: [Micronet] IIS coding question
>
>
> I've also written an Apache module in mod_perl that authenticates the
> user with AWS and then authorizes them with AD groups. It's working
> quite well for us, except for those users that aren't in our OU yet
> (and others that never will be). I'm coming up with an alternate
> authentication method (AD binds, I'm thinking) for those folks. I'm sure
> that IIS can be set up in a similar way.
>
> Ryan
>
> Mike Friedman wrote:
>
> > On Tue Aug 26 17:27:44 2003, Eric Chamberlain, CISSP said:
> >
> >
> >>I have a website.
> >>
> >>What I want:
> >>Users connecting from a CalNetAD member machine can use Integrated
> >>Authentication and would not get prompted for a username and password.
> >>Users connecting from machines not in the domain, would get prompted to
> >>enter their CalNetID and Passphrase, via Basic Authentication, so I need
> >>SSL.
> >
> >
> > Eric,
> >
> > It sounds like you're talking about receiving (non-domain) users'
> > CalNet passphrases in your own web server (you mention Basic
> > Authentication), which runs counter to the CalNet model.  The main
> > reason for having a central AWS is so that users send their
> > passphrases only there and not to individual application servers.
> > Even if you use SSL to protect the passphrase in transmission, anyone
> > who gains access to your server could potentially capture the
> > passphrases, which is a risk to other applications as well.
> >
> >
> >>Has anyone come up with a module for IIS to use AWS for
> >>authentication, instead of using Basic or Integrated Authentication?
> >>I'm looking for something that would generate a Windows credential
> >>token.
> >
> >
> > I understand that Ray Davis of ETS has an Apache plugin that may be
> > based on a similar concept.  It allows the web server itself to use
> > the AWS and then maintain authentication state without the application
> > having to do this.  (This is based on my meager understanding of the
> > thing, only knowing about it by hearsay).  Clearly, you'd need
> > something different for IIS, but maybe this can be adapted (in
> > particular, to generate a Windows credential token).
> >
> > Mike
> >
> >
> > ------------------------------------------------------------------------
> > Mike Friedman                             System and Network Security
> > mikef_at_ack.Berkeley.EDU                    2484 Shattuck Avenue
> > 1-510-642-1410                            University of California at Berkeley
> > http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu
> > ------------------------------------------------------------------------
> >
> >
> > ------------------------------------------------------------------------
> > The following was automatically added to this message by the list server:
> >
> > For information about Micronet, including subscribing to
> > or unsubscribing from its mailing list and finding out
> > about upcoming meetings, please visit the Micronet Web site:
> > <http://micronet.berkeley.edu/>.
>
> --
> Ryan L. Means
> Chief Technical Officer
> School of Law (Boalt Hall)
> University of California, Berkeley
>

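The step Eric describes above (obtain a Windows token for a user whose password the server never sees, then let IIS or the application authorize against AD groups as Ryan's mod_perl module does) is Kerberos S4U2Self, the "protocol transition" feature of Windows Server 2003. The following is an added illustration and not code from this thread, from CalNet, or from IIS; it is written in C# because the `WindowsIdentity(string)` constructor is the thin wrapper over the same `LsaLogonUser` / `KERB_S4U_LOGON` call an ISAPI filter would make in C++. The domain, user and group names are hypothetical, and the AWS step itself is assumed to have already happened (the filter would map the AWS-authenticated CalNet ID to the AD UPN passed in here).

```csharp
// Added example for this thread (not code from Eric, Ryan, Mike, CalNet or IIS).
// Targets .NET Framework on Windows Server 2003 or later, joined to the domain.
// Once a user has been authenticated out of band (here: by AWS), mint a Windows
// token for that user via Kerberos S4U2Self without ever holding their password,
// then authorize against AD groups. Domain, user and group names are hypothetical.
using System;
using System.Security.Principal;

public static class S4UTokenExample
{
    // Ask the KDC for a service ticket to ourselves on the user's behalf and turn
    // it into a logon token. No password is involved. The token is only
    // Identification level unless this process holds SeTcbPrivilege (e.g. runs as
    // LocalSystem) or its account is trusted for delegation with "any
    // authentication protocol"; Identification is enough for access checks.
    public static WindowsIdentity TokenForUpn(string upn)
    {
        return new WindowsIdentity(upn);
    }

    // Group-based authorization against the minted token. The KDC expands nested
    // AD group membership into the ticket, so indirect membership is covered too.
    public static bool IsInGroup(WindowsIdentity identity, string domainGroup)
    {
        return new WindowsPrincipal(identity).IsInRole(domainGroup);
    }

    // True when impersonating this token would let the process open resources
    // (files, back-end connections) as the user rather than only check access.
    public static bool CanImpersonate(WindowsIdentity identity)
    {
        TokenImpersonationLevel level = identity.ImpersonationLevel;
        return level == TokenImpersonationLevel.Impersonation
            || level == TokenImpersonationLevel.Delegation;
    }

    public static void Main(string[] args)
    {
        // In the real filter this would be the AWS-authenticated CalNet ID mapped
        // to the user's AD UPN. Hypothetical value for illustration.
        string upn = args.Length > 0 ? args[0] : "jdoe@calnetad.berkeley.edu";

        WindowsIdentity user = TokenForUpn(upn);
        Console.WriteLine("Token for {0}: auth type {1}, level {2}",
            user.Name, user.AuthenticationType, user.ImpersonationLevel);

        // Hypothetical group; DOMAIN\group form, or pass the group SID instead.
        bool allowed = IsInGroup(user, @"CALNETAD\Boalt-Staff");
        Console.WriteLine("Member of CALNETAD\\Boalt-Staff: {0}", allowed);

        if (!CanImpersonate(user))
        {
            // Identification-level token: fine for the check above, not for
            // acting as the user. Run as LocalSystem or grant TCB to upgrade it.
            Console.WriteLine("Identification-level token; impersonation not available.");
            return;
        }

        // Everything inside runs as the user. Access to other hosts as the user
        // additionally requires constrained delegation (S4U2Proxy) to be configured.
        using (WindowsImpersonationContext ctx = user.Impersonate())
        {
            Console.WriteLine("Now running as {0}", WindowsIdentity.GetCurrent().Name);
        }
    }
}
```

Two practical caveats: the call succeeds for any domain account, so the filter must only ever reach `TokenForUpn` after the AWS result has been verified, since a forged or unchecked identifier would yield a valid token for an arbitrary user; and the Identification-versus-Impersonation distinction is what decides whether the application can open resources as the user or only ask "would this user be allowed". On .NET Core, `Impersonate()` is replaced by `WindowsIdentity.RunImpersonated`.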




This archive was generated by hypermail 2.1.5 : Thu Aug 28 2003 - 12:13:54 PDT