HOWTO: Single SignOn (SSO) considerations for ISAPI

A few days ago, I got the following question about single sign on using ISAPI.

Question:

Hi David,

I read some of what you wrote about ISAPI in https://groups.google.com

I have different servers with different sites. Most of them are ASP sites and some are ASP.NET and HTML (each server has some sites). One of those sites will be the authentication site. If this is a valid user (user name/password or dialing using our phone number) then she/he can view the other sites. How can I handle this problem? How can I share data between those sites? (Like session and cookies within one site)

I thought ISAPI can handle this; am I right?

So this is my first ISAPI (an ISAPI for authenticating the user to view a site) and I have some problems with it :(

1. I overrode the function OnAuthentication to do the following:

check the username and password from the database (SQL Server 2000); if valid, return SF_STATUS_REQ_HANDLED_NOTIFICATION, else SF_STATUS_REQ_ERROR

2. I made a new site in IIS, added the filter to it, and set the authentication to Basic (I guess this is where OnAuthentication takes the username and password from). Am I right?

3. I ran REGEDT32.EXE and modified the server's registry as follows: select the Filter DLLs key in HKEY_LOCAL_MACHINE\CurrentControlSet\Services\W3SVC\Parameters and add my DLL.

Is there something missing in those steps in order to make the ISAPI work?

Thanks for any help you can offer

Regards,

Answer:

First, you must realize that this is a really loaded question that people usually get paid consulting to handle. Since you are implementing it, I am not going to give any details but instead just point out the general issues that you must handle. You must have a good idea of HTTP (read RFC2616) and the general design of your custom authentication protocol before you think about the technologies necessary to build it. Of course, ISAPI can handle this task, but until you have a good handle on what the tasks are, ISAPI will not be useful.

  1. OnAuthenticate() is only fired when the user attempts Anonymous or Basic authentication, and it allows you to change the username/password that IIS will use to call LogonUser and obtain an NT user token.
  2. If you want IIS to handle the authentication tasks, then you configure IIS to handle non-anonymous authentication. If you want to implement a custom authentication scheme and do NOT want IIS involved in the protocol handshake (it is custom, after all, and IIS does not know anything about it), then make sure to only configure anonymous authentication in IIS.
  3. It is incorrect to edit the registry to add ISAPI Filters. It has been deprecated since IIS5, and IIS6 does not even read that registry location. Use the IIS Manager UI to configure the metabase to add the ISAPI Filter, or use a tool like %SYSTEMROOT%\Inetpub\AdminScripts\ADSUTIL.VBS or a custom script if you know what you are doing.

Based on your description, I am certain your filter is not even close to working as you want. You have not solved the following problems:

  1. How does the authentication "state" from one website get transferred to the other websites? HTTP is stateless, so there is no way that logging onto one server automagically allows you to log onto another server. Cookies are also bound per-website, so you cannot get browsers to send one site's cookies to another site. So, how do sites make Passport work? Once you figure out this solution, ISAPI can help you implement it (early versions of Passport were an ISAPI Filter).
  2. Session is just another form of "state" that needs to be transferred, so it is solved analogously to #1. I recommend that you use a shared session server between all the web servers such that users can move between sites without losing session. Once again, realize that ASP has no such notion of a shared session, and ASP.Net has its own implementation of a shared session server, so if you cannot figure out how to make them work for your needs, you may have to build your own (or reformulate your problem to be able to use pre-built ones).
  3. How does your ISAPI Filter determine the scope of URLs to protect as well as the means of "authorization"?
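To make problem #1 concrete, here is an added example (not code from the original post, and not how Passport itself worked) of one common way to carry authentication state across sites that cannot share cookies: the authentication site mints a short-lived ticket bound to the target site and signed with a secret shared among all the servers, hands it to the browser via a redirect, and each member site validates the ticket and then issues its own per-site cookie. The hostnames, the shared secret and the 300-second lifetime are assumptions chosen for the demo; an ISAPI Filter or an ASP.Net HttpModule would implement the `handle_member_request` logic per request.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed demo values. In a real deployment the secret is provisioned out of
# band to the authentication site and every member site; never ship it in a page.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
TICKET_LIFETIME_SECONDS = 300
AUTH_SITE = "https://auth.example.test/login"  # assumed authentication site URL


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, audience: str, now: Optional[int] = None,
                 secret: bytes = SHARED_SECRET) -> str:
    """Mint a ticket stating that `user` authenticated, valid only at `audience`."""
    if "|" in user or "|" in audience:
        raise ValueError("field separator not allowed in user or audience")
    issued = int(time.time()) if now is None else int(now)
    payload = f"{user}|{audience}|{issued + TICKET_LIFETIME_SECONDS}".encode("utf-8")
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_ticket(ticket: str, audience: str, now: Optional[int] = None,
                  secret: bytes = SHARED_SECRET) -> Optional[str]:
    """Return the user name if the ticket is genuine, unexpired and meant for `audience`."""
    try:
        payload_b64, mac_b64 = ticket.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare, checked first
        return None
    try:
        user, ticket_audience, expires_text = payload.decode("utf-8").split("|")
        expires = int(expires_text)
    except ValueError:
        return None
    current = int(time.time()) if now is None else int(now)
    # Audience binding stops a ticket for site A being replayed at site B.
    if ticket_audience != audience or current >= expires:
        return None
    return user


def handle_member_request(site: str, cookies: Dict[str, str],
                          query: Dict[str, str], now: int) -> Tuple[str, Optional[str]]:
    """Front door of a member site: the per-request decision a filter would make."""
    # 1. Already signed in here: our own cookie holds a ticket we minted for ourselves.
    user = verify_ticket(cookies.get("sso", ""), site, now)
    if user:
        return ("allow", user)
    # 2. Coming back from the auth site with a handoff ticket in the query string:
    #    validate it and convert it into this site's own cookie, because the auth
    #    site's cookie will never be sent to us. A production design would also
    #    record used handoff tickets so each one can be redeemed only once.
    handoff = query.get("ticket")
    if handoff:
        user = verify_ticket(handoff, site, now)
        if user:
            return ("set-cookie", issue_ticket(user, site, now))
        return ("deny", None)
    # 3. No state at all: bounce to the authentication site, naming ourselves
    #    so the ticket it mints is bound to this site.
    return ("redirect", f"{AUTH_SITE}?audience={site}")
```

The filter's "scope of URLs to protect" (problem #3) is the list of paths for which `handle_member_request` runs at all; everything else passes through untouched. Tampering with either half of the ticket, presenting it at a different site, or presenting it after expiry all yield a redirect or a deny rather than access.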

If this looks daunting, you may want to consider using ASP.Net 2.0 on IIS6 and wildcard scriptmap ASP.Net ISAPI to allow you to write HttpHandlers and HttpModules to do what you want. It will still protect ASP content, and you get to re-leverage a lot of the capabilities in ASP.Net that you have not written yourself. And yes, it is still an ISAPI (the ASP.Net ISAPI) that is doing the real work. It is just a different extensibility interface.

//David