Authentication with IIS --> Zope through REMOTE_USER: at last!
[my English is broken, but you may read the entire message anyway. it is very interesting]

Hello,

I asked some days ago how to make IIS handle authentication and pass the information back to Zope through REMOTE_USER. Rob Page said that if IIS doesn't pass REMOTE_USER, I could write an ISAPI filter to stuff the value in the request. He's right: it is easy to do (I wrote the filter in 10 min!) *but* I then realized that IIS in fact passes REMOTE_USER.... *after* the authentication process. Here is how it works in challenge/response authentication mode:

- if the cgi program (for instance, Zope through pcgi-wrapper) says 401 Unauthorized *OR* the NT user (including the anonymous user set in IIS) does not have the read/execute permission on the resource, nor does the current user (identified with the challenge/response protocol) have the proper rights, the browser triggers the 'identify yourself sucker' dialog box.
- the chat is between the browser and IIS for the moment, and the browser keeps asking for a username and a password until IIS realizes that the user identified by the browser has the read/execute permission on the resource.
- *then* it calls the cgi program with either the AUTH_USER or the LOGON_USER environment variable set (it is still unclear which variable is set and when. I have to test for both for the authentication process to work)
- if the cgi program is happy with AUTH_USER/LOGON_USER, IIS calls it with the REMOTE_USER variable set.

It sounds very odd, because the cgi seems to be called only once, but it works that way: I patched lib/python/AccessControl/User.py to test for AUTH_USER and LOGON_USER in remote user mode, and it works now in remote user mode:

------------------------------8<------------------------------
--- User.py.orig Wed Nov 03 05:33:10 1999
+++ User.py Tue Dec 28 07:03:26 1999
@@ -432,6 +432,10 @@ e=request.environ if e.has_key('REMOTE_USER'): name=e['REMOTE_USER'] + elif e.has_key('AUTH_USER'): + name=e['AUTH_USER'] + elif e.has_key('LOGON_USER'): + name=e['LOGON_USER'] else: for ob in self.getUsers(): domains=ob.getDomains()
------------------------------8<------------------------------

Once this patch has been applied, there's another trick to do: NT users are written this way: ServerComputerName\UserName, *so* your access file must be something like:

NTServer\superuser:

where superuser is a user created on NTServer (a PDC or a standalone server), and the user you create in the user folder *must* be in the Server\UserName format.

And voila! IIS handles authentication and passes it back to Zope. Your favorite user folder must support remote user mode though. I plan to review NTUserFolder and if it doesn't support remote user mode, I want to integrate the feature in it. That way, I don't even need to manually add users to any user folder!

Please send any comment to minf7@educ.univ-reunion.fr

This document may turn into a howto, once I get sufficient time.

Regards,
Jephte CLAIN
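Review bot: the new `elif` fallbacks to AUTH_USER and LOGON_USER widen what this code accepts as the authenticated identity, yet the hunk does not record which IIS mode sets which variable, and the message itself says that is still unclear. Suggest a comment above the chain naming the IIS authentication mode each variable was observed in, so a later reader knows all three environment variables are server-set trust inputs that this code relies on, and consider collapsing the three `has_key` branches into a loop over `('REMOTE_USER', 'AUTH_USER', 'LOGON_USER')` so the precedence order is stated once. The value taken is used as-is, with no normalisation of the `Server\UserName` prefix, so user folder entries must match that form exactly, as the rest of the message describes.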
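As an added example (not code from the original post or from Zope), here is a stand-alone model of the remote-user lookup the patch performs, with the checks a deployment behind IIS wants on top: the three variables are consulted in the patch's order, the Server\UserName form the post describes is parsed, and only names from a configured trusted server are matched against the user folder. The environ dicts, the trusted server name and the user table are constructed for the example.

```python
# Added example, not from the original post or from Zope itself: a small model
# of "remote user mode" behind IIS, plus the trust checks a deployment should
# add. The environ dicts, TRUSTED_SERVER and the user table are constructed.

# Variables IIS may set once challenge/response authentication succeeds, in the
# order the User.py patch consults them.
IIS_USER_VARS = ("REMOTE_USER", "AUTH_USER", "LOGON_USER")


def remote_user_name(environ):
    """Return the first IIS-supplied user name found in the CGI environment,
    or None when IIS set none of the variables (request not authenticated)."""
    for var in IIS_USER_VARS:
        value = environ.get(var)
        if value:
            return value
    return None


def split_nt_name(name):
    """Split 'ServerComputerName\\UserName' into (server, user).
    Raises ValueError for names without exactly one non-empty server and user
    part, since IIS always supplies the server prefix in this mode."""
    parts = name.split("\\")
    if len(parts) != 2 or not all(parts):
        raise ValueError("expected SERVER\\user, got %r" % name)
    return parts[0], parts[1]


def lookup_user(environ, users, trusted_server):
    """Map the IIS-authenticated name to an entry of `users`, a dict keyed by
    'Server\\UserName' (the format the post says the user folder needs).
    Only names issued by `trusted_server` are accepted; NT names are
    case-insensitive, so comparison is done on upper-cased forms."""
    name = remote_user_name(environ)
    if name is None:
        return None
    server, user = split_nt_name(name)
    if server.upper() != trusted_server.upper():
        return None  # authenticated, but by a server this folder does not trust
    wanted = "%s\\%s" % (server.upper(), user.upper())
    for key, record in users.items():
        if key.upper() == wanted:
            return record
    return None  # authenticated by IIS but not listed in the user folder
```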