[Zope-dev] Authentication with IIS --> Zope through REMOTE_USER: at last!

Ava ava@dde974.equipement.gouv.fr
Tue, 28 Dec 1999 11:39:32 +0400


[My English is broken, but you may read the entire message anyway. It is
very interesting.]

Hello,

I asked some days ago how to make IIS handle authentication and pass the
information back to Zope through REMOTE_USER.
Rob Page said that if IIS doesn't pass REMOTE_USER, I could write an ISAPI
filter to stuff the value in the request. He's right: it is easy to do (I
wrote the filter in 10 min!)

*but* I then realized that IIS in fact passes REMOTE_USER.... *after* the
authentication process. Here is how it works in challenge/response
authentication mode:

- if the CGI program (for instance, Zope through pcgi-wrapper) says 401
Unauthorized, *OR* the NT user (including the anonymous user set in IIS) does
not have the read/execute permission on the resource, nor does the current
user (identified with the challenge/response protocol) have the proper
rights, the browser triggers the 'identify yourself sucker' dialog box.

- the chat is between the browser and IIS for the moment, and the browser
keeps asking for a username and a password until IIS realizes that the user
identified by the browser has the read/execute permission on the resource.

- *then* it calls the CGI program with either the AUTH_USER or the LOGON_USER
environment variable set (it is still unclear which variable is set and when;
I have to test for both for the authentication process to work)

- if the CGI program is happy with AUTH_USER/LOGON_USER, IIS calls it with
the REMOTE_USER variable set.

It sounds very odd, because the CGI seems to be called only once, but it
works that way: I patched lib/python/AccessControl/User.py to test for
AUTH_USER and LOGON_USER in remote user mode, and it now works in remote
user mode:

------------------------------8<------------------------------
--- User.py.orig	Wed Nov 03 05:33:10 1999
+++ User.py	Tue Dec 28 07:03:26 1999
@@ -432,6 +432,10 @@
             e=request.environ
             if e.has_key('REMOTE_USER'):
                 name=e['REMOTE_USER']
+            elif e.has_key('AUTH_USER'):
+                name=e['AUTH_USER']
+            elif e.has_key('LOGON_USER'):
+                name=e['LOGON_USER']
             else:
                 for ob in self.getUsers():
                     domains=ob.getDomains()
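Review bot: the two new `elif` branches test presence with `has_key` but never check that the value is non-empty, so a server that sets AUTH_USER or LOGON_USER to an empty string for a request it did not authenticate (the mail itself says it is unclear which variable is set and when) gives `name=''` and skips the domain-matching fallback in the `else:` branch entirely. Suggest testing the value rather than the key, e.g. `elif e.get('AUTH_USER'):` and `elif e.get('LOGON_USER'):`, so an empty value falls through to `for ob in self.getUsers():` like a missing one does; a short comment saying that IIS supplies AUTH_USER/LOGON_USER before REMOTE_USER in challenge/response mode would also help the next reader understand why three variables are consulted.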
------------------------------8<------------------------------

Once this patch has been applied, there's another trick to do: NT users are
written this way: ServerComputerName\UserName

*so* your access file must be something like:

NTServer\superuser:

where superuser is a user created on NTServer (a PDC or a standalone server),
and the user you create in the user folder *must* be in the Server\UserName
format.

And voila! IIS handles authentication and passes it back to Zope. Your
favorite user folder must support remote user mode, though.

I plan to review NTUserFolder and, if it doesn't support remote user mode, I
want to integrate the feature into it. That way, I don't even need to manually
add users to any user folder!

Please send any comments to minf7@educ.univ-reunion.fr
This document may turn into a howto, once I get sufficient time.

Regards,
Jephte CLAIN
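The lookup the message describes, as an added example that is not part of the original post and not Zope's own code: the CGI environment is consulted in the same order as the patched User.py (REMOTE_USER, then AUTH_USER, then LOGON_USER), an empty value is treated as "not authenticated" so the caller can fall back to its own checks, and the resulting `Server\UserName` string is matched against a user folder keyed in exactly that format. The `RemoteUserFolder` class, the helper names, the sample environments and the case-insensitive comparison of NT names are assumptions made for this example.

```python
"""Resolve the user IIS authenticated before calling a CGI program,
and match it against a Zope-style user folder keyed by Server\\User.

Added example; not from the original post and not Zope's code.  The
variable precedence mirrors the patched User.py.  RemoteUserFolder,
the sample environments and the case folding are assumptions.
"""

# Order in which the patched User.py consults the CGI environment.
USER_VARS = ("REMOTE_USER", "AUTH_USER", "LOGON_USER")


def remote_user_name(environ):
    """Return the first non-empty server-set user variable, or None.

    Only the bare variable names are consulted.  A client-supplied HTTP
    header reaches a CGI program as HTTP_<NAME>, so a request carrying
    a "Remote-User" header only produces HTTP_REMOTE_USER, which is
    never trusted here.  An empty value (what an unauthenticated request
    can leave behind) counts as absent, so the caller can fall through
    to its own credential checking.
    """
    for var in USER_VARS:
        value = environ.get(var)
        if value:
            return value
    return None


def split_nt_name(name):
    """Split 'ServerComputerName\\UserName' into (server, user).

    A name without a backslash has no server part and is returned as
    (None, name) so the caller can decide whether to accept it.
    """
    server, sep, user = name.partition("\\")
    if not sep:
        return None, name
    return server, user


class RemoteUserFolder:
    """Minimal stand-in for a user folder in remote user mode.

    Users are keyed as the post requires, Server\\UserName.  Assumption
    beyond the post: NT account and computer names are compared
    case-insensitively, so lookups fold case on both sides.
    """

    def __init__(self, users):
        # users: {'NTServer\\superuser': ('Manager',), ...}
        self._users = {k.lower(): roles for k, roles in users.items()}

    def validate(self, environ):
        """Return (name, roles) for the user IIS authenticated, else None."""
        name = remote_user_name(environ)
        if name is None:
            return None
        server, _user = split_nt_name(name)
        if server is None:
            # Not in the Server\User form the folder expects: refuse
            # rather than guess which server vouched for the name.
            return None
        roles = self._users.get(name.lower())
        if roles is None:
            return None
        return name, roles


# Constructed sample environments, as pcgi-wrapper might hand them over.
IIS_AUTHENTICATED = {
    "REQUEST_METHOD": "GET",
    "AUTH_USER": "NTServer\\superuser",            # set after challenge/response
    "HTTP_REMOTE_USER": "NTServer\\Administrator", # client header, ignored
}
IIS_ANONYMOUS = {
    "REQUEST_METHOD": "GET",
    "AUTH_USER": "",    # empty: must not count as a login
    "LOGON_USER": "",
}
FOLDER = RemoteUserFolder({"NTServer\\superuser": ("Manager",)})

if __name__ == "__main__":
    print(FOLDER.validate(IIS_AUTHENTICATED))  # ('NTServer\\superuser', ('Manager',))
    print(FOLDER.validate(IIS_ANONYMOUS))      # None
```

The point of the `HTTP_REMOTE_USER` entry in the sample environment is the one check a practitioner should keep in mind when trusting these variables: in CGI, only the server can set `REMOTE_USER`, `AUTH_USER` or `LOGON_USER`, while anything a browser sends arrives with an `HTTP_` prefix, so the lookup must never be extended to those prefixed names.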