Microsoft Internet Security and Acceleration Server 2000

HTTP_FILTER_AUTH_COMPLETE_INFO

This notification allows you to view or modify the method, URL, version, or headers sent by the client. It fires after the client's identity has been negotiated, so at this point the AUTH_USER server variable can be relied on to obtain the identity of the user. A function is also provided to retrieve a copy of the token that ISA will impersonate when processing the request.

If your filter should be notified of this event, it must register for the SF_NOTIFY_AUTH_COMPLETE event.

typedef struct _HTTP_FILTER_AUTH_COMPLETE_INFO
{
  // Parameter lists as declared in the IIS filter header httpfilt.h.
  BOOL (WINAPI * GetHeader)(struct _HTTP_FILTER_CONTEXT * pfc, LPSTR lpszName, LPVOID lpvBuffer, LPDWORD lpdwSize);
  BOOL (WINAPI * SetHeader)(struct _HTTP_FILTER_CONTEXT * pfc, LPSTR lpszName, LPSTR lpszValue);
  BOOL (WINAPI * AddHeader)(struct _HTTP_FILTER_CONTEXT * pfc, LPSTR lpszName, LPSTR lpszValue);
  BOOL (WINAPI * GetUserToken)(struct _HTTP_FILTER_CONTEXT * pfc, HANDLE * phToken);
  DWORD HttpStatus;
  BOOL  fResetAuth;
  DWORD dwReserved;
} HTTP_FILTER_AUTH_COMPLETE_INFO, *PHTTP_FILTER_AUTH_COMPLETE_INFO;

Members

GetHeader
Points to the GetHeader function, which retrieves the specified header value. Header names must include the trailing colon (:). The special values method, URL, and version retrieve the individual portions of the request line; these special values are case sensitive and must not include the trailing colon.
SetHeader
Points to the SetHeader function, which changes or deletes the value of a header. It cannot be used to change the special values that make up the request line.
AddHeader
Points to the AddHeader function, which adds a header to the response.
GetUserToken
Points to the GetUserToken function, which returns a handle to the token of the user for whom impersonation will be performed.
fResetAuth
If set to TRUE, the authentication process will be reset, and no impersonation will be done.
HttpStatus
Not used.
dwReserved
A DWORD reserved for later use.
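To make the GetHeader naming rules above testable offline, here is an added example that is not part of the ISA SDK: a constructed test double that implements the contract (trailing colon and case-insensitive match for headers; case-sensitive special values with no colon, written in lowercase as in the IIS httpfilt.h declaration), plus a filter-side helper that rebuilds the request line through it. The MockRequest, MockHeader, mock_get_header and request_line names are all assumptions of this example.

```c
/* Constructed offline model of the GetHeader contract described above (not the
   ISA/IIS implementation): header names carry a trailing ':' and match
   case-insensitively; "method", "url", "version" are case-sensitive, no colon. */
#include <string.h>
#include <strings.h>

typedef struct { const char *name; const char *value; } MockHeader;
typedef struct {
    const char *method, *url, *version;
    const MockHeader *headers;
    size_t nheaders;
} MockRequest;
/* Same shape as the GetHeader callback: returns 1 and copies the value into buf;
   returns 0 if the name is unknown or buf is too small (*size then receives the
   length required, including the NUL). */
int mock_get_header(const MockRequest *req, const char *name, char *buf, size_t *size)
{
    const char *value = NULL;
    size_t n = strlen(name), need;
    if (strcmp(name, "method") == 0)       value = req->method;
    else if (strcmp(name, "url") == 0)     value = req->url;
    else if (strcmp(name, "version") == 0) value = req->version;
    else if (n > 1 && name[n - 1] == ':') {  /* ordinary header: colon required */
        for (size_t i = 0; i < req->nheaders; i++)
            if (strcasecmp(req->headers[i].name, name) == 0) { value = req->headers[i].value; break; }
    }
    if (value == NULL) return 0;
    need = strlen(value) + 1;
    if (buf == NULL || *size < need) { *size = need; return 0; }
    memcpy(buf, value, need);
    *size = need; return 1;
}

/* Filter-side helper: rebuilds "METHOD url version" through the callback, as a
   filter logging the request line at SF_NOTIFY_AUTH_COMPLETE would.
   Returns the length written, or 0 if any part could not be retrieved. */
size_t request_line(const MockRequest *req, char *out, size_t outsize)
{
    static const char *parts[] = { "method", "url", "version" };
    size_t used = 0;
    for (int i = 0; i < 3; i++) {
        char tmp[256]; size_t sz = sizeof tmp;
        if (!mock_get_header(req, parts[i], tmp, &sz)) return 0;
        if (used + sz + 1 > outsize) return 0;   /* space + part + NUL must fit */
        if (i) out[used++] = ' ';
        memcpy(out + used, tmp, sz - 1); used += sz - 1;
    }
    out[used] = '\0'; return used;
}
```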

Remarks

The SF_NOTIFY_AUTH_COMPLETE notification should be handled before you use Basic authentication, as in the case where you want to map a user to a Windows 2000 user.

Other authentication schemes, such as NTLM, Kerberos, Integrated, and Negotiate, do not lead to a SF_NOTIFY_AUTH_COMPLETE notification.

Processing under any authentication scheme should result either in SF_NOTIFY_AUTH_COMPLETE (the user is authenticated, and the filter is given a handle to the token of the user to be impersonated) or in ACCESS_DENIED (the user is not recognized by the system).

SF_NOTIFY_AUTH_COMPLETE notification may be used for:

Here is an example of how to use the GetUserToken function to get the impersonated user name and domain.

#include <windows.h>
#include <httpfilt.h>

// Size of the account-name and domain buffers (not fixed by the API; chosen here).
#define MAX_NAME 256

// SF_NOTIFY_AUTH_COMPLETE handler. pFC is the filter context passed to
// HttpFilterProc; pvNotification is the HTTP_FILTER_AUTH_COMPLETE_INFO for the request.
DWORD OnAuthComplete(PHTTP_FILTER_CONTEXT pFC, PVOID pvNotification)
{
    PHTTP_FILTER_AUTH_COMPLETE_INFO pAuthCompInfo = (PHTTP_FILTER_AUTH_COMPLETE_INFO)pvNotification;
    HANDLE TokenHandle = NULL;
    DWORD dwLen = 0;
    DWORD dwErr = ERROR_SUCCESS;
    PTOKEN_USER pTokenUser = NULL;

    // Get user token. The handle belongs to the server's request context; it is not closed here.
    if ( !pAuthCompInfo->GetUserToken(pFC, &TokenHandle) )
    {
        return SF_STATUS_REQ_NEXT_NOTIFICATION;
    }

    // Get token information size: the call fails with ERROR_INSUFFICIENT_BUFFER and sets dwLen.
    if ( !GetTokenInformation(TokenHandle, TokenUser, NULL, 0, &dwLen) )
    {
        dwErr = GetLastError();
        if ( ERROR_INSUFFICIENT_BUFFER == dwErr )
        {
            // Allocate buffer for token information.
            pTokenUser = (PTOKEN_USER)GlobalAlloc(GPTR, dwLen);
            dwErr = (pTokenUser != NULL) ? ERROR_SUCCESS : ERROR_NOT_ENOUGH_MEMORY;
        }
    }

    // Now get the actual token information.
    if ( dwErr != ERROR_SUCCESS ||
         !GetTokenInformation(TokenHandle, TokenUser, pTokenUser, dwLen, &dwLen) )
    {
        // Error ...
    }
    else // We have the token information in hand.
    {
        // Extract the SID from the token information.
        PSID pSid = pTokenUser->User.Sid;
        char name[MAX_NAME], domain[MAX_NAME];
        DWORD dwNLen = MAX_NAME, dwDLen = MAX_NAME;
        SID_NAME_USE eUse;

        // Get the user name and the domain from the SID.
        if ( !LookupAccountSidA(NULL, pSid, name, &dwNLen, domain, &dwDLen, &eUse) )
        {
            // Error ...
        }
        else
        {
            // name buffer contains the user name.
            // domain buffer contains the user domain.
        }
    }

    // Release the token information buffer allocated above.
    if ( pTokenUser != NULL )
    {
        GlobalFree(pTokenUser);
    }
    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}