SetAuthenticatedUser Callback Function

The SetAuthenticatedUser callback function is used by Web filters to set an authenticated non-Windows user. This allows associating information about an authenticated user with the current request.

The SetAuthenticatedUser callback function is declared as:


BOOL WINAPI * SetAuthenticatedUser(
  __in  struct _HTTP_FILTER_CONTEXT* pfc,
  __in  LPSTR lpszUserName ,
  __in  LPSTR lpszNameSpace ,
  __in  LPSTR lpszUserGroups 



Pointer to the HTTP_FILTER_CONTEXT data structure that is associated with the current, active HTTP session. The filter context is passed in this parameter.


Pointer to a null-terminated string containing the user name.


Pointer to a null-terminated string containing the namespace of the authentication scheme for the user, as specified in IFPCAuthenticationScheme.

Note  The server variables AUTH_USER, REMOTE_USER, LOGON_USER (described in GetServerVariable) do not contain the namespace when using SetAuthenticatedUser. These variables contain only the user name. The AUTH_TYPE variable contains the name of the custom authentication scheme, which should have the same name as the namespace. The authentication scheme can also be retrieved from the Web listener. Note that there can only be one extensible authentication scheme.


Pointer to a null-terminated string containing the user groups.

Return Value

This callback function returns TRUE if the call is successful; otherwise, it returns FALSE. To obtain extended error information, call GetLastError.


The filter should check whether the authentication scheme specified in the lpszNameSpace parameter is enabled by calling GetAuthSchemeStatus, before passing a user of this authentication scheme.

Both the lpszUserName and lpszNameSpace parameters are required. If the string supplied in lpszNameSpace is longer than UNLEN characters, the function will fail. UNLEN is defined in Lmcons.h.

The lpszUserGroups parameter is optional. It enables the administrator to create a broader rule. For example, an administrator could set a rule for MyAuthScheme\MyAdministrators. Then the Web filter implementing MyAuthScheme could pass a specific user name, indicating that the user is a member of MyAdministrators, and the user will match the rule.

The string supplied in lpszUserGroups can be a comma-separated list of user groups.

Web filters call the SetAuthenticatedUser function through a pointer that is a member of the WPX_FILTER_AUTHENT_EX structure. A pointer to this structure is passed in each call to the HttpFilterProc entry-point function when the Web proxy sends an SF_NOTIFY_AUTHENTICATION notification to the Web filters that are registered to receive this notification just before Forefront TMG authenticates a client. If the fAuthIsRequired member of the WPX_FILTER_AUTHENT_EX structure is set to FALSE, the call to SetAuthenticatedUser succeeds, but the user specified is not set as an authenticated user.


Server Requires Windows Server 2008.
Version Requires Forefront Threat Management Gateway (TMG).

Declared in Wpxhttpfilt.h.


Requires W3Filter.dll.

See Also

Callback Functions

Send comments about this topic to Microsoft

Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.