Sharing Basic Authentication between Virtual Directories
on 18.06.2007 13:42:00 by KenHughes
As I understand it Forms Based Authentication is simply layered on top of
Basic Authentication.
I have a server with Outlook Web Access (https and using FBA) on the
/exchange virtual directory and another virtual directory that uses normal
Basic Authentication.
If I log into OWA (FBA) and then try to access the other virtual directory I
have to reauthenticate - I thought that the auth was for the 'site' not a
virtual dir, and it should be carried across ??
Is my understanding / expectation wrong ?
Do I have to configure something special ?
Any hints or tips much appreciated...
Thanks .. Ken
--
Ken Hughes
Re: Sharing Basic Authentication between Virtual Directories
on 19.06.2007 05:41:21 by Ken Schaefer
Forms Auth per se is not layered on top of Basic.
Basic Authentication is when the browser sends certain Authorization HTTP
headers to the server, and the server uses those to log on the user. That is
what is happening for your second virtual directory.
Your OWA forms based authentication is essentially anonymous authentication
from the browser to the server (i.e. no Authorization HTTP header is sent).
Instead, the user's credentials are POSTed as part of a form (i.e. in the
HTTP body). Exchange then has some components installed on IIS that do some
"magic" to turn that data into a Windows logon behind the scenes. But
between the browser and server, there is no Basic Auth happening.
If you disable Forms Based Auth on your Exchange frontend (and go back to
HTTP based auth), then you can configure Basic as your HTTP auth mechanism,
and what you want will happen (browser will send Basic credentials to both
virtual directories). BUT you lose the benefits of OWA FBA - e.g. ability to
timeout an end user.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
Re: Sharing Basic Authentication between Virtual Directories
on 19.06.2007 13:27:00 by KenHughes
Thanks Ken,
I always thought the credentials were POSTed by the form and the OWA's magic
was in turning that into Basic Auth...
I guess not. Your explanation makes sense as to why I am seeing the
behaviour I am.
So.. Is there any way to 'hook' in to OWA authentication mechanism, so that
I can use it for my other virtual directory ???
If I added my other virtual directory UNDER the OWA one (/exchange), I guess
that might work ??
... Ken
--
Ken Hughes
Re: Sharing Basic Authentication between Virtual Directories
on 20.06.2007 01:01:29 by David Wang
You are both correct.
OWA comes with an ISAPI Filter which translates the Anonymous request
+ special FORM authentication into a Pseudo-Basic authentication on
the server. Over the wire, the request looks like Anonymous. Once
modified by the Filter, the request is treated like Anonymous by IIS,
but the internal logon is like Basic. It's a really dirty chimera of a
hack... which had strange interactions with HSE_REQ_EXEC_URL in IIS6
until we fixed it, and it requires AnonymousAuth, BasicAuth, and ISAPI
Filter modules on IIS7 for the same functionality.
I don't know of any documentation on how to hook into OWA's
authentication mechanism. However, I am not inclined to reverse
engineer the behavior because it would be unspecified and possibly
unsupported, which is simply not the right footing to begin any
security protocol.
I would rather program/use an ISAPI Designed to do this -- such as the
CustomAuth sample from IIS6 SDK, part of the Windows Platform SDK. It
allows you to securely use an HTML FORM to login a Windows user
account.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
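The behaviour discussed in this thread, as an added example that is not part of any post and is not OWA or IIS code: a toy request handler in which `/exchange` accepts a form POST and issues a cookie, while every other directory accepts only an `Authorization: Basic` header. The account, host name, paths below `/exchange`, cookie name and realm are constructed for illustration, and form values are not URL-decoded.

```python
import base64, hmac, secrets

USERS = {"ken": "s3cret"}   # constructed account
SESSIONS = set()            # session ids issued by the forms login

def check(user, pw):
    return user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode())

def parse(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *rest = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in rest)}
    return method, path, headers, body

def basic_ok(headers):
    """True only if the request carries a valid Authorization: Basic header."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    return check(user, pw)

def handle(raw):
    """Return (status, response_headers) for one request."""
    method, path, headers, body = parse(raw)
    if path.startswith("/exchange"):      # forms-protected directory
        if method == "POST":              # credentials travel in the body
            form = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
            if not check(form.get("username", ""), form.get("password", "")):
                return 403, {}
            sid = secrets.token_hex(16)
            SESSIONS.add(sid)
            return 302, {"Set-Cookie": f"sessionid={sid}; Path=/exchange; Secure; HttpOnly"}
        sid = headers.get("cookie", "").partition("sessionid=")[2].split(";")[0]
        return (200, {}) if sid in SESSIONS else (302, {"Location": "/exchange/login-form"})
    # Any other directory accepts Basic only; a forms cookie is not a credential here.
    if basic_ok(headers):
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="other"'}

def get(path, extra=""):  # build a constructed GET request
    return f"GET {path} HTTP/1.1\r\nHost: mail.example\r\n{extra}\r\n\r\n"
```

After a successful form login, `handle(get("/other/", "Cookie: sessionid=..."))` still returns 401 with a `WWW-Authenticate: Basic` challenge, which is the re-prompt described in the first post: no request so far has carried an `Authorization` header, so the browser has no Basic credentials to replay.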