Getting SPNEGO HTTP headers to a CGI?

Getting SPNEGO HTTP headers to a CGI?

am 23.04.2008 15:25:08 von Michael Schlenker

Hi all,

trying to get the following setup to work:

IE <---------------------> IIS <---> CGI
<--------------------------------> AppServer

So basically using IIS as a primitve frontend for an AppServer that
can do Kerberos Auth itself (via SSPI or GSSAPI). The AppServer may be
on Windows but it may be on some Unix host, shouldn't matter.

Basically i would need to put the HTTP auth headers into the CGI
environment somehow but didn't find any IIS docs about it.

Not sure if this would work:

register an SPN HTTP/ and let
the AppServer use that SPN with its call to SSPI AcquireCredentials()/
InitializeSecurityContext(). Now configure IIS somehow to pass all
Auth headers for* to my CGI that
simply forwards stuff to the AppServer.

I know that its in principle unsafe to pass such info through CGI
environment vars, but for SPNEGO based Kerberos tokens it shouldn't
matter, those are designed for unsafe networks.

So is there a simple way to do this with IIS (handle auth stuff on the
CGI level)?