GetUserName() in extension dll
Hi Kevin,
GetUserName returns the name associated with the thread that calls the
function. If there is an impersonation token on the thread, then you'll get
the name of the impersonated user. If there is no impersonation happening,
then you'll get the name associated with what the process is running as.
IIS will impersonate the authenticated user just before calling into
HttpExtensionProc or a completion that you specified with
HSE_REQ_IO_COMPLETION. So, in this case, you'll get the authenticated user.
If your ISAPI has done something to get rid of the token, say called
RevertToSelf, then you'll get the name associated with whatever process is
hosting your ISAPI.
Also, if you create any new threads from your ISAPI - even while
impersonating the authenticated user - those threads will not automatically
impersonate. So, if you call GetUserName from one of those threads, you'll
get the hosting process again.
Finally, if you are calling GetUserName from inside a COM component hosted
by your ISAPI, there are many possible results, based on the threading model
of the component and how you CoInitialized. It is deterministic, but if you
are interested in following up on it, it's a very COM-centric topic.
Basically in any case where COM is documented to use a proxy interface, the
component will run as the process user. In any case where COM uses a direct
interface, the impersonation token from the calling thread will continue to
apply.
My advice is to play with it. Calling GetUserName from different points in
an ISAPI extension and logging the result or dumping it to debug output is
an excellent introductory lesson into how authentication works in an ISAPI.
I hope that this helps,
-Wade A. Hilmo,
-Microsoft
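
The experiment suggested above, as an added example (not code from the original post): an ISAPI extension that logs the account name and whether the thread carries an impersonation token at entry, after RevertToSelf, and on a new thread before and after it is handed the request's token. The names format_identity, LogIdentity and Worker are made up here; the DLL is assumed to also export GetExtensionVersion and to list its exports in a .def file.

```c
#include <stdio.h>
#include <string.h>
/* One log line per observation point (portable helper). */
int format_identity(char *out, size_t n, const char *where,
                    const char *user, int has_thread_token)
{
    return snprintf(out, n, "[%s] user=%s source=%s", where, user,
                    has_thread_token ? "thread token" : "process token");
}
#ifdef _WIN32  /* Win32/ISAPI part; link with advapi32.lib */
#include <windows.h>
#include <httpext.h>

static void LogIdentity(const char *where)
{
    char user[257] = "?", line[400];              /* 257 = UNLEN + 1 */
    DWORD cch = sizeof(user);
    HANDLE tok = NULL;
    /* Succeeds only when this thread carries an impersonation token. */
    BOOL has = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &tok);
    if (has) CloseHandle(tok);
    GetUserNameA(user, &cch);
    format_identity(line, sizeof(line), where, user, has);
    OutputDebugStringA(line);
}

static DWORD WINAPI Worker(LPVOID arg)
{
    LogIdentity("new thread, no token");          /* hosting process account */
    if (SetThreadToken(NULL, (HANDLE)arg)) {      /* impersonate explicitly */
        LogIdentity("new thread, after SetThreadToken");
        RevertToSelf();
    }
    return 0;
}

DWORD WINAPI HttpExtensionProc(EXTENSION_CONTROL_BLOCK *ecb)
{
    HANDLE tok = NULL, th;
    LogIdentity("HttpExtensionProc entry");       /* authenticated user */
    if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_IMPERSONATE, TRUE, &tok)) {
        RevertToSelf();
        LogIdentity("after RevertToSelf");        /* hosting process account */
        SetThreadToken(NULL, tok);                /* put the caller's token back */
        th = CreateThread(NULL, 0, Worker, tok, 0, NULL);
        if (th) { WaitForSingleObject(th, INFINITE); CloseHandle(th); }
        CloseHandle(tok);
    }
    return HSE_STATUS_SUCCESS;
}
#endif
```

The lines go to the debugger output stream via OutputDebugString, so a debug-output viewer attached to the hosting process shows them per request.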