We have an existing ISAPI filter that performs authentication for all pages
on our web site, including pages we are now writing for ASP.NET. The filter
is pretty basic, receiving the user name and password in clear text and
checking them against a database of users. The filter has been in use for
some time with classic ASP pages.
From classic ASP pages, the application can retrieve the login name that the
user entered from Request.ServerVariables("AUTH_USER"), which I assume
simply parses the http Authorization header. The account used by the
authentication filter for impersonation can be retreived using
Request.ServerVariables("LOGON_USER").
The problem we are running into with ASP.NET is that no matter what
authentication mode we set in the Web.Config file (Windows or None), we are
having problems accessing the login name entered by the user.
Request.ServerVariables("AUTH_USER") will always return blank, and
IIdentity.Name will either be blank or will contain the name of the
impersonation account.
We were planning on writing our own implementation of the IPrincipal and
IIdentity interfaces so that we can set the IIdentity.Name property
correctly, but I am trying to figure which authorization mode is correct and
how we should extract the login name entered by the user. I would prefer to
not parse the http headers in our code just to extract the login name, but I
can't find any other way to do it.
Any suggestions?
TIA
MJS
