For an IIS web server to populate its REMOTE_USER header, Basic authentication has to be enabled for the web server. Basic authentication is set in the IIS Management Console in the Directory Security settings.
When Basic authentication is enabled and a user requests a SiteMinder-protected resource, the Web Agent attempts to set the IIS web server's HTTP_Authorization header by providing a user name but not a password. The presence of the HTTP_Authorization header means that the IIS server's Basic authentication takes precedence over any other authentication challenge. Therefore, the IIS web server thinks that the user is responding to its own challenge. Unless an ISAPI filter, such as the SiteMinder Web Agent, sets the user context of the request, the IIS web server attempts to authenticate the user name passed by the incomplete HTTP_Authorization header.
Because the Web Agent operates as an ISAPI filter, it can set the user context of the request and provide a value for the REMOTE_USER header. The Agent populates the REMOTE_USER header based on the SetRemoteUser parameter being set to Yes plus the configuration of any one or more of the following Web Agent parameters:
Be cautious when using the SetRemoteUser parameter and the UseAnonAccess parameter together.
The following table shows how these parameters work together.
| If... | Then... |
|---|---|
| SetRemoteUser=yes and UseAnonAccess=yes | The REMOTE_USER variable cannot be set because the Web Agent does not pass along a user security context. The lack of a user security context forces the IIS web server to use the credentials from the HTTP_Authorization header that the Agent modified; however, that header is incomplete because it contains only the user name. |
| SetRemoteUser=yes and UseAnonAccess=no | The Web Agent can pass along a user context of some type, depending on how other parameters are set, such as DefaultUserName, DefaultPassword, or ForceIISProxyUser. If the Web Agent does pass on a security context, the IIS web server ignores the incomplete HTTP_Authorization header in favor of the credentials provided by the Web Agent. |
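
The table above can be turned into a configuration check. The following is an added example, not code from CA or from the original page: it classifies an agent configuration by the two rows of the table. The `name="value"` file layout, the sample values, and the function names `parse` and `check_remote_user` are assumptions made for illustration.

```python
import re

# Constructed samples in a name="value" layout; the on-disk format is an assumption.
SAMPLE_CONFLICT = '''
# constructed example
SetRemoteUser="YES"
UseAnonAccess="yes"
'''
SAMPLE_OK = '''
SetRemoteUser = yes
UseAnonAccess = "NO"
DefaultUserName="svc_web"      # constructed account name
#ForceIISProxyUser="YES"       (commented out, so ignored)
'''

LINE = re.compile(r'^\s*([A-Za-z]\w*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
CONTEXT_PARAMS = ("DefaultUserName", "DefaultPassword", "ForceIISProxyUser")

def parse(text):
    """Return {lowercased name: value}; comment and blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        if m:
            params[m.group(1).lower()] = m.group(2).strip()
    return params

def is_yes(params, name):
    return params.get(name.lower(), "").lower() == "yes"

def check_remote_user(text):
    """Classify a configuration per the table: returns (status, detail)."""
    p = parse(text)
    if not is_yes(p, "SetRemoteUser"):
        return ("not-requested", "SetRemoteUser is not yes")
    if is_yes(p, "UseAnonAccess"):
        # Row 1: no user context, so IIS uses the user-name-only header.
        return ("conflict", "no user context is passed; IIS falls back to the "
                "user-name-only HTTP_Authorization header")
    # Row 2: whether a context is passed depends on these parameters.
    present = [n for n in CONTEXT_PARAMS if n.lower() in p]
    return ("context-possible", "context parameters set: " + (", ".join(present) or "none"))

if __name__ == "__main__":
    for name, cfg in (("conflict", SAMPLE_CONFLICT), ("ok", SAMPLE_OK)):
        print(name, check_remote_user(cfg))
```

A `conflict` result corresponds to the first row of the table, where REMOTE_USER cannot be set.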
Copyright © 2010 CA. All rights reserved.