JOSSO

ISAPI agent REMOTE_USER variable

Details

  • Type: Improvement
  • Status: Closed
  • Priority: Minor
  • Resolution: Won't Fix
  • Affects Version/s: JOSSO 1.8.1
  • Fix Version/s: JOSSO 1.8.4
  • Component/s: ISAPI Agent
  • Description:
    Secondly, the agent doesn't set the "REMOTE_USER" environment variable.
    We have thousands of lines of code that already check the REMOTE_USER variable to find the username of the person authenticated. It would be nice if the agent/filter could set this properly.
  • Environment:
    agent running on Windows 2003 Server w/ IIS v6

Activity

Dusan Fisic added a comment - 12/Jan/11 4:05 PM
Currently, the JOSSO ISAPI filter is relying on IIS anonymous authentication, in such a way that the client is accessing the protected resource
as anonymous (looking from the IIS perspective). The official documentation points out that, in order to set this variable, Basic authentication
should be used for the protected resource.

Solutions mentioned at http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2003-07/1173.html don't work
because once you set a username or password, anonymous access is omitted and Windows (Basic) authentication is used (a window pops up).
So this approach requires the existence of the same accounts on the local Windows installation (Windows is trying to impersonate the user).

REMOTE_USER is set only if Basic authentication is used.
Bobby Lawrence added a comment - 12/Jan/11 5:36 PM
Why is this not being addressed?
After reading the information at the supplied link, it seems like all that is required is a bit of modification to the ISAPI extension code of the agent... perhaps I'm missing something?
The author of the article you pasted in your comment stated a key point that "HSE_REQ_EXEC_URL (ISAPI Extension functionality) is able to change the server variables...HSE_REQ_EXEC_URL on IIS6 makes this entire process trivially easy as it can directly modify impersonation token (REMOTE_USER, and all *_USER variables)...it's possible with one function call to just change REMOTE_USER server variable of a request".
The author also goes on to describe the issues faced when trying to set the REMOTE_USER variable from within an ISAPI filter. It seems that these issues were the reasoning for closing this request and not wanting to provide a fix. However, from what I can tell, the JOSSO agent is both an ISAPI filter AND an ISAPI extension so providing this functionality should be "trivially easy" as David Wang at Microsoft states...

Dates

  • Created: 21/Dec/09 9:04 AM
  • Updated: 12/Aug/11 7:34 AM
  • Resolved: 12/Jan/11 4:05 PM