Microsoft Advisory Services Engagement Scenario - Single Sign-On Solution in ISAPI API

Microsoft Knowledge Base Article

This article's contents are Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks

Article ID: 982889 - Last Review: October 5, 2011 - Revision: 5.0

Single Sign-On Solution in ISAPI API

Microsoft Professional Advisory Services is a support option that provides short-term, proactive, consultative support beyond break-fix product maintenance needs. This includes working with the same technician for assistance with issues like product migration, code review, or new program development. It is a remote, phone-based support option. This service is typically used for shorter engagements and is designed for developers and IT professionals who do not require the traditional onsite consulting or sustained account management services that are available from other Microsoft support options.

For additional information on Microsoft Advisory Services, including how to engage, refer to this Microsoft web page:

http://support.microsoft.com/gp/AdvisoryService

Microsoft Advisory Services Engagement Scenario - Single Sign-On Solution in ISAPI API

We provide the customer with a demonstration sample showing how to implement single sign-on with an ISAPI filter in an IIS Basic authentication scenario.

The Single Sign-On Solution is a cookie-based authentication solution for all cookie-enabled clients, including IE, Firefox, Opera, Safari and certain cookie-ready APIs, such as WinINet applications and System.Net.HttpWebRequest applications.

We provide the customer with a sample showing how to implement Single Sign-On (SSO) with an ISAPI filter for the Basic authentication credential scenario.

The solution includes:
  1. Client (C) - - -> IIS (ISAPI). The client sends a request to the ISAPI filter.
  2. The ISAPI filter checks for the user auth cookie. If the cookie is not found, the filter redirects the client to the authentication page/server (ASP.NET web form authentication, where the client provides basic credentials). The filter adds a cookie or a parameter to the redirect message to notify the auth server of the original URL requested by the client.
  3. On successful authentication, the auth page redirects the client back to the original URL.
  4. The authentication page sets the user's basic credential into a cookie so that the client's subsequent requests pass through the ISAPI filter. Note: the cookie can be further encoded for security consideration, but this solution does not cover the cookie encryption part.
  5. The ISAPI filter retrieves the cookie, translates it into a Basic authentication token, and sets it in the HTTP Authorization header.
  6. IIS completes Basic authentication.
  7. The solution can also be modified into an ISAPI authentication blocker to filter out/reject certain types of incoming requests, such as requests with a unique User-Agent or a unique user domain name.
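
The cookie-to-header translation in step 5, sketched in portable C as an added example; it is not the Microsoft sample and does not use the ISAPI headers. The cookie name `SSOAUTH` is hypothetical, and the example assumes the auth page stored the credential as the base64 form of `user:password`, which the page does not specify.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SSO_COOKIE "SSOAUTH"   /* hypothetical cookie name (assumption) */
#define MAX_TOKEN  512

/* Strict base64 check: CR/LF, spaces or quotes supplied by the client are
   rejected before anything is copied into the Authorization header. */
static int is_b64(const char *s, size_t n) {
    size_t i; int pad = 0;
    if (n == 0 || n > MAX_TOKEN || n % 4 != 0) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '=') { if (i + 2 < n) return 0; pad = 1; continue; }
        if (pad || !(isalnum(c) || c == '+' || c == '/')) return 0;
    }
    return 1;
}

/* Returns 1 and writes "Basic <token>" to out; returns 0 if the cookie is
   absent or malformed, in which case the filter redirects as in step 2. */
int cookie_to_basic(const char *cookie_hdr, char *out, size_t outlen) {
    size_t nlen = strlen(SSO_COOKIE);
    const char *p = cookie_hdr;
    while (p && *p) {
        const char *end;
        while (*p == ' ' || *p == ';') p++;       /* skip pair separators */
        end = strchr(p, ';');
        if (!end) end = p + strlen(p);
        /* exact name match: "XSSOAUTH=" and "SSOAUTH2=" must not match */
        if (strncmp(p, SSO_COOKIE, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = (size_t)(end - v);
            if (!is_b64(v, vlen) || vlen + 7 > outlen) return 0; /* fail closed */
            snprintf(out, outlen, "Basic %.*s", (int)vlen, v);
            return 1;
        }
        p = end;
    }
    return 0;
}

int main(void) {
    /* constructed sample: the token is base64 of "alice:s3cret" */
    const char *hdr = "lang=en; SSOAUTH=YWxpY2U6czNjcmV0; theme=dark";
    char auth[600];
    if (cookie_to_basic(hdr, auth, sizeof auth))
        printf("Authorization: %s\n", auth);
    return 0;
}
```

Because the cookie value in this design is only encoded, not encrypted, anyone who can read the cookie can recover the credential.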

Microsoft Advisory Services Engagement

Statement of Work for this Scenario:

Assumption:

The customer has to be a C/C++ developer capable of handling C/C++ coding, compiling and debugging.

Included in Scope
  • Understanding the customer's services and applications, with environment requirements
  • Demonstrate/explain the ISAPI API entry point HTTPFilterVersion function, which registers for certain IIS notification events
  • Demonstrate/explain the HttpFilterProc function for HTTP request handling
  • Send and discuss sample ISAPI code to demonstrate the ISAPI API concept and the IIS pipeline flow
  • Help the customer load the ISAPI sample DLL in a testing environment
  • Teach the customer how to use DebugView to track ISAPI code flow
  • Teach the customer how to use a supported version of Visual Studio C/C++ to step through application code
  • Best practices for ISAPI filter context handling
  • Educate the customer on how an ISAPI filter interacts with IIS
  • Discuss cookie handling with the customer: protocol RFC 2616 and RFC 2109/RFC 2965
Out of Scope
  • The sample solution will not be modified/tailored to the customer’s application environment
  • This deliverable will not include application integration with any 3rd party application or 3rd party web solution
  • This deliverable will not include any suggestion or discussion for the cookie encryption scenario
  • This deliverable will not include application integration with other Microsoft products, such as SharePoint, OWA, SQL Reporting Service etc.
  • This deliverable will not include any architecture design specific to the customer's application and server environment
  • This deliverable will not include discussions around creating a highly available failover solution or extensive error handling
  • This deliverable will not include any performance tweaking/troubleshooting or scalability discussion
The following is a general list of items and information which should be discussed and gathered as part of the scoping analysis.
Questions to Ask:
  1. Operating system? 64-bit or 32-bit build?
  2. The target ISAPI DLL build? 64-bit or 32-bit?
  3. IIS version?
  4. The customer’s skill set and experience with C/C++ and Windows asynchronous callback function debugging
  5. What is the network topology? Network diagrams, firewall, load balancer, NLB?
  6. What type of authentication is being used, and what is the cookie design?
  7. Whether SSL and encryption features are involved on both the client side and the server side
  8. Client application: IE, Firefox, Opera, Safari or a customer application, with version information
  9. Visual Studio version and the debugger that has been used before
  10. Any other applications and technologies involved after the ISAPI filter processes the request
  11. Whether any 3rd party ISAPI application may interfere with our SSO solution
  12. Any anti-virus or web intrusion detection software installed
  13. ISAPI deployment method: manual or automated
  14. Whether COM or additional thread pool handling is involved in processing the incoming request

Self-Help resources for this scenario


Below is a list of self-help resources for this scenario. Microsoft Support Engineers may also use these resources during an Advisory Services engagement.

Internet Server Application Programming Interface
http://msdn.microsoft.com/en-us/library/ms525908(v=VS.90).aspx

ISAPI Filter Structures
http://msdn.microsoft.com/en-us/library/ms524827(v=VS.90).aspx

ISAPI Filter Entry-Point Functions
http://msdn.microsoft.com/en-us/library/ms525572(v=VS.90).aspx

ISAPI Filter Event Notifications
http://msdn.microsoft.com/en-us/library/ms524855(v=VS.90).aspx

How to debug ISAPI DLLs in IIS 4.0, IIS 5.0, IIS 5.1, and IIS 6.0
http://kbalertz.com/Feedback.aspx?kbNumber=183480

Implement a Single-Sign On solution by using basic authentication and Internet Explorer client
http://kbalertz.com/Feedback.aspx?kbNumber=837104

HOWTO: Single SignOn (SSO) considerations for ISAPI
http://blogs.msdn.com/david.wang/archive/2005/04/27/SSO-ISAPI-Considerations.aspx

APPLIES TO
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services 7.5
  • Microsoft Internet Information Services 7.0
Keywords: 
kbproadvisory kbinfo kbsurveynew kbtshoot kbnomt kbprovisualstudio kbprodeveloper KB982889