IIS / Perl CGI - execute script as a user determined at runtime?

I have a web app running with IIS6 and ActiveState Perl 5.8.8 that authenticates a user against an AD server using Net::LDAP. If the login is successful, I would like to redirect to another perl script that runs as this user. Is such a thing possible?


I should note that I’m not really familiar with Perl running on IIS, but I believe what I have to say should apply to it since it’s a fairly fundamental part of IIS.

Generally anonymous requests to IIS run under the identity of the account set up for the anonymous user on that web server. This is actually done by the system account (or other high-privilege account having the SE_TCB_NAME priv) impersonating the identity of the anonymous account. If the client is authenticated then, at the start of the request, the IIS worker thread will revert to its real identity, then impersonate the account that the client authenticated with.

This means that if your clients are authenticated using either basic authentication or using the IIS integrated authentication then any script they access via the server will run on that server under the security account that they authenticated with.

This does require the IIS server to be part of the same domain / AD structure as the users.

On older versions (IIS4 and early IIS5) you could use an in-process COM component that called the RevertToSelf API (in advapi32.dll) followed by LogonUser and ImpersonateLoggedOnUser to change the security context that the script was running under. I’m pretty sure this no longer works (and was, anyway, a pretty egregious hack that I absolutely never, ever used in a live environment. Not once. Honest.)

I’m not sure that running scripts under a security context specified at runtime is possible with IIS6. I’ll have a poke around and see what I can find.
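Since the whole answer above hinges on IIS impersonating the client for the duration of the request, the first thing worth checking on a real server is whether the Perl CGI process actually ends up with that identity. The following probe script is an added example for this thread, not code from either poster: drop it into the web directory as (assumed name) whoami.pl and request it once anonymously and once after authenticating. It compares what IIS claims about the client (REMOTE_USER / LOGON_USER / AUTH_TYPE) with the account that owns the token the script is really running under, using the Win32 module that ships with ActivePerl.

```perl
#!perl
# whoami.pl - CGI probe: which Windows account is this script really running as?
# Added example for this thread (not from the original posts). Assumes ActivePerl
# with the bundled Win32 module and an IIS 6 CGI mapping for .pl files.
use strict;
use warnings;
use Win32;

# What IIS tells the script about the client. These are empty on anonymous
# requests and hold DOMAIN\user after Basic or Integrated authentication.
my %auth = map { $_ => (defined $ENV{$_} ? $ENV{$_} : '') }
           qw(AUTH_TYPE REMOTE_USER LOGON_USER);

# The user name behind the token that runs this code (GetUserName under the
# hood, so it follows impersonation). On IIS 6 a CGI process is launched with
# the impersonation token, so this is the process identity, not just a thread.
my $token_user = Win32::LoginName();

# Compare the SAM name IIS authenticated against the token's user name.
sub verdict {
    my ($remote_user, $token_user) = @_;
    return "anonymous request: running as the anonymous account ($token_user)"
        if $remote_user eq '';
    my ($claimed) = $remote_user =~ /([^\\]+)$/;   # strip DOMAIN\ prefix
    return "impersonation in effect: script runs as $remote_user"
        if defined $claimed && lc($claimed) eq lc($token_user);
    return "WARNING: IIS authenticated $remote_user but the script runs as $token_user";
}

print "Content-type: text/plain\r\n\r\n";
printf "%-12s = %s\n", $_, $auth{$_} for sort keys %auth;
printf "%-12s = %s\n", 'token user', $token_user;
printf "%-12s = %s\n", 'computer domain', Win32::DomainName();
print "\n", verdict($auth{REMOTE_USER}, $token_user), "\n";
```

With anonymous access enabled you should see the IUSR_<computername> account and an empty REMOTE_USER; after forcing Integrated Windows authentication the token user should match the part of REMOTE_USER after the backslash. If REMOTE_USER is populated but the token still belongs to IUSR or the application pool identity, the request was authenticated but the CGI process was not created under that user (on IIS 6 the CreateProcessAsUser metabase property controls this), which is exactly the situation the original question needs to avoid.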

Interesting, and thanks for the quick reply.

I’m doing my authenticating completely outside of IIS within the perl script. Excuse the newbish question, but how does one do the integrated authentication? I’m trying to avoid the pop-up generated window as my login is an HTML form.

In the IIS admin MMC snap-in right-click on the web site you want to configure and select “Properties” from the context menu. Go to the Directory Security tab and click on the Edit… button in the “Anonymous access and authentication control” section (topmost).

This will open the Authentication Methods dialogue. In the lower section you can check the “Integrated Windows authentication” checkbox to enable the integrated authentication. To force users to authenticate you can either uncheck the “Anonymous access” checkbox on the section above or you can deny the anonymous user (normally IUSR_<computername>) access to the webserver files.

You can force authentication on only certain parts of your website by just using the NTFS file permissions rather than totally denying anonymous access.

Integrated authentication uses a challenge/response system that relies on keeping the HTTP connection open during the process. Because of this it will tend to fail when going through proxies etc.
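The clicks described above map onto a handful of metabase properties, so the same change can be scripted and reviewed instead of done by hand in the MMC. The script below is an added example, not something from the original posts; it binds to the IIS ADSI provider through Win32::OLE (bundled with ActivePerl) and assumes a virtual directory named "secure" under site ID 1 (the Default Web Site). The AuthFlags bit values are the documented IIS 6 metabase constants.

```perl
#!perl
# require_integrated_auth.pl - turn on Integrated Windows authentication and
# turn off anonymous access for one virtual directory via the IIS 6 metabase.
# Added example for this thread (not from the original posts). Run it on the
# web server as an administrator.
use strict;
use warnings;
use Win32::OLE;

# IIS 6 metabase AuthFlags bits
use constant AUTH_ANONYMOUS => 1;
use constant AUTH_BASIC     => 2;
use constant AUTH_NTLM      => 4;    # the "Integrated Windows authentication" checkbox
use constant AUTH_MD5       => 16;   # Digest

# Assumed target: site 1, vdir "secure". Change to match your server.
my $path = 'IIS://localhost/W3SVC/1/Root/secure';

my $node = Win32::OLE->GetObject($path)
    or die "Cannot bind to $path: " . Win32::OLE->LastError() . "\n";

sub describe_flags {
    my ($flags) = @_;
    my @on;
    push @on, 'Anonymous'  if $flags & AUTH_ANONYMOUS;
    push @on, 'Basic'      if $flags & AUTH_BASIC;
    push @on, 'Integrated' if $flags & AUTH_NTLM;
    push @on, 'Digest'     if $flags & AUTH_MD5;
    return @on ? join(', ', @on) : 'none';
}

printf "Before: AuthFlags=%d (%s)\n", $node->{AuthFlags}, describe_flags($node->{AuthFlags});

# Integrated on, anonymous (and Basic, which sends the password in the clear) off.
$node->{AuthFlags} = AUTH_NTLM;

# Offer Kerberos first and fall back to NTLM for clients that cannot do it.
$node->{NTAuthenticationProviders} = 'Negotiate,NTLM';

# Make sure CGI processes under this vdir are created as the impersonated user
# rather than in the system context (this is the IIS 6 default, set explicitly).
$node->{CreateProcessAsUser} = 1;

$node->SetInfo();
die "SetInfo failed: " . Win32::OLE->LastError() . "\n" if Win32::OLE->LastError();

printf "After:  AuthFlags=%d (%s)\n", $node->{AuthFlags}, describe_flags($node->{AuthFlags});
```

If you would rather keep anonymous access switched on for the rest of the site and only force a login on this directory, leave AUTH_ANONYMOUS in AuthFlags and instead put a deny ACE for IUSR_<computername> on the directory's NTFS permissions, as the answer above describes; IIS will fail the anonymous attempt and then challenge the browser. Note that Integrated authentication only sends the browser's logon silently for sites the client treats as intranet; otherwise the user still gets the browser's credential prompt, not your HTML form.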