Application Server Solutions for Microsoft IIS and ASP.NET
       solutions   products   partners   company   support   downloads         store
ServletExec Self-Help: FAQ
Back to Search >  Back to Search Results

Faq ID 180
Product ServletExec
Category Admin Username and Password
Question When SE 4.x is used with IIS... Why must the SE Admin User be defined on the machine ? And why must the SE ISAPI filter be configured to use Basic Authentication, why can't it use Integrated Windows Authentication (IWA/NTLM) ?
  1. Because when IIS recieves a request that has a Username and Password in the Request Header it will first look to make sure that the provided username is that of a valid Windows User on the System and that the provided Password is correct for that Windows User. If so, only then will IIS pass the request on to ServletExec. IIS always behaves this way, regardless of which SE configuration is being used with it (ISAPI or AS).
    So this is an extra check that IIS is doing, not ServletExec
  2. Because once the request is passed on to ServletExec, SE will attempt to decrypt the username and password and use it to Authenticate the user.
    In the case of SE ISAPI, the username is compared with the configured SE admin username and then some ISAPI callbacks are made to Authenticate the user.
    In the case of SE AS, the username and password are compared with the configured SE admin username and password. No ISAPI callbacks are made for this step with SE AS.
    In either case, the username and password must have been encrypted using Base64 encoding because that's what SE expects and knows how to decrypt
    Since the encryption used by IWA is proprietary to Microsoft, ServletExec has no way to decrypt it. In addition, the password is not available to SE when iWA is used (it's not transmitted).

It IS possible to configure IIS so that ONLY SE ISAPI uses BASIC Authentication, while the rest of your IIS website uses NTLM Authentication.
Just enable NTLM at the global or website level and then access the "Authentication Methods" dialog box for the ServletExec_ISAPI.dll or ServletExec_Adapter.dll file itself, and turn off NTLM at that level. This would be done by viewing the contents of the Virtual folder named "Scripts" (done in IIS not on the hard-drive) and opening the properties dialog of the ServletExec_ISAPI.dll file shown there in the IIS Management console. See FAQ #65 for a few more details.
This is not required for the SE Admin UI used by SE 5.x or higher since with those versions of SE, the SE Admin username and password are not transmitted using BASIC authentication. Form-based declarative security is used by the SE Admin UI instead.
If your webapp uses BASIC authentication & you are using IIS as your web server software, then it does not matter what version of SE you are using. Even with SE 5.x or 6.x, the following would still be true:
Any Container Users (defined on the SE Admin UI) which may gain access to your webapp, must be valid Windows users defined in the Windows OS. And the passwords defined for those Container Users (on the main SE Admin UI) must match the passwords defined in the Operating System for their respective Windows users.

company media information terms of use privacy policy contact us