WebAuth-IIS allows Windows web servers to authenticate and authorize users using Stanford WebAuth.
WebAuth-IIS is implemented as an ISAPI filter and extension for IIS 6.0 running on Windows Server 2003. It uses the WebAuth protocol to authenticate visitors to a website, and optionally maps authenticated users to Windows accounts, allowing for simple authorization using Windows access control lists. WebAuth-IIS provides similar functionality on IIS as Stanford WebAuth on an Apache server. However, LDAP directory integration has not yet been implemented on WebAuth-IIS.
The initial version of WebAuth-IIS was developed by Stanford ITSS and released on 3/15/2005. However, it had several errors and security flaws that made it unsuitable for a production environment. This version (which is mostly based on ITSS' code) corrects those flaws and adds a few additional features, noted below. I have been using it on this server since October 2005, and on the CS198 web site since May 2006. To see WebAuth-IIS in use, just login to the CS198 website (SUNet ID required).
Version 1.2.1 (7/10/2006) - Download source code and binaries (.zip)
- Allows administrator to configure "logout" URL, which deletes WebAuth cookie and redirects to WebKDC's SSO logout page
- Compiles on Visual Studio 2005
Version 1.2 (2/19/2006)
- Allows administrator to choose whether to map Webauth users to Windows accounts
- Configuration script for easier setup, protecting/unprotecting web applications
- Bug fixes
- Performance improvements for Windows user account mapping
- Obfuscates passwords in registry (passwords only stored if mapping users to Windows accounts)
- Protected URLs are case-insensitive
Version 1.1 (10/6/2005)
- Maps authenticated users to Windows user accounts
- Includes command-line administration tool to manage Windows users and groups
- Works as custom authentication for SharePoint
- Bug fixes
- Fixed buffer overflow that allowed arbitrary code execution
- Fixed token parsing/creation to correctly handle special characters
- No longer interferes with other ISAPI filters
- Removed large amounts of vestigial code