Introduction
WebAuth-IIS allows Windows web servers to authenticate and authorize users using Stanford WebAuth.
WebAuth-IIS is implemented as an ISAPI filter and extension for IIS 6.0 running on Windows Server 2003. It uses the WebAuth protocol to authenticate visitors to a website, and optionally maps authenticated users to Windows accounts, allowing for simple authorization using Windows access control lists. WebAuth-IIS provides functionality on IIS similar to that of Stanford WebAuth on an Apache server. However, LDAP directory integration has not yet been implemented in WebAuth-IIS.
The initial version of WebAuth-IIS was developed by Stanford ITSS and released on 3/15/2005. However, it had several errors and security flaws that made it unsuitable for a production environment. This version (which is mostly based on ITSS' code) corrects those flaws and adds a few additional features, noted below. I have been using it on this server since October 2005, and on the CS198 web site since May 2006. To see WebAuth-IIS in use, just log in to the CS198 website (SUNet ID required).
Version 1.2.1 (7/10/2006) - Download source code and binaries (.zip)
- Features
  - Allows administrator to configure "logout" URL, which deletes WebAuth cookie and redirects to WebKDC's SSO logout page
  - Compiles on Visual Studio 2005
Version 1.2 (2/19/2006)
- Features
  - Allows administrator to choose whether to map WebAuth users to Windows accounts
  - Configuration script for easier setup, protecting/unprotecting web applications
- Bug fixes
  - Performance improvements for Windows user account mapping
  - Obfuscates passwords in registry (passwords only stored if mapping users to Windows accounts)
  - Protected URLs are case-insensitive
Version 1.1 (10/6/2005)
- Features
  - Maps authenticated users to Windows user accounts
  - Includes command-line administration tool to manage Windows users and groups
  - Works as custom authentication for SharePoint
- Bug fixes
  - Fixed buffer overflow that allowed arbitrary code execution
  - Fixed token parsing/creation to correctly handle special characters
  - No longer interferes with other ISAPI filters
  - Removed large amounts of vestigial code
