Table E-1 outlines some of the common security-related server variables used in Internet Information Server (IIS) 5. These can be accessed in Active Server Pages (ASP) pages by using the Request.ServerVariables collection, or in ISAPI applications using the GetServerVariable function.
Table E-1. Common IIS security-related server variables.
Server Variable | Comments |
---|---|
AUTH_TYPE | Indicates the authentication scheme used to authenticate the client. |
AUTH_USER REMOTE_USER LOGON_USER | Although these three options might have different names, their data is usually the same. It is the name of the user account in domain\user format or UPN format (account@domain). Note that LOGON_USER is the name of the account actually logged on and might be different from AUTH_USER and REMOTE_USER if an ISAPI filter changes the account used to log on. Consider an HTTP request from a client with a Basic authorization header containing base64-encoded username and password "cheryl:$qu1rtAndMaj0r". An ISAPI filter waits for the Web server to fire an SF_NOTIFY_AUTHENTICATE event. The filter changes the username and password settings to "DevUser" and "WeakPassword," respectively. At this point, REMOTE_USER and AUTH_USER are both "cheryl" but LOGON_USER is "DevUser." |
AUTH_PASSWORD | For Basic authentication, this is the password specified by the client. For Digest authentication, the value is not the password provided by the client; it is data used during the negotiation phase, the contents of which are essentially of little use to the application. The setting is blank for all other authentication protocols. |
CERT_FLAGS | Bit 0 is set to 1 if the client certificate is present. Bit 1 is set to 1 if the certificate authority of the client certificate is invalid. Note: You will not see bit 1 set because the condition is true only if the client certificate is not trusted, and if the client certificate is not trusted by the server, the connection isn't established. |
CERT_SUBJECT | Subject field of the client certificate. |
CERT_ISSUER | Distinguished name field of the client certificate issuer. |
CERT_SERIALNUMBER | The client certificate serial number. |
CERT_COOKIE | Unique ID for the client certificate; this is not the certificate's serial number. |
CERT_SERVER_ISSUER HTTPS_SERVER_ISSUER | Distinguished name field of the server certificate issuer. |
CERT_SERVER_SUBJECT HTTPS_SERVER_SUBJECT | Subject field of the server certificate. |
CERT_KEYSIZE HTTPS_KEYSIZE | Size, in bits, of the symmetric key negotiated during the SSL/TLS handshake, for example 56 or 128. |
CERT_SECRETKEYSIZE HTTPS_SECRETKEYSIZE | Size, in bits, of the server's private key. |
HTTPS | "Off" indicates SSL/TLS is not in use; "on" indicates SSL/TLS is in use. |
SERVER_PORT_SECURE | The same functionality as the HTTPS variable, but "0" indicates SSL/TLS is not in use and "1" indicates SSL/TLS is in use. |
Table E-2 shows some examples of how the various authentication schemes set some of the server variables.
Table E-2. Example server variables when using authenticated connections.
Server Variable | Anonymous | Basic | Digest | Integrated Windows | Client Certificates |
---|---|---|---|---|---|
AUTH_TYPE | | Basic | Digest | Negotiate | SSL/PCT |
AUTH_USER | | exair/cheryl* | exair/cheryl* | exair/cheryl | exair/cheryl |
AUTH_PASSWORD | | MyPassword | Digest information** | | |
HTTPS | Off*** | Off*** | Off*** | Off*** | On |
HTTPS_KEYSIZE | 0 | 0 | 0 | 0 | 128 |
HTTPS_SECRETKEYSIZE | 0 | 0 | 0 | 0 | 1024 |
CERT_FLAGS | 0 | 0 | 0 | 0 | 1 |
Various CERT_ settings | Not set | Not set | Not set | Not set | Set |
* Username will be a UPN name if the default domain is set to "\" and the user enters the username in UPN form (user@domain.com) rather than in domain\name form.
** The digest information is composed of Digest authentication data used in the browser's HTTP Authorization header. For example,
username="alice@explorationair.com", realm="dbserver", qop="auth", algorithm="MD5", uri="/exair/info.asp", nonce="2c10f3f55dd0fce3688468100000292b3288fc5bbd02574234a296625c12", nc=00000001, cnonce="078b81574a27382e4bcccf2bc6862f0f", response="c2240d01d884fd0dd92e325f4c6368a3"
*** Will be "On" if used over an SSL/TLS connection.
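The following is an added example, not code from the book: it shows how an application might evaluate the variables from Tables E-1 and E-2 before granting access, checking transport security, the CERT_FLAGS bits, and the LOGON_USER versus AUTH_USER discrepancy an ISAPI filter can introduce. A plain dictionary stands in for the ASP Request.ServerVariables collection, the sample requests are constructed to mirror the Table E-2 columns, and the 128-bit key threshold is an assumed policy value.

```python
# Added example: interpret IIS 5 security-related server variables.
# A dict stands in for Request.ServerVariables; values are constructed.

MIN_KEYSIZE_BITS = 128  # assumed policy threshold, not from the book


def transport_is_secure(sv):
    """SSL/TLS in use: HTTPS is "On"/"Off", SERVER_PORT_SECURE is "1"/"0"."""
    return (sv.get("HTTPS", "Off").lower() == "on"
            or sv.get("SERVER_PORT_SECURE", "0") == "1")


def client_cert_present(sv):
    """CERT_FLAGS bit 0 is set when the client presented a certificate."""
    try:
        flags = int(sv.get("CERT_FLAGS", "0") or 0)
    except ValueError:
        return False
    return bool(flags & 1)


def identity_remapped(sv):
    """LOGON_USER differs from AUTH_USER when a filter changed the logon account."""
    auth = sv.get("AUTH_USER", "")
    return auth != "" and sv.get("LOGON_USER", auth) != auth


def assess_request(sv):
    """Return (allowed, reasons): authenticated, over SSL/TLS, strong key."""
    reasons = []
    auth_type = sv.get("AUTH_TYPE", "")
    if not auth_type or not sv.get("AUTH_USER"):
        reasons.append("anonymous request")
    if not transport_is_secure(sv):
        reasons.append("not over SSL/TLS")
        if auth_type == "Basic":  # AUTH_PASSWORD carries the clear-text password
            reasons.append("Basic credentials sent without SSL/TLS")
    elif int(sv.get("HTTPS_KEYSIZE", "0") or 0) < MIN_KEYSIZE_BITS:
        reasons.append("session key below %d bits" % MIN_KEYSIZE_BITS)
    if identity_remapped(sv):
        reasons.append("logon account %s differs from AUTH_USER %s"
                       % (sv["LOGON_USER"], sv["AUTH_USER"]))
    return (len(reasons) == 0, reasons)


# Constructed samples mirroring Table E-2 (Basic without SSL, client certificate)
BASIC_CLEAR = {"AUTH_TYPE": "Basic", "AUTH_USER": "exair\\cheryl",
               "LOGON_USER": "exair\\cheryl", "AUTH_PASSWORD": "MyPassword",
               "HTTPS": "Off", "HTTPS_KEYSIZE": "0", "CERT_FLAGS": "0"}
CLIENT_CERT = {"AUTH_TYPE": "SSL/PCT", "AUTH_USER": "exair\\cheryl",
               "LOGON_USER": "exair\\cheryl", "HTTPS": "On",
               "HTTPS_KEYSIZE": "128", "HTTPS_SECRETKEYSIZE": "1024",
               "CERT_FLAGS": "1"}
# The filter scenario from Table E-1: AUTH_USER "cheryl", LOGON_USER "DevUser"
FILTERED = {"AUTH_TYPE": "Basic", "AUTH_USER": "cheryl", "REMOTE_USER": "cheryl",
            "LOGON_USER": "DevUser", "HTTPS": "On", "HTTPS_KEYSIZE": "128"}
```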