Slx 72 Web Windows Authentication Explained
Posted By: nicocrm on November 22nd, 2007 in Saleslogix

If you read over the installation instructions to enable Windows authentication for the 7.2 web client, you will see that there is a fairly lengthy setup process – you need to setspn this and that, configure your users to use Windows authentication, and set up the Web server to run as a domain admin, no less. When I read that I could not believe they would actually recommend running IIS – the most obvious point of entry for any attacker – as a Domain Administrator, but I suppose it is not that big of a step from their previous recommendation to run it as a Local Administrator. I may be weird, but I like this stuff to run as either Network Service or some other reasonably lowly trusted user. So I had to peek at the implementation to see whether it was really necessary and, if so, how to get around it.

Now, in general, enabling Windows authentication by itself under ASP.NET is a pretty easy task. What is a bit more difficult is getting it to coexist with the regular forms authentication, so that some users are directed to the Windows login page and some to the forms login page, while they all access the same application. In Saleslogix there is a special HTTP module called MixedModeSecurityModule – it intercepts requests to the /Windows.aspx page and hijacks the forms authentication process at that point. Basically the flow is:

  1. The user sends a request to /Windows.aspx.
  2. IIS sends a 401 response to get the browser to pass credentials. There is a bit of trickery here – 2 HTTP modules sit around the forms authentication module, one to hide the 401 status by replacing it with a 200, and the other to restore the 401 status so it is sent to the browser (otherwise the forms authentication module would catch the 401 and redirect to the login page).
  3. The browser sends credentials. As a side note, I had a bit of trouble getting IE7 to send them automatically: if there is a dot in the site’s name it assumes the site is in the Internet zone and does not pass them.
  4. MixedModeSecurityModule handles the FormsAuthentication “Authenticate” event, retrieves the SID from the LogonUserIdentity property of the request, connects to the database (more on this below) and checks whether that SID is associated with a user.
  5. At this point it retrieves the user logon and password, decrypts the password, forms the connection string, and generates the FormsAuthentication cookie – the user is now properly set up.

No need for Domain Admin rights, right? Network Service will be enough since it will be able to identify the domain users.

There is one iffy step: the one where the module connects to the database to retrieve the user info. This is the step where the web site should use impersonation to connect to the Saleslogix server. Saleslogix would have you configure the whole web site to run as a privileged user, and I guess that would work, IF that user was also enabled to log into Saleslogix – pretty radical, though. It seems we have 2 options to get around it:

  1. Use an actual user in the connection string that is used for the Windows authentication check. I tried that one, hard-coding the credentials for Admin, and it worked – so I know that is possible. The credentials are also stored somewhere in the registry (lightly encrypted) if the Legacy web components have been configured (which is required for the mail merge anyway).
  2. Use impersonation/delegation to pass the credentials of the user logging into the web site. This is kind of nicer because it does not require us to dig for a password; one drawback is that the computer will have to be trusted for delegation… This is likely to be tough to get configured at customers’ sites, so I am not going to look into it any further.

Either way, we have to replace the stock MixedModeSecurityModule class and change its GetUserPass method so that it can connect to the database. The easiest way to make the change is to paste the code from Reflector and add User Id and Password parameters to the OleDbConnectionBuilder – so basically only 2 lines of code. The rest of the code looks a bit crusty (it seems like they tried a lot of different methods before settling on that one and forgot to clean up afterward), but it does work.
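To make steps 2 to 5 and the GetUserPass fix concrete, here is an added example of the same mixed-mode mechanism for ASP.NET 2.0; it is not the Sage module nor the helper attached to this post. The module names, the HiddenKey item, the UserForSid delegate the site supplies, and the assumption that the anonymous request's 401 comes from URL authorization (deny users="?") are mine, not from the post.

```csharp
using System;
using System.Data.OleDb;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
// Register BEFORE FormsAuthentication in <httpModules>: hide the 401 for /Windows.aspx so Forms auth does not redirect it to loginUrl.
public class Hide401Module : IHttpModule
{
    public const string HiddenKey = "MixedMode.Hidden401";
    // App-relative compare, so the check also holds when the site runs under a virtual directory.
    public static bool IsWindowsLogin(HttpContext c) { return c.Request.AppRelativeCurrentExecutionFilePath.Equals("~/Windows.aspx", StringComparison.OrdinalIgnoreCase); }
    public void Init(HttpApplication app) { app.EndRequest += OnEndRequest; }
    public void Dispose() { }
    static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Response.StatusCode != 401 || !IsWindowsLogin(ctx)) return;   // assumed: the 401 comes from UrlAuthorization (deny users="?")
        ctx.Items[HiddenKey] = true;
        ctx.Response.StatusCode = 200;   // FormsAuthenticationModule only redirects to the login page on 401
    }
}
// Register AFTER FormsAuthentication: put the 401 back so IIS sends the Windows challenge, then map the SID to a Forms ticket.
public class Restore401Module : IHttpModule
{
    // Supplied by the site (e.g. in Application_Start): SID -> SalesLogix user name, or null when the SID is not mapped.
    public static Converter<string, string> UserForSid;
    public void Init(HttpApplication app)
    {
        app.EndRequest += delegate(object s, EventArgs e) { HttpContext c = ((HttpApplication)s).Context; if (c.Items.Contains(Hide401Module.HiddenKey)) c.Response.StatusCode = 401; };
        FormsAuthenticationModule forms = app.Modules["FormsAuthentication"] as FormsAuthenticationModule;
        if (forms != null) forms.Authenticate += OnAuthenticate;   // raised before Forms looks for its own ticket
    }
    public void Dispose() { }
    static void OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
    {
        WindowsIdentity win = e.Context.Request.LogonUserIdentity;   // the identity IIS established for this request
        if (!Hide401Module.IsWindowsLogin(e.Context) || win == null || win.IsAnonymous || UserForSid == null) return;
        string user = UserForSid(win.User.Value);
        if (user == null) return;   // unknown SID: stays anonymous, UrlAuthorization denies and the browser is challenged again
        FormsAuthentication.SetAuthCookie(user, false);
        e.User = new GenericPrincipal(new GenericIdentity(user, "Forms"), new string[0]);
    }
    // The post's GetUserPass fix: the SID lookup connects with its own SalesLogix login instead of the site identity.
    public static string LookupConnectionString(string baseConnStr, string user, string password)
    {
        OleDbConnectionStringBuilder b = new OleDbConnectionStringBuilder(baseConnStr);
        b["User Id"] = user; b["Password"] = password;
        return b.ConnectionString;
    }
}
```

The two modules must bracket FormsAuthentication in web.config, because EndRequest handlers run in registration order and that ordering is what hides the 401 from the Forms module yet sends it to the browser.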

Finally, here are a few links that deal with the Mixed Mode authentication:

If it were up to me I would rewrite it using the technique shown in that last link. But currently the Windows authentication is very intermingled with the rest of the login crap, and I have seen too many times what happens to Saleslogix when you start pulling on one of the strings!

Updated (2007-03-18): this still works under 7.2.2. Here is the code for the security module helper I created (based on the one distributed by Sage). You will have to adjust the references to SSSWorld assemblies in order to be able to use it, though.