The LogonUser function takes a third parameter used to identify an
authority for the user name (I assume this is the same intention as the
realm in HTTP authentication). I assumed the idea was to allow
Reporting Services to enable log-ins from users in multiple user
databases. For example, if we are using RS to serve reports on each of
our customers' virtual web sites, then each customer has its own user
database.
The problem is, the IAuthorizationExtension interface does not use
authority strings. I assume the idea is that user names must be unique
amongst all the authorities, perhaps by adding the authority name as a
prefix (e.g., the user "bill" in the user database of customer "Acme"
might have a user name acme.bill for the purposes of authorization. I
assume further that the way this is is achieved is that, after LogonUser
is called as LogonUser("bill", password, "Acme"), then GetUserInfo
returns a userIdentity of "acme.bill" rather than plain "bill". Does
this sound plausible?I wrote:
> I
> assume further that the way this is is achieved is that, after LogonUser
> is called as LogonUser("bill", password, "Acme"), then GetUserInfo
> returns a userIdentity of "acme.bill" rather than plain "bill". Does
> this sound plausible?
After some experimentation, it seems to me that GetUserInfo is *not*
consulted when generating the ticket cookie. I guess this means I need
to feed the qualified user names in to LogonUser, and always use the
same authority string.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment