ODBCFilter

Owned by Brian Donnelly
Last updated: Jan 10, 2018 by Tom Poage (Unlicensed)
3 min read

ODBCFilter ISAPI Module

In this Section

Overview

Windows Internet Information (IIS) server is used to deliver web sites and applications for numerous departments. Both CAS and Distauth authentication clients exist for this platform, however they only provide the most basic level of authentication and authorization. In response to need, the College of Letters and Science has developed a more advanced authorization module that can be chained after a Distauth or CAS authentication filter. This module can consult a database via ODBC to determine what users should be allowed to access a protected url.

Download

Click here to download the ODBCFilter Package

Installation Instructions

  1. Download (and configure, if necessary) the ODBC filter zip file, which contains an example configuration file. Please read the Configuration Options section below for information on how to configure the module.

  2. Place the downloaded dll file in a secure directory on your machine, such as C:\WINDOWS\system32\inetsrv\.

    We suggest this directory because it is the inet service that loads the dll, and any security permissions implemented on the Web server will be inherited here (even though the dll is compiled and can not be edited, it could be replaced with a different file of the same name, so you don't want unauthorized users having any write access in that directory).

  3. Configure IIS to use the ODBC Filter you downloaded in step 1 above:
    1. The Web Server and IIS Admin service must be stopped. Check the services dialog box and stop these services if they are running.
    2. Start the IIS Administrator Console
    3. Click on your Web server instance in your Console. The default title of your Web server instance is "Default Web Site", unless you changed it. It maybe hidden under "Console Root/Internet Information Server/NAME", where "NAME" is the name of your computer.
    4. Hold the right mouse button down on top of the line for your Web server instance and select "Properties" from the pop up menu.
    5. Select the Edit button for the correct Web server instance.
    6. When the new window appears, Click on the "ISAPI Filters" tab.
    7. Another new window will appear. Click on the "Add..." button on it.
    8. Enter "ODBCFilter" as the "Filter Name".
    9. Enter the path to the dll file that you saved in Step 1 above (Example C:\WINDOWS\system32\inetsrv\ODBCFilter.dll).
    10. Click the "Ok" button on the "Filter Properties" dialog box.
    11. Click the "Ok" button on the "Web Site Properties" dialog box.
    12. Restart the Web Services and IIS Admin services.
  4. That's it! Test the filter by trying to access the protected url with accounts that are both in and out of the ODBC data source.

Configuration Options

  • UNIQUE_KEY=
    Unique string used to determine restricted directory. Maximum directory size : 50 characters.
    • default: .secure
  • CACHE_TIMEOUT=
    Cache timeout period. (in minutes)
    • default: 5
  • DB_DSN=
    DSN to use to connect to the database
    • default: myDSN
  • DB_USER=
    The username to access the database. Comment out if there is none.
    • default: MyUser
  • DB_PASSWORD=
    The password to access the database. Comment out if there is none.
    • default: ********
  • DB_QUERY=
    Query to be run when verifying access. Maximum query size : 1023 characters.
    • Requirements :
      1. Query must be on one line
      2. Query must include a place holder (%s) for both kerberos and requested Directory (Kerberos first, AuthDirectory second)

    • default: SELECT Kerberos FROM tblUsers WHERE lower(Kerberos)='%s' AND lower(AuthDirectory)='%s'

      Sample Querys

      DB_QUERY=SELECT Kerberos FROM tblUsers WHERE lower(Kerberos)='%s' AND lower(AuthDirectory)='%s'
      DB_QUERY=SELECT Kerberos FROM tblUsers WHERE lower(Kerberos)='%s' AND lower(AuthDirectory)='%s' AND Status='ACTIVE' AND (ExpireDT is NULL OR ExpireDT > GETDATE())

  • ACCESS_DENIED=
    Redirection URL to redirect to if authentication fails

Troubleshooting

If the filter is not working correctly, you may want to check these items.

  • Red Arrow in IIS Administrator
    • Make sure the IIS group (whatever group the IWAM_MACHINENAME user belongs to) has read access to its location.
    • Try turning on IIS 5.0 Isolation mode. In the IIS Adminsistrator, Right Click on the 'Web Sites' folder and choose 'Properties'. In the properties window, select the 'Service' tab, and make sure the Checkbox labeled 'Run WWW service in IIS 5.0 Isolation mode' is checked. Then restart IIS.
  • It's not blocking access
    • Make sure the filter is loading. Under the Internet Information Services panel, look for the filter where you applied it earlier, and make sure there is a green arrow up next to it. Make sure the IIS group (whatever group the IWAM_MACHINENAME user belongs to) has read access to its location.
  • Other Problems
    • Please contact websso@ucdavis.edu if you need additional assistance.