Allowing Users to Switch Proxy Accounts

You can allow users visiting your site to re-authenticate in Active Directory using another proxy account.

For example, it is possible to seamlessly change the account the user is logged in as. When users first authenticate, the login page selects the correct proxy account credentials (Proxy1) and passes them to AuthFilter, which passes them to IIS to authenticate the user. If the users then want to view a directory that requires another proxy account's credentials (Proxy2), they are redirected to Login.asp because their current credentials do not allow access to the page. On the login page, the new credentials (Proxy2) are passed to AuthFilter, which passes them to IIS so that the user can log on using the new credentials.

To support this scenario, application-specific code must be implemented in Login.asp to recognize that the user has already authenticated, retrieve the credentials for Proxy2, and pass them along to the filter. The user already has a GUID property in the MSCSAuth ticket (it was added so that AuthFilter does look-ups in its password cache based on the GUID and not the user ID), so this GUID should be passed on to the filter instead of generating a new GUID. It is up to the application to map the user to the correct proxy account; the only thing AuthFilter ensures is that if the user is denied access for a request, the request is redirected to the Login.asp page.
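
The login-page decision described above, modelled in Python as an added example; it is not Microsoft's Login.asp code and does not use the AuthFilter API. The dictionaries standing in for the MSCSAuth ticket and the filter's password cache, the path and entitlement tables, and all function names are assumptions made for illustration.

```python
import uuid

# Constructed sample data: path prefix -> proxy account that can read it.
PATH_TO_PROXY = {"/catalog/": "Proxy1", "/reports/": "Proxy2"}
# Constructed entitlement table: which site users may be mapped to which proxy.
USER_PROXIES = {"alice": {"Proxy1", "Proxy2"}, "bob": {"Proxy1"}}
# Stand-in for a secret store; real passwords never live in page source.
PROXY_SECRETS = {"Proxy1": "placeholder-1", "Proxy2": "placeholder-2"}


def proxy_for_path(path):
    """Longest matching prefix wins; None means no proxy covers the path."""
    matches = [p for p in PATH_TO_PROXY if path.startswith(p)]
    return PATH_TO_PROXY[max(matches, key=len)] if matches else None


def login_page(ticket, user_id, requested_path, filter_cache):
    """Model of the login-page decision after a denied request.

    ticket: dict standing in for the MSCSAuth ticket properties (assumption).
    filter_cache: dict standing in for the GUID-keyed password cache (assumption).
    Returns the proxy account handed to the filter, or None if refused.
    """
    proxy = proxy_for_path(requested_path)
    # The filter only redirects on denial; the user-to-proxy mapping is the
    # application's job, so an unmapped user is refused here.
    if proxy is None or proxy not in USER_PROXIES.get(user_id, set()):
        return None  # ticket and cache stay untouched
    # Reuse the GUID already in the ticket; mint one only on first login.
    guid = ticket.get("guid")
    if guid is None:
        guid = ticket["guid"] = str(uuid.uuid4())
    ticket["user_id"] = user_id
    # The same GUID key now resolves to the new proxy credentials.
    filter_cache[guid] = (proxy, PROXY_SECRETS[proxy])
    return proxy
```

Because the GUID is reused, the switch from Proxy1 to Proxy2 overwrites one cache entry instead of leaving a stale Proxy1 entry behind under an old key.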

See Also

Proxy Accounts

Copyright © 2005 Microsoft Corporation.
All rights reserved.