SetAuthenticatedUser callback function

  • Article

Applies to: desktop apps only

The SetAuthenticatedUser callback function is used by Web filters to set an authenticated non-Windows user. This allows associating information about an authenticated user with the current request.

The SetAuthenticatedUser callback function is declared as:

Syntax

BOOL WINAPI SetAuthenticatedUser(
  _In_  struct _HTTP_FILTER_CONTEXT *pfc,
  _In_  LPSTR lpszUserName ,
  _In_  LPSTR lpszNameSpace ,
  _In_  LPSTR lpszUserGroups 
);

Parameters

  • pfc [in]
    Pointer to the HTTP_FILTER_CONTEXT data structure that is associated with the current, active HTTP session. The filter context is passed in this parameter.

  • lpszUserName [in]
    Pointer to a null-terminated string containing the user name.

  • lpszNameSpace [in]
    Pointer to a null-terminated string containing the namespace of the authentication scheme for the user, as specified in IFPCAuthenticationScheme.

    Note  The server variables AUTH_USER, REMOTE_USER, LOGON_USER (described in GetServerVariable) do not contain the namespace when using SetAuthenticatedUser. These variables contain only the user name. The AUTH_TYPE variable contains the name of the custom authentication scheme, which should have the same name as the namespace. The authentication scheme can also be retrieved from the Web listener. Note that there can only be one extensible authentication scheme.

  • lpszUserGroups [in]
    Pointer to a null-terminated string containing the user groups.

Return value

This callback function returns TRUE if the call is successful; otherwise, it returns FALSE. To obtain extended error information, call GetLastError.

Remarks

The filter should check whether the authentication scheme specified in the lpszNameSpace parameter is enabled by calling GetAuthSchemeStatus, before passing a user of this authentication scheme.

Both the lpszUserName and lpszNameSpace parameters are required. If the string supplied in lpszNameSpace is longer than UNLEN characters, the function will fail. UNLEN is defined in Lmcons.h.

The lpszUserGroups parameter is optional. It enables the administrator to create a broader rule. For example, an administrator could set a rule for MyAuthScheme\MyAdministrators. Then the Web filter implementing MyAuthScheme could pass a specific user name, indicating that the user is a member of MyAdministrators, and the user will match the rule.

The string supplied in lpszUserGroups can be a comma-separated list of user groups.

Web filters call the SetAuthenticatedUser function through a pointer that is a member of the WPX_FILTER_AUTHENT_EX structure. A pointer to this structure is passed in each call to the HttpFilterProc entry-point function when the Web proxy sends an SF_NOTIFY_AUTHENTICATION notification to the Web filters that are registered to receive this notification just before Forefront TMG authenticates a client. If the fAuthIsRequired member of the WPX_FILTER_AUTHENT_EX structure is set to FALSE, the call to SetAuthenticatedUser succeeds, but the user specified is not set as an authenticated user.

Requirements

Minimum supported client

 None supported

Minimum supported server

 Windows Server 2008 R2, Windows Server 2008 with SP2 (64-bit only)

Version

 Forefront Threat Management Gateway (TMG) 2010

Header

 Wpxhttpfilt.h

See also

Callback Functions

 

 

Build date: 7/12/2010