Remote User Header Variable In IIS

Microsoft IIS

REMOTE_USER is the name of the user as it is derived from the authorization header sent by the client, before the user name is mapped to a Windows account. We had a requirement to manipulate the remote user header variable in IIS into some other format so that our application can read the same and authenticate in a multi-domain environments.


At present IIS does not have the capability to set REMOTE_USER header format in NTLM environments as the IIS Rewriting Module runs before authentication which in turn give a NULL value for remote user. to elaborate the process below are the steps it follows before setting the REMOTE_USER header.

REMOTE_USER and AUTH_USER variables are provided by the web server AFTER the NTLM authentication process has been completed.

NTLM authentication process steps are:

1. Client requests resource protected by NTLM on the web server.

2. The web server responds to the client with a 401.1 HTTP response asking for the username.

3. If the client understands this, it responds with the username.

4. The web server responds to the client with a 401.2 HTTP response asking for the password.

5. The client responds with the password.

Once the IIS validates the credentials it responds with an 200 HTTP response with the requested resource and it will also populate the CGI variables with values such as AUTH_USER and REMOTE_USER.

So to achieve the remote user request header rewrite you can use below third party plugin called Helicon. To give a background, this Helicon ISAPI_Rewrite 3 engine is a third party module which provides apache’s mod_rewrite capability in IIS.
Through which we are able to manipulate session header(REMOTE_USER) information to construct a new application recognizable header format as per the multi domain user needs.

For example we required the REMOTE_USER value in [email protected] instead of default DOMAIN\UserName . So to complete the same follow below simple steps:

1. Download the freeware Helicon Lite plugin.
2. install in your IIS server machine.
3. Add below re-write rule in the Helicon.

RewriteEngine on
RewriteCond %{REMOTE_USER} (.*)\\(.*)
RewriteHeader SSOUSER: .* (%2)(@)(%1)(.com)
RewriteHeader Authorization: .* () 

4. Here the SSOUSER is the new remote user header variable in IIS for the [email protected] format. You can check the header info using any tools like fiddler or HTTP watch.


In case of any ©Copyright or missing credits issue please check CopyRights page for faster resolutions.

Leave a Reply