The project I'm working on requires IIS (5.1 and above running SSL) to accept client connections that use no authentication, basic authentication or client certificate authentication.
By default, if the client uses basic authentication, IIS will attempt to validate the credentials against a user on the server and then reject connections if the user is not found or the password is incorrect. Similarly, if the client authenticates using a certificate, IIS will validate that certificate to ensure that it was issued by a CA it trusts and reject connections for those that weren't.
I need to configure IIS so that it will not attempt to validate either the user ID/password or anything about their certificate but simply permit all credentials to be accepted. The objective is to allow the client authentication to be performed by the individual ASP pages that make up the site, each of which will have different criteria for deciding what constitutes a valid user and the actions they can perform.
I understand that achieving this will require a custom ISAPI filter which must be written in C++.
Information about the user ID and password (if provided by the client) must be available to the ASP pages via [url removed, login to view]("AUTH_USER") and [url removed, login to view]("AUTH_PASSWORD"). The raw client certificate (if provided by the client) must be available via [url removed, login to view]("Certificate"). An ASP page that can be used to verify this is attached.