Classic ASP has enabled Windows Authentication, but Request.ServerVariables ("LOGON_USER") sometimes returns the wrong username
I have classic ASP deployed in IIS 7. Windows Authentication is enabled and all other authentication is disabled. Thus, the page does not require login, the server can determine the username NTADMIN.
We have an in-place Apache rewrite so that the page can be accessed in an alias like https: //www-site/app/page.asp rather than accessing it like https: // ntp123: 8090 / app / page.asp ; the rewriting looks like this:
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/app https://%{HTTP_HOST} %{REQUEST_URI} [R,L]
ProxyPass /app http://ntp123:8090/app/
ProxyPassReverse /app http://ntp123:8090/app/
In most cases, perhaps 99% of cases, the code returns the correct "NTADMIN \ user":
LoginName = Request.ServerVariables("Logon_User")
However, there were a few cases where the code received the wrong NTADMIN username. I tried to search for any similar problems through google but most of them do not display the resolution.
Perhaps this might have ASP / IIS experts ?
source to share
It turns out the culprit was the Apache HTTP Rewrite, because from observing the IIS logs, the client's IP address is always the same, in this case Apache Server. It looks like it has some kind of caching issue or it just isn't compatible with Windows IIS authentication. In any case, by removing this, the problem no longer occurs.
source to share