Re: Impersonation with NTLM

From: Paul Glavich (glav_at_aspalliance.com-NOSPAM)
Date: 02/10/04


Date: Tue, 10 Feb 2004 19:35:21 +1100

It may still be suffering the "double hop" syndrome if it thinks that the
page you are trying to access (even though its on the same machine) is on
another machine. when you specify the "host" part of the URL is it as you
specified below (ie. https://server/....) or does it contain periods (eg.
https://my.server/...)?

Also, try it without using SSL (ie. http://server/....) to see what happens.

--
- Paul Glavich
"Thomas Mueller-Lynch" <thomas.mueller-lynch(remove)@siemens.com> wrote in
message news:C6C4D26E-9B93-4326-97F3-B78534E7EFA2@microsoft.com...
> In this case I have only one server.
> the aspx page which is running on my server is executing another page on
the same server.
>
> Any ideas? Thanks in advance
>
> Thomas Mueller-Lynch
>
>      ----- Paul Glavich wrote: -----
>
>      At a guess, you are trying to do a "double hop" in that, you have
used
>      windows auth/NTLM to logon to your web app, then that same security
token to
>      go to another web site on another machine. Using NTLM, you cannot
>      impersonate a user, then use that impersonation to authenticate to
another
>      machine (this is the double hop). Basic works because the credentials
are
>      propagated in clear text as part of the Http header. NTLM used a
security
>      token and cannot propagate the same token and be valid.
>
>      Kerberos can do it, but you still need to mark the user account as
>      "Delegateable". (Win2000+)
>      --
>      - Paul Glavich
>
>
>      "Thomas Mueller-Lynch" <thomas.mueller-lynch(remove)@siemens.com>
wrote in
>      message news:D73319EC-F94A-4EFF-871A-E3D15F4909A8@microsoft.com...
>      > I want to use impersonation within a second thread of an
httpwebrequest.
>      > While configuring IIS with basic authentication everything works
fine.
>      > Changing to Intergrated Windows Authentication the thread (which
should
>      return a secure web-page) returns the http status code 401.
>      >> My web.config looks like:
>      > ...
>      ><identity impersonate="true"/><authentication mode="Windows" />> ...
>      >>> My Testpage looks like:
>      >> dim url as String = "https://server/secure/index.html"
>      > dim Req as HttpWebRequest = DirectCast(WebRequest.Create(url),
>      HttpWebRequest)
>      >> Req.Method = "GET"
>      > Req.ContentType =
"application/x-www-form-urlencoded;charset=iso-8859-1"
>      > Req.PreAuthenticate = true
>      >> if Request.ServerVariables("AUTH_TYPE") = "Basic"
>      > Req.Credentials = new
>
System.Net.NetworkCredential(Request.ServerVariables("AUTH_USER"),Request.Se
>      rverVariables("AUTH_PASSWORD"))
>      > else
>      > Req.Credentials = CredentialCache.DefaultCredentials
>      > ' Should impersonate the user in case of NTLM, shouldn't it???
>      > end if
>      >> dim Resp as HttpWebResponse =
>      DirectCast(req.GetResponse(),HttpWebResponse)
>      > dim Reader as StreamReader
>      >> Reader = new StreamReader(Resp.GetResponseStream())
>      >> while Reader.Peek() > -1
>      > strLine = Reader.ReadLine()
>      > Trace.write(strLine)
>      > end while
>      >> Reader.Close()
>      > Resp.Close()
>      >> The included thread should impersonate the logged-on user (NTLM or
Basic).
>      >> What did I do wrong?
>      >> Thomas
>
>
>


Relevant Pages

  • Re: Impersonation with NTLM
    ... windows auth/NTLM to logon to your web app, then that same security token to ... Using NTLM, you cannot ... > I want to use impersonation within a second thread of an httpwebrequest. ... > ' Should impersonate the user in case of NTLM, ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Windows Auth -- double hop issue??
    ... the double-hop problem? ... > Given that you are using default credentials, it does look like it might ... > a double hop issue. ... >> CType, HttpWebRequest) ...
    (microsoft.public.dotnet.security)
  • Re: Windows Auth -- double hop issue??
    ... the double-hop problem? ... > Given that you are using default credentials, it does look like it might ... > a double hop issue. ... >> CType, HttpWebRequest) ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Windows Auth -- double hop issue??
    ... the double-hop problem? ... > Given that you are using default credentials, it does look like it might ... > a double hop issue. ... >> CType, HttpWebRequest) ...
    (microsoft.public.dotnet.framework.aspnet)