Re: Windows Auth -- double hop issue??
From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: 03/26/04
- Next message: Paul: "Navigating a RS on the Client?"
- Previous message: Hernan de Lahitte: "Re: w3wp.exe Account"
- In reply to: Ken Schaefer: "Re: Windows Auth -- double hop issue??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 26 Mar 2004 10:51:51 -0800
But we are not talking about Kerberos, are we? Maybe I am confusing
something, but I think that Integrated Windows authentication (NTLM) does
not require Kerberos, so it's a moot point. I don't think that to access a
resource on the same machine using NTLM, you need to enable delegation. It
does not make much sense. Whether the resource resides on a different Web site
should not matter as long as it is on the same physical server. Think about it:
using NTLM you can pass through the user's credentials to a SQL Server (on the
same machine). It is not much different from accessing a different Web site
(on the same machine), or is it?
Alek
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:en5Jl7sEEHA.624@TK2MSFTNGP10.phx.gbl...
> Kerberos tickets work on the basis of an SPN, not a "machine boundary", don't
> they? If the SPN is different (e.g. accessing a different website), then
> delegation must be enabled for the user credentials.
>
> Cheers
> Ken
>
> "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> news:%23uylZmoEEHA.3336@TK2MSFTNGP12.phx.gbl...
> : I don't think this matters. As long as identity/authentication/authorization
> : sections of the Web.config file are set up correctly, anonymous access is
> : disabled in IIS, and the HTTP request does not leave machine boundaries,
> : DefaultCredentials should be propagated. Sorry Kannan, doesn't look like
> : we're helping. ;-)
> :
> : Alek
> :
> : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> : news:ekzHVogEEHA.1600@tk2msftngp13.phx.gbl...
> : > But he is executing a new HTTP request (just as the browser did
> : > originally)...and the code doesn't have enough information to complete the
> : > authentication challenge that the web server will be issuing. All he has is
> : > the token - not the username/password.
> : >
> : > Cheers
> : > Ken
> : >
> : > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> : > news:%23vjNr%23cEEHA.696@TK2MSFTNGP12.phx.gbl...
> : > : You are absolutely right, but what I am trying to say is that there is no
> : > : OTHER machine. The impersonation token for Integrated Windows Authentication
> : > : should work fine on the same system. And, according to the original post,
> : > : both resources reside on the same server, so double-hop should not be an
> : > : issue.
> : > :
> : > : Alek
> : > :
> : > : "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> : > : in message news:O55yavcEEHA.2460@TK2MSFTNGP10.phx.gbl...
> : > : > The way I read it, it works like this:
> : > : >
> : > : > 1. User authenticates with web server via browser using Windows Integrated
> : > : > authentication
> : > : > 2. IIS creates a token for the authenticated user. This token is an
> : > : > impersonation token since that's what IIS creates for Integrated
> : > : > authentication
> : > : > 3. ASP.NET code accesses DefaultCredentials to use in WebRequest.
> : > : > DefaultCredentials are based on the impersonation token, so they cannot hop
> : > : > to another server.
> : > : >
> : > : > That's my theory. Since the user's password is never passed to the IIS
> : > : > server, the only way the token on the IIS server is going to hop to another
> : > : > machine on the network is via Kerberos Delegation. If that isn't available,
> : > : > then the hop won't happen (which is what it sounds like is happening). If
> : > : > web authentication was Basic, then the user's plain text credentials are
> : > : > available, so a primary token can be created and that will hop to a
> : > : > different machine without delegation.
> : > : >
> : > : > Joe K.
> : > : >
> : > : > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> : > : > news:uIlneDcEEHA.2640@TK2MSFTNGP09.phx.gbl...
> : > : > > But Kannan said that all resources reside on the same server. How can it
> : > : > > be the double-hop problem? Logically, it should work, but maybe there is
> : > : > > something else we're missing.
> : > : > >
> : > : > > Alek
> : > : > >
> : > : > > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> : > : > > in message news:eXamriREEHA.1452@TK2MSFTNGP09.phx.gbl...
> : > : > > > Given that you are using default credentials, it does look like it might be
> : > : > > > a double hop issue.
> : > : > > >
> : > : > > > If the current security context is an impersonation token that can't
> : > : > > > delegate, then the credentials you supply will not hop to the other machine.
> : > : > > > Since Windows integrated authentication creates an impersonation token, this
> : > : > > > is very likely to be the case.
> : > : > > >
> : > : > > > Joe K.
> : > : > > >
> : > : > > >
> : > : > > > "Kannan" <pv_kannan@yahoo.com> wrote in message
> : > : > > > news:b46a02f.0403231023.21b252a7@posting.google.com...
> : > : > > > > Hi Alex,
> : > : > > > > I am setting that in the code. Here is the code sample in VB.NET:
> : > : > > > >
> : > : > > > > ' Namespaces this function depends on (the enclosing class/file was
> : > : > > > > ' not part of the post).
> : > : > > > > Imports System.Net
> : > : > > > > Imports System.Xml
> : > : > > > > Imports System.Diagnostics
> : > : > > > > Imports System.Security.Principal
> : > : > > > >
> : > : > > > > ' Logs on to Project Server with the calling thread's Windows token and
> : > : > > > > ' returns the logon cookie string extracted from the LgnIntAu.asp reply.
> : > : > > > > Private Function LogonToProjectServer(ByVal projectServerUrl As String) As String
> : > : > > > >
> : > : > > > >     Dim url As String
> : > : > > > >     Dim cookieString As String
> : > : > > > >
> : > : > > > >     If Not projectServerUrl.EndsWith("/") Then
> : > : > > > >         projectServerUrl += "/"
> : > : > > > >     End If
> : > : > > > >
> : > : > > > >     url = projectServerUrl + "LgnIntAu.asp"
> : > : > > > >     Dim XMLDoc As New XmlDocument
> : > : > > > >
> : > : > > > >     Try
> : > : > > > >         ' Unused: DefaultCredentials carries only the thread's token, never a
> : > : > > > >         ' user name or password, so there is nothing to read from this cast.
> : > : > > > >         Dim networkCredential As NetworkCredential = _
> : > : > > > >             CType(CredentialCache.DefaultCredentials, NetworkCredential)
> : > : > > > >         Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
> : > : > > > >
> : > : > > > >         Dim log As New EventLog
> : > : > > > >         log.Log = "Application"
> : > : > > > >         log.Source = "PDSHelper:LogonToProjectServer"
> : > : > > > >
> : > : > > > >         ' This returns the correct username
> : > : > > > >         log.WriteEntry("WindowsUser is " + identity.Name, EventLogEntryType.Information)
> : > : > > > >
> : > : > > > >         Dim myRes As HttpWebResponse = Nothing
> : > : > > > >         Dim i As Integer
> : > : > > > >         For i = 0 To 2
> : > : > > > >             ' A new HttpWebRequest per attempt: once GetResponse has failed,
> : > : > > > >             ' the same request object cannot be resubmitted.
> : > : > > > >             Dim myReq As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
> : > : > > > >             Dim conCookie As New CookieContainer
> : > : > > > >             myReq.CookieContainer = conCookie
> : > : > > > >             ' Hands the current thread's Windows token to the request.
> : > : > > > >             myReq.Credentials = CredentialCache.DefaultCredentials
> : > : > > > >             Try
> : > : > > > >                 myRes = CType(myReq.GetResponse(), HttpWebResponse)
> : > : > > > >                 ' if it gets to this line it didn't error
> : > : > > > >                 Exit For
> : > : > > > >             Catch e As Exception
> : > : > > > >                 If i = 2 Then
> : > : > > > >                     Throw   ' rethrow as-is; "Throw e" would reset the stack trace
> : > : > > > >                 End If
> : > : > > > >             End Try
> : > : > > > >         Next i
> : > : > > > >
> : > : > > > >         XMLDoc.Load(myRes.GetResponseStream())
> : > : > > > >         log.WriteEntry("Xmlcontents are " + XMLDoc.InnerText, EventLogEntryType.Information)
> : > : > > > >         ' Close the response to free resources.
> : > : > > > >         myRes.Close()
> : > : > > > >
> : > : > > > >         ' GetLogonStatus is a helper elsewhere in the poster's code.
> : > : > > > >         cookieString = GetLogonStatus(XMLDoc)
> : > : > > > >         If cookieString Is Nothing OrElse cookieString.Length < 10 Then
> : > : > > > >             Throw New Exception("Invalid Project Server Login Cookie: " + cookieString)
> : > : > > > >         End If
> : > : > > > >     Catch ex As Exception
> : > : > > > >         Throw New Exception("Error occurred attempting to log into project server: " _
> : > : > > > >             + url + vbCrLf + XMLDoc.InnerXml, ex)
> : > : > > > >     End Try
> : > : > > > >
> : > : > > > >     Return cookieString
> : > : > > > >
> : > : > > > > End Function
> : > : > > > >
> : > : > > > > ************************************************************************
> : > : > > > > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> : > : > > > > news:<OiRD1rHEEHA.3372@TK2MSFTNGP10.phx.gbl>...
> : > : > > > > > Kannan,
> : > : > > > > >
> : > : > > > > > Before you call the other site, make sure that you set the default
> : > : > > > > > credentials for your HttpWebRequest's (or whatever class you're using)
> : > : > > > > > Credentials member. See MSDN documentation on
> : > : > > > > > CredentialCache.DefaultCredentials for samples.
> : > : > > > > >
> : > : > > > > > Alek
> : > : > > > > >
> : > : > > > > > "Kannan" <pv_kannan@yahoo.com> wrote in message
> : > : > > > > > news:b46a02f.0403221407.388842f1@posting.google.com...
> : > : > > > > > > We are having a strange problem with NT credentials being lost while
> : > : > > > > > > accessing another resource on the same server.
> : > : > > > > > >
> : > : > > > > > > Here is the scenario:
> : > : > > > > > >
> : > : > > > > > > Step 1
> : > : > > > > > > -------------
> : > : > > > > > > Client A makes a call to a method in a C# DLL that resides in Server A
> : > : > > > > > > using Windows Auth (correct settings in web.config and IIS).
> : > : > > > > > >
> : > : > > > > > > Step 2
> : > : > > > > > > -------------
> : > : > > > > > > That method makes a call to an asp page that is present on a different
> : > : > > > > > > website on the same server (Server A) to retrieve a cookie value.
> : > : > > > > > >
> : > : > > > > > > I notice that Windows credentials are being passed over in Step 1. It
> : > : > > > > > > returns the correct value when I use WindowsIdentity.GetCurrent.Name.
> : > : > > > > > > But they do not get passed over from DLL method to the site in Step 2.
> : > : > > > > > > (LOGON_USER returns blank)
> : > : > > > > > >
> : > : > > > > > >
> : > : > > > > > > Would this be a double-hop issue? Would use of delegation and kerberos
> : > : > > > > > > help?
> : > : > > > > > >
> : > : > > > > > > Any help would be really appreciated.
> : > : > > > > > >
> : > : > > > > > > Thanks
> : > : > > > > > > kannan
> : > : > > >
> : > : > > >
> : > : > >
> : > : > >
> : > : >
> : > : >
> : > :
> : > :
> : >
> : >
> :
> :
>
>
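The thread argues about machine boundaries, SPNs and token types without anyone being able to see which of those is actually in play for the second request. As an added example (not code from the thread or from any poster), the C# helper below collects the facts that decide whether the onward HttpWebRequest can answer the second site's challenge: which package IIS authenticated the user with (NTLM or Kerberos), whether the thread's token is a primary token or an impersonation token and at what level, and the SPN the onward URL maps to. It also shows Joe's Basic-auth alternative, building an explicit NetworkCredential from the plaintext password IIS exposes. It assumes .NET Framework 2.0 or later (WindowsIdentity.ImpersonationLevel does not exist in 1.1), an ASP.NET request running with impersonation enabled, and the class, method and log delegate names are mine.

```csharp
// Added example, not from the thread. Assumes .NET Framework 2.0+ and an
// ASP.NET request with <identity impersonate="true"/>. Names are hypothetical.
using System;
using System.Net;
using System.Security.Principal;
using System.Web;

public static class HopDiagnostics
{
    // The service principal name a Kerberos client requests a ticket for when
    // it talks to an HTTP URL: HTTP/<host as written in the URL>. Two sites on
    // one box share an SPN only if they are reached through the same host name.
    public static string ExpectedSpn(Uri target)
    {
        return "HTTP/" + target.Host;
    }

    // One line describing what the outbound request has to work with.
    // AuthenticationType is the package IIS used ("NTLM" or "Kerberos").
    // ImpersonationLevel is Impersonation for a token that may only touch local
    // resources, Delegation for one that may authenticate onward, and None when
    // no impersonation is in effect (the thread runs under a primary token).
    public static string Describe(Uri target)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        HttpContext ctx = HttpContext.Current;
        string iisAuth = ctx != null ? ctx.Request.ServerVariables["AUTH_TYPE"] : "(no HttpContext)";
        return string.Format("thread={0} package={1} level={2} iisAuth={3} targetSpn={4}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel, iisAuth, ExpectedSpn(target));
    }

    // Credentials for the second hop.
    //  - Basic: IIS exposes the plaintext password as AUTH_PASSWORD, so an
    //    explicit NetworkCredential can be built; Windows performs a fresh logon
    //    with it, and no delegation is needed for the onward request.
    //  - Integrated (NTLM/Kerberos): only the token exists. DefaultCredentials is
    //    all the code can hand over, and it satisfies the second server's
    //    challenge only if the token is at Delegation level.
    public static ICredentials ChooseCredentials(HttpRequest req)
    {
        string authType = req.ServerVariables["AUTH_TYPE"];
        if (string.Equals(authType, "Basic", StringComparison.OrdinalIgnoreCase))
        {
            string logonUser = req.ServerVariables["LOGON_USER"]; // DOMAIN\user
            string domain = "", user = logonUser;
            int slash = logonUser.IndexOf('\\');
            if (slash >= 0)
            {
                domain = logonUser.Substring(0, slash);
                user = logonUser.Substring(slash + 1);
            }
            return new NetworkCredential(user, req.ServerVariables["AUTH_PASSWORD"], domain);
        }
        return CredentialCache.DefaultCredentials;
    }

    // Issues the second-hop request and returns its status code, logging the
    // diagnostic line first so a 401 can be read against the token facts.
    public static HttpStatusCode Probe(Uri target, ICredentials creds, Action<string> log)
    {
        log(Describe(target));
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(target);
        req.Credentials = creds;
        req.PreAuthenticate = false; // let the server's WWW-Authenticate pick the package
        try
        {
            using (HttpWebResponse res = (HttpWebResponse)req.GetResponse())
            {
                return res.StatusCode;
            }
        }
        catch (WebException ex)
        {
            HttpWebResponse res = ex.Response as HttpWebResponse;
            if (res == null) throw;
            log("second hop failed: " + (int)res.StatusCode + " " + res.StatusDescription);
            return res.StatusCode;
        }
    }
}
```

Call `Probe(new Uri("http://host/site2/LgnIntAu.asp"), ChooseCredentials(Request), msg => EventLog.WriteEntry("PDSHelper", msg))` from the page that makes the second hop. If the logged line shows `package=NTLM level=Impersonation`, the token cannot be used to authenticate onward no matter where the second site lives, since NTLM has no delegation; `package=Kerberos level=Delegation` is what is needed for DefaultCredentials to work, and `targetSpn` shows which service account must be allowed to receive that delegated ticket.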