Re: Please help Passing Credentials



The code is fine. I don't need to see that again. Using DefaultCredentials
is all there really is from a coding standpoint as long as you are using IWA
auth in IIS and have impersonate set to true.

A few things here:
- "Negotiate" in the headers does not mean that you WILL get Kerberos auth,
it just means that you CAN. The security event log on the web server will
tell you for sure what actually happened.
- In order for the web server to delegate to the other web server, the
account running the web server must be "trusted for delegation" in AD. This
account is usually the machine account of the server if you are running IIS
6 with the defaults for the app pool identity (Network Service). If you are
running as something else, then that account must be changed. If you are
running as a local machine account, it won't work. If you don't have the
rights to change this in AD yourself, your domain admins will have to do it
for you.
- The other web site must also be accessible with Kerberos authentication,
so you should check that the same way you check the front end server.
- In order for the front end web server to do Kerberos authentication to
the backend server, the host name in the URL must have the right service
principal name (SPN) in AD for the account running that web server. In your
code, it is "http://server2", so the SPN should be either HOST/server2 or
HTTP/server2. If the actual value is different, then it should match that.
You can check the SPNs for an account with an LDAP query tool like ADSI
Edit, ldp.exe or adfind.exe from www.joeware.net (different Joe...).

There are potentially some other steps you need to do if you are planning to
use protocol transition (S4U) and/or constrained delegation. It is
definitely a good idea to read the big TechNet docs on this stuff to gain
more detailed insight.

Best of luck,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
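The two directory checks listed in the reply above (an HTTP/ or HOST/ SPN for the host name in the URL on the back-end account, and the "trusted for delegation" flag on the front-end account), as an added example that is not part of the original thread or the author's own code. The class and method names are illustrative, the sample values in Main are constructed, and the directory lookup assumes a domain-joined machine with read access to AD.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices; // reference System.DirectoryServices.dll
static class DelegationCheck
{
    const int TrustedForDelegation = 0x80000; // userAccountControl: ADS_UF_TRUSTED_FOR_DELEGATION
    static bool Eq(string a, string b) { return string.Equals(a, b, StringComparison.OrdinalIgnoreCase); }
    // True if the SPN list holds HTTP/<host> or HOST/<host> (optional :port ignored) for the URL's host.
    static bool HasSpnFor(Uri url, IEnumerable<string> spns)
    {
        foreach (string spn in spns)
        {
            string[] parts = spn.Split('/');
            if (parts.Length < 2) continue;
            if ((Eq(parts[0], "HTTP") || Eq(parts[0], "HOST")) && Eq(parts[1].Split(':')[0], url.Host)) return true;
        }
        return false;
    }

    // Looks up one account in the current domain, fills spns, returns userAccountControl.
    static int Load(string sam, List<string> spns)
    {
        // Escape LDAP filter metacharacters so the account name cannot alter the query.
        string safe = sam.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29");
        string[] attrs = { "servicePrincipalName", "userAccountControl" };
        using (var ds = new DirectorySearcher("(sAMAccountName=" + safe + ")", attrs))
        {
            SearchResult r = ds.FindOne();
            if (r == null) throw new ArgumentException("account not found: " + sam);
            foreach (object v in r.Properties["servicePrincipalName"]) spns.Add((string)v);
            return (int)r.Properties["userAccountControl"][0];
        }
    }

    static void Main(string[] args)
    {
        // Constructed sample values, used when no arguments are given.
        var backSpns = new List<string> { "HOST/SERVER2", "HOST/server2.example.local" };
        int frontUac = 0x1000; // WORKSTATION_TRUST_ACCOUNT only, delegation bit not set
        string url = "http://server2/MyWebApp/ExternalXMLSubmit.asp";
        if (args.Length == 3) // <front-end account> <back-end account> <url>, e.g. SERVER1$ SERVER2$ http://server2/
        {
            backSpns.Clear(); url = args[2];
            frontUac = Load(args[0], new List<string>());
            Load(args[1], backSpns);
        }
        Console.WriteLine("Back-end SPN matches URL host: " + HasSpnFor(new Uri(url), backSpns));
        Console.WriteLine("Front-end trusted for delegation: " + ((frontUac & TrustedForDelegation) != 0));
    }
}
```

With the default Network Service app pool identity, the accounts to pass are the machine accounts, whose sAMAccountName ends in `$`.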
"JOS" <JeremiahOSullivan@xxxxxxxxx> wrote in message
news:1164148359.437766.195220@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Joe,

Thanks for the tip, I am trying to wade through all the info on google
now!

I installed the tool from blunck.info and authentication seems OK; it
returns Negotiate for all requests.
However, I still get the 401 error when constructing the HttpWebRequest
(see code below).

What should I be looking for next?

Thanks in advance
Jerry


// Fragment from a method on Server 1; byteArray holds the XML to post.
// Needs: using System.IO; using System.Net;
HttpWebRequest Req = (HttpWebRequest)
    WebRequest.Create("http://server2/MyWebApp/ExternalXMLSubmit.asp");
// Send the current (impersonated) Windows identity to Server 2
Req.Credentials = System.Net.CredentialCache.DefaultCredentials;
Req.ContentType = "text/xml;charset=UTF-8";
Req.Method = "POST";
Req.ContentLength = byteArray.Length;
Stream newStream = Req.GetRequestStream();
newStream.Write(byteArray, 0, byteArray.Length);
newStream.Close();

// GetResponse
HttpWebResponse response = (HttpWebResponse)Req.GetResponse();
StreamReader responseStream = new StreamReader(response.GetResponseStream());
string Res = processResponse(responseStream.ReadToEnd());
return Res;

Joe Kaplan wrote:
Double hops are solved by implementing Kerberos delegation. I'd suggest
doing some reading on that. There are lots of good papers on the various MS
websites explaining it and I've answered the question in detail on this and
other newsgroups too. In fact, there is another thread that was just
started a few days ago that already launches into the details. Google is
your friend...

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"JOS" <JeremiahOSullivan@xxxxxxxxx> wrote in message
news:1164137895.231827.206100@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I am having problems passing Windows credentials to a HTTPRequest
object using ASP.NET 1.1

Here is my set up
Server 1
* ASP.NET 1.1 application
* Integrated Authentication Security
* <identity impersonate = true>
Server 2
* ASP Page
* Integrated Authentication Security

I am creating a HTTPRequest object in Server 1 and passing credentials
using System.NET.DefaultCredentials. The HTTPRequest object is calling
an ASP page on server 2 to submit some XML

If I log on to Server1 as a windows user, browse to the web application
and submit the page it works ok

If I log on to Server 2 as the same windows user, browse to the web
application on Server 1 and submit the page I get a 401 access denied
error

It looks like I am having problems with the double hop of the
credentials.

How can I get this to work? I have basic knowledge of Windows
networking, so the simpler the better :)

Any help gratefully received



