Re: Please help Passing Credentials

The code is fine. I don't need to see that again. Using DefaultCredentials
is all there really is from a coding standpoint as long as you are using IWA
auth in IIS and have impersonate set to true.

A few things here:
- "Negotiate" in the headers does not mean that you WILL get Kerberos auth,
it just means that you CAN. The security event log on the web server will
tell you for sure what actually happened.
- In order for the web server to delegate to the other web server, the
account running the web server must be "trusted for delegation" in AD. This
account is usually the machine account of the server if you are running IIS
6 with the defaults for the app pool identity (Network Service). If you are
running as something else, then that account must be changed. If you are
running as a local machine account, it won't work. If you don't have the
rights to change this in AD yourself, your domain admins will have to do it
for you.
- The other web site must also be accessible with Kerberos authentication,
so you should check that the same way you check the front end server.
- In order for the front end web server to do Kerberos authentication to
the backend server, the host name in the URL must have the right service
principal name (SPN) in AD for the account running that web server. In your
code, it is "http://server2";, so the SPN should be either HOST/server2 or
HTTP/server2. If the actual value is different, then it should match that.
You can check the SPNs for an account with an LDAP query tool like ADSI
Edit, ldp.exe or adfind.exe from (different Joe...).

There are potentially some other steps you need to do if you are planning to
use protocol transition (S4U) and/or constrained delegation. It is
definitely a good idea to read the big TechNet docs on this stuff to gain
more detailed insight.

Best of luck,

Joe K.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
"JOS" <JeremiahOSullivan@xxxxxxxxx> wrote in message
Hi Joe,

Thanks for the tip, I am trying to wade through all the info on google

I installed the tool from and authentication seems o.k it
returns negotiate for all requests.
However I still get the 401 error when constructing the HttpWebRequest
(see code below)

What should I be looking for next?

Thanks in advance

HttpWebRequest Req = (HttpWebRequest)
Req.Credentials = System.Net.CredentialCache.DefaultCredentials;
Req.ContentLength = byteArray.Length;
Stream newStream = Req.GetRequestStream();

HttpWebResponse response = (HttpWebResponse)Req.GetResponse();
StreamReader responseStream = new
string Res = processResponse(responseStream.ReadToEnd());
return Res;

Joe Kaplan wrote:
Double hops are solved by implementing Kerberos delegation. I'd suggest
doing some reading on that. There are lots of good papers on the various
websites explaining it and I've answered the question in detail on this
other newsgroups too. In fact, there is another thread that was just
started a few days ago that already launches into the details. Google is
your friend...

Joe K.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
"JOS" <JeremiahOSullivan@xxxxxxxxx> wrote in message

I am having problems passing Windows credentials to a HTTPRequest
object using ASP.NET 1.1

Here is my set up
Server 1
* ASP.NET 1.1 application
* Integrated Authentication Security
* <identity impersonate = true>
Server 2
* ASP Page
* Integrated Autentication Security

I am creating a HTTPRequest object in Server 1 and passing credentials
using System.NET.DefaultCredentials. The HTTPRequest object is calling
an ASP page on server 2 to submit some XML

If I log on to Server1 as a windows user, browse to the web application
and submit the page it works ok

If I log on to Server 2 as the same windows user, browse to the web
application on Server 1 and submit the page I get a 401 access denied

It looks like I am have problems with the double hop of the

How can I get this to work, I have basic knowledge of Windows
networking so the simpler the better:)

Any help gratefully recevied