Re: The pest of Impersonation



On 24 Sep, 18:56, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
This sounds like a double hop issue which typically would require Kerberos
delegation to fix. What type of authentication is used on the ASP.NET site?
If it is integrated auth, then you will need to implement Kerberos
delegation to get the credentials to flow from the browser to your web site
to a web site that it calls.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Cliff" <J...@xxxxxxxxxxxxx> wrote in message

news:1190652183.785512.107500@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



I have an ASP Website setup which presents some data, then posts
changes to that data to another webpage (which is java based) by using
variables on the URL Line, the Java website traps the user's details
and places some information against the closed call, such as who
closed it.

This works ok....and here's the code

string number = ((CloseParams)o).number;
string CloseText = ((CloseParams)o).closecomment;
WebClient wc = new WebClient();
wc.UseDefaultCredentials = true;

Uri uri = new Uri("http://callsite/getservices/view_specific_update_action.cfm?number="
    + number + "&Resolution=" + HttpUtility.UrlEncode(CloseText)
    + "&subclose=" + HttpUtility.UrlEncode("Close Ticket"));
string result = wc.DownloadString(uri);

The website on the other side of this (callsite) is supposed to be
trapping the currently logged on user (through integrated
authentication) and placing the logged on user details on the call.

If you access the callsite through IE everything works fine.

However...by accessing my site which is in ASP.NET that information
does not get passed through.

If in my code I do

Debug.WriteLine(this.User.Identity.Name.ToString());

I get the username of the currently logged on user to my asp.net
site....which is what I would expect. That user should be what is
passing across to the other site....surely???

The guys who own the Java site are saying they are seeing the server
that my site is running on as the account that is closing tickets.

I've made a few changes to things

I've tried setting Impersonate = true and false in web.config.

I've tried changing the identity in the App Pool to Local Service and
Local System

I've tried changing the code to run the old fashioned way:

HttpWebRequest req = (HttpWebRequest)WebRequest.Create(uri.ToString());
string username = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
EventLog.WriteEntry("AutoGen close tool", "User " + username +
    "\n" + "Executed the URL: " + uri.ToString());
WebResponse response = req.GetResponse();
StreamReader sr = new StreamReader(response.GetResponseStream());
string tmp = sr.ReadToEnd();

i.e. using WebRequest instead of WebClient

I've also tried doing an explicit impersonation

HttpWebRequest req = (HttpWebRequest)WebRequest.Create(uri.ToString());

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

string username = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
EventLog.WriteEntry("AutoGen close tool", "User " + username +
    "\n" + "Executed the URL: " + uri.ToString());

WebResponse response = req.GetResponse();
StreamReader sr = new StreamReader(response.GetResponseStream());
string tmp = sr.ReadToEnd();

but none of that works!

How can I put the call across to the Callsite website using the
credentials of the user that's accessing my website?

Cliff.


Hi. Thanks for that, I've given the server the "trusted for
Delegation" right in AD and given it a re-boot, but still to no avail...

for reference: The site is set as Integrated and Digest authentication

The Application Pool has been tried under Local Service, Network
Service and Local System

The web.config file is set to <authentication mode="Windows"/> and
<identity impersonate="true"/>

Many thanks!

Cliff.
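
Added example, not part of the original posts: a .NET Framework diagnostic for the double-hop case discussed in this thread. It reports whether the browser user's token arrived at Delegation level and refuses to make the second hop otherwise, so the back-end never records the server's own account by accident. The names DoubleHopCheck, Describe and GetAsCaller are hypothetical.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;

public static class DoubleHopCheck
{
    // Summarise the caller's token. Only a Delegation-level token can
    // authenticate to a second server on the user's behalf.
    public static string Describe(WindowsIdentity caller)
    {
        return string.Format("user={0} authType={1} level={2} canDelegate={3}",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel,
            caller.ImpersonationLevel == TokenImpersonationLevel.Delegation);
    }

    // Call the back-end as the browser user, or fail loudly instead of
    // silently falling back to the process (machine) account.
    public static string GetAsCaller(WindowsIdentity caller, Uri uri)
    {
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Token cannot be delegated: " + Describe(caller));

        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(uri);
            // While impersonating, DefaultCredentials are the impersonated user's.
            req.Credentials = CredentialCache.DefaultCredentials;
            using (WebResponse resp = req.GetResponse())
            using (StreamReader sr = new StreamReader(resp.GetResponseStream()))
                return sr.ReadToEnd();
        }
        finally
        {
            ctx.Undo(); // always revert to the process identity
        }
    }
}
```

From a page, log DoubleHopCheck.Describe((WindowsIdentity)User.Identity) first; a level of Impersonation rather than Delegation means the token cannot leave the web server, whatever the outbound request code does.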
