Re: Problem establishing SSL connection in code-behind
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 5 Jan 2008 03:04:57 -0600
Actually, that isn't a double hop as you have plaintext credentials for the
user. Double hop (i.e. impersonation/delegation) is when you authenticate
the user on the front end using IWA, impersonate the authenticated user in
the front end application and then try to use that user's security context
to access a remote resource. If the remote resource was a web app, then you
would use CredentialCache.DefaultCredentials instead of creating a
NetworkCredential object. This is definitely much harder to do than what
you are trying to do.

If your goal of this set up is simply to use forms-based authentication to
prompt the user for plaintext credentials and then validate the credentials
using IWA to a remote resource, there are much easier ways to do that like
the ActiveDirectoryMembershipProvider. It is designed to allow easy creds
validation via LDAP to AD for forms auth applications. Normally people
implement a scenario like you are setting up as a way to invoke remote
functionality like a web service and get actual data from the remote
resource.

If the event log audits aren't showing anything different between a request
that generates a 401 with HttpWebRequest but gets a 200 in wfetch using the
exact same credentials, then I don't really know where else to look. If you
are using different credentials, then that might explain it as you also need
to verify that the account getting the 401 has read access to the page in
question. Otherwise I don't really have any other ideas. If you could post
the details from the event log messages for the succeeding and failing GET
request (just the 540 event), that would help. Picture isn't needed, just
the text.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"gnewsgroup" <gnewsgroup@xxxxxxxxx> wrote in message
news:d758f1b0-7fce-4cd4-b1db-1dd6dd9cd9af@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Reading your posts in this group, I got to know something called
"double hop".
My understanding of the so-called "double hop" is still pretty
vague. Is my situation double hop? Here is the background of my
situation (just in case):
1. Users of my web application will provide their Windows username,
password and domain to get authenticated. My login page looks like so:
Username: [ ]
Password: [ ]
Domain: [ ] <--- This is a dropdown.
2. I collect these credential fields and send them to a dummy web site
on a remote server. This dummy web site uses Windows Integrated
Authentication (WIA) only and has only one page that says "hola
amigo".
3. We check the response of the dummy website. If it contains "hola
amigo", the user is considered authenticated.
Is this a typical double hop (or delegation)? It sounds like it is.
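
Added example, not part of the original thread and not either poster's code: the two cases contrasted in the reply above, side by side in C#. The class name, method names and command-line arguments are hypothetical; the target URL is whatever IWA-protected page the caller supplies.

```csharp
using System;
using System.Net;

static class RemoteIwaProbe   // hypothetical name, for illustration only
{
    // Case 1 (the setup in this thread): the application holds the user's
    // plaintext credentials and authenticates to the remote site itself.
    // One hop from the app to the resource, no delegation involved.
    public static HttpStatusCode GetWithExplicitCredentials(
        Uri url, string user, string password, string domain)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Credentials = new NetworkCredential(user, password, domain);
        return GetStatus(request);
    }

    // Case 2 (double hop): no password is available. The request uses the
    // security context the code is running under, which reaches the remote
    // site as the end user only if the app is impersonating that user and
    // delegation has been set up for it.
    public static HttpStatusCode GetWithCurrentSecurityContext(Uri url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Credentials = CredentialCache.DefaultCredentials;
        return GetStatus(request);
    }

    // HttpWebRequest reports a 401 as a WebException, not as a normal
    // response, so the status code has to be recovered from the exception.
    static HttpStatusCode GetStatus(HttpWebRequest request)
    {
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                return response.StatusCode;
        }
        catch (WebException ex)
        {
            var response = ex.Response as HttpWebResponse;
            if (response == null) throw;   // DNS, TLS or connection failure
            using (response) return response.StatusCode;
        }
    }

    static void Main(string[] args)   // args: <url> <user> <domain> (assumed)
    {
        var url = new Uri(args[0]);
        Console.Write("Password: ");
        string password = Console.ReadLine();
        Console.WriteLine("explicit: " + GetWithExplicitCredentials(url, args[1], password, args[2]));
        Console.WriteLine("default:  " + GetWithCurrentSecurityContext(url));
    }
}
```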