Re: Problem establishing SSL connection in code-behind



On Jan 5, 4:04 am, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Actually, that isn't a double hop as you have plaintext credentials for the
user. Double hop (i.e. impersonation/delegation) is when you authenticate
the user on the front end using IWA, impersonate the authenticated user in
the front end application and then try to use that user's security context
to access a remote resource. If the remote resource was a web app, then you
would use CredentialCache.DefaultCredentials instead of creating a
NetworkCredential object. This is definitely much harder to do than what
you are trying to do.

If your goal of this set up is simply to use forms-based authentication to
prompt the user for plaintext credentials and then validate the credentials
using IWA to a remote resource, there are much easier ways to do that like
the ActiveDirectoryMembershipProvider. It is designed to allow easy creds
validation via LDAP to AD for forms auth applications. Normally people
implement a scenario like you are setting up as a way to invoke remote
functionality like a web service and get actual data from the remote
resource.

If the event log audits aren't showing anything different between a request
that generates a 401 with HttpWebRequest but gets a 200 in wfetch using the
exact same credentials, then I don't really know where else to look. If you
are using different credentials, then that might explain it as you also need
to verify that the account getting the 401 has read access to the page in
question. Otherwise I don't really have any other ideas. If you could post
the details from the event log messages for the succeeding and failing GET
request (just the 540 event), that would help. Picture isn't needed, just
the text.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
--"gnewsgroup" <gnewsgr...@xxxxxxxxx> wrote in message

Thank you for the clarification. I actually did want to directly try
Active Directory (AD) authentication. But from the documentation I
read, it looks like we need to put into web.config the username/password
of an administrator of the target domain.

Although such credential info can be encrypted in web.config, I balk
at asking for such info from our client. That's why we would like to
go the roundabout way.

I will copy-paste the details of the logon audit on Monday.
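
The two credential modes contrasted in the quoted reply, side by side, as an added C# example (not code from either poster). The class and method names are hypothetical, and the target URL and account are supplied by whoever runs it.

```csharp
using System;
using System.Net;

static class CredentialModes
{
    // Explicit credentials (the situation in this thread): the application holds the
    // user's name and password, so it performs its own fresh logon to the remote
    // server. Nothing is delegated, so this is not a double hop.
    static HttpWebRequest WithExplicitCredentials(Uri url, NetworkCredential cred)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        var cache = new CredentialCache();
        // Bind the credential to this URL prefix and to the IWA schemes only, so the
        // password is not offered to other hosts or sent via Basic.
        cache.Add(url, "Negotiate", cred);
        cache.Add(url, "NTLM", cred);
        request.Credentials = cache;
        return request;
    }

    // Current security context: in a console run this is the process account
    // (single hop). Inside ASP.NET while impersonating an IWA-authenticated user it
    // is that user's token, which holds no password to forward; that is the
    // double-hop case and it needs Kerberos delegation to succeed.
    static HttpWebRequest WithCurrentContext(Uri url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Credentials = CredentialCache.DefaultCredentials;
        return request;
    }

    // Return the HTTP status instead of throwing, so a 401 and a 200 compare directly.
    static HttpStatusCode Send(HttpWebRequest request)
    {
        try { using (var resp = (HttpWebResponse)request.GetResponse()) return resp.StatusCode; }
        catch (WebException ex) when (ex.Response is HttpWebResponse denied)
        { using (denied) return denied.StatusCode; }
    }

    static void Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: CredentialModes <https-url>"); return; }
        var url = new Uri(args[0]);
        Console.Write("Account (DOMAIN\\user): ");
        string[] account = Console.ReadLine().Split('\\');
        Console.Write("Password: ");
        var cred = new NetworkCredential(account[1], Console.ReadLine(), account[0]);
        Console.WriteLine("explicit: " + Send(WithExplicitCredentials(url, cred)));
        Console.WriteLine("default:  " + Send(WithCurrentContext(url)));
    }
}
```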