Re: Windows Auth -- double hop issue??

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 03/23/04


Date: Tue, 23 Mar 2004 14:51:44 -0600

Given that you are using default credentials, it does look like it might be
a double hop issue.

If the current security context is an impersonation token that can't
delegate, then the credentials you supply will not hop to the other machine.
Since Windows integrated authentication creates an impersonation token, this
is very likely to be the case.

Joe K.

"Kannan" <pv_kannan@yahoo.com> wrote in message
news:b46a02f.0403231023.21b252a7@posting.google.com...
> Hi Alex,
> I am setting that in the code. Here is the code sample in VB.NET:
>
> Imports System.Diagnostics
> Imports System.Net
> Imports System.Security.Principal
> Imports System.Xml
>
> Private Function LogonToProjectServer(ByVal projectServerUrl As String) As String
>
>     Dim url As String
>     Dim cookieString As String
>
>     If Not projectServerUrl.EndsWith("/") Then
>         projectServerUrl += "/"
>     End If
>
>     url = projectServerUrl + "LgnIntAu.asp"
>     Dim XMLDoc As New XmlDocument
>
>     Try
>         Dim myReq As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
>         Dim conCookie As New CookieContainer
>         myReq.CookieContainer = conCookie
>         ' Authenticate the request with the current security context
>         myReq.Credentials = CredentialCache.DefaultCredentials
>         Dim networkCredential As NetworkCredential = CType(CredentialCache.DefaultCredentials, NetworkCredential)
>         Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
>
>         Dim log As New EventLog
>         log.Log = "Application"
>         log.Source = "PDSHelper:LogonToProjectServer"
>
>         log.WriteEntry("WindowsUser is " + identity.Name, EventLogEntryType.Information) ' This returns the correct username
>
>         ' Try the request up to three times before giving up
>         Dim myRes As HttpWebResponse = Nothing
>         Dim i As Integer
>         For i = 0 To 2
>             Try
>                 myRes = CType(myReq.GetResponse(), HttpWebResponse)
>                 ' if it gets to this line it didn't error
>                 Exit For
>             Catch e As Exception
>                 If i = 2 Then
>                     ' Rethrow without resetting the stack trace
>                     Throw
>                 End If
>             End Try
>         Next i
>
>         XMLDoc.Load(myRes.GetResponseStream())
>         log.WriteEntry("Xmlcontents are " + XMLDoc.InnerText, EventLogEntryType.Information)
>         ' Close the response to free resources.
>         myRes.Close()
>
>         cookieString = GetLogonStatus(XMLDoc)
>         If cookieString.Length < 10 Then
>             Throw New Exception("Invalid Project Server Login Cookie: " + cookieString)
>         End If
>     Catch ex As Exception
>         Throw New Exception("Error occurred attempting to log into project server: " + url + vbCrLf + XMLDoc.InnerXml, ex)
>     End Try
>
>     LogonToProjectServer = cookieString
>
> End Function
>
>
>
>
> ************************************************************************
> "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> news:<OiRD1rHEEHA.3372@TK2MSFTNGP10.phx.gbl>...
> > Kannan,
> >
> > Before you call the other site, make sure that you set the default
> > credentials for your HttpWebRequest's (or whatever class you're using)
> > Credentials member. See MSDN documentation on
> > CredentialCache.DefaultCredentials for samples.
> >
> > Alek
> >
> > "Kannan" <pv_kannan@yahoo.com> wrote in message
> > news:b46a02f.0403221407.388842f1@posting.google.com...
> > > We are having a strange problem with NT credentials being lost while
> > > accessing another resource on the same server.
> > >
> > > Here is the scenario:
> > >
> > > Step 1
> > > -------------
> > > Client A makes a call to a method in a C# DLL that resides in Server A
> > > using Windows Auth (correct settings in web.config and IIS).
> > >
> > > Step 2
> > > -------------
> > > That method makes a call to an asp page that is present on a different
> > > website on the same server (Server A) to retrieve a cookie value.
> > >
> > > I notice that Windows credentials are being passed over in Step 1. It
> > > returns the correct value when I use WindowsIdentity.GetCurrent.Name.
> > > But they do not get passed over from DLL method to the site in Step 2.
> > > (LOGON_USER returns blank)
> > >
> > >
> > > Would this be a double-hop issue? Would use of delegation and kerberos
> > > help?
> > >
> > > Any help would be really appreciated.
> > >
> > > Thanks
> > > kannan
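
A diagnostic for the condition described in the reply at the top of this message, added here as an example and not part of the original thread: it reports whether the calling thread's token is at the Delegation level, which is what default credentials need in order to authenticate to another machine. The names `DoubleHopCheck` and `DescribeSecondHop` are hypothetical, and the code assumes .NET Framework 2.0 or later, where `WindowsIdentity.ImpersonationLevel` and `WindowsIdentity.GetCurrent(Boolean)` are available.

```vbnet
Imports System
Imports System.Security.Principal

' Added example; DoubleHopCheck and DescribeSecondHop are hypothetical names.
Module DoubleHopCheck

    ' Describes whether the security context of the calling thread could
    ' authenticate to a second server when default credentials are used.
    Public Function DescribeSecondHop() As String
        ' GetCurrent(True) returns Nothing when the thread is not impersonating;
        ' outbound requests then run as the process account.
        Using impersonated As WindowsIdentity = WindowsIdentity.GetCurrent(True)
            If impersonated Is Nothing Then
                Using processIdentity As WindowsIdentity = WindowsIdentity.GetCurrent()
                    Return "Not impersonating; default credentials belong to the process account " &
                           processIdentity.Name
                End Using
            End If

            Dim summary As String = String.Format("{0} (authentication: {1}, level: {2})",
                                                  impersonated.Name,
                                                  impersonated.AuthenticationType,
                                                  impersonated.ImpersonationLevel)

            Select Case impersonated.ImpersonationLevel
                Case TokenImpersonationLevel.Delegation
                    ' The server may act as the client on remote systems.
                    Return summary & ": token can be used for a second hop"
                Case TokenImpersonationLevel.Impersonation
                    ' The server may act as the client on the local system only.
                    Return summary & ": token is limited to this machine, so a second hop will not carry the user"
                Case Else
                    ' None, Anonymous or Identification: the token cannot be used to act as the client.
                    Return summary & ": token cannot be used to act as the client"
            End Select
        End Using
    End Function

    ' Stand-alone entry point; in a web application, call DescribeSecondHop
    ' from the request-handling code and log the result instead.
    Sub Main()
        Console.WriteLine(DescribeSecondHop())
    End Sub

End Module
```

Logging this value next to `identity.Name` shows why the user name can be correct while the outbound request still arrives unauthenticated.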


