Re: Windows Auth -- double hop issue??
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 03/24/04
- Next message: Alek Davis: "Re: Windows Auth -- double hop issue??"
- Previous message: Alek Davis: "Re: Windows Auth -- double hop issue??"
- In reply to: Alek Davis: "Re: Windows Auth -- double hop issue??"
- Next in thread: Alek Davis: "Re: Windows Auth -- double hop issue??"
- Reply: Alek Davis: "Re: Windows Auth -- double hop issue??"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 24 Mar 2004 12:14:23 -0600
The way I read it, it works like this:

1. The user authenticates with the web server via the browser using Windows Integrated authentication.
2. IIS creates a token for the authenticated user. This token is an impersonation token, since that's what IIS creates for Integrated authentication.
3. The ASP.NET code accesses DefaultCredentials to use in the WebRequest. DefaultCredentials are based on the impersonation token, so they cannot hop to another server.

That's my theory. Since the user's password is never passed to the IIS server, the only way the token on the IIS server is going to hop to another machine on the network is via Kerberos Delegation. If that isn't available, then the hop won't happen (which is what it sounds like is happening). If web authentication were Basic, then the user's plain text credentials are available, so a primary token can be created, and that will hop to a different machine without delegation.
Joe K.
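As an added illustration of the impersonation-token argument above (this is not code from the thread), the C# helper below reports the impersonation level of the current Windows identity so an ASP.NET page can log whether its token can authenticate to another server before it tries. It assumes .NET Framework 2.0 or later, where WindowsIdentity.ImpersonationLevel exists; the class and method names are my own.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic helper for the double-hop explanation; not part of the thread's code.
// Requires .NET Framework 2.0+ for WindowsIdentity.ImpersonationLevel.
public static class HopDiagnostics
{
    // True when the token of the current thread can be used to authenticate to
    // another server: either a primary token (reported as None, e.g. one built
    // from Basic-auth credentials or the worker process account) or an
    // impersonation token at Delegation level (Kerberos delegation configured).
    // An Integrated-auth impersonation token normally reports Impersonation,
    // which is enough for local resources but not for a second network hop.
    public static bool CanHopToAnotherServer(WindowsIdentity identity)
    {
        if (identity == null)
            throw new ArgumentNullException("identity");

        TokenImpersonationLevel level = identity.ImpersonationLevel;
        return level == TokenImpersonationLevel.None
            || level == TokenImpersonationLevel.Delegation;
    }

    // One-line summary suitable for the EventLog entries written in the
    // LogonToProjectServer function quoted below (call before GetResponse).
    public static string Describe(WindowsIdentity identity)
    {
        return string.Format(
            "User={0} AuthType={1} Level={2} CanHop={3}",
            identity.Name,
            identity.AuthenticationType,   // e.g. "NTLM", "Kerberos", "Negotiate", "Basic"
            identity.ImpersonationLevel,
            CanHopToAnotherServer(identity));
    }

    // Example call from request-handling code.
    public static string DescribeCurrent()
    {
        return Describe(WindowsIdentity.GetCurrent());
    }
}
```

If Describe() logs Level=Impersonation with AuthType=NTLM, the outbound WebRequest will go out without the user's credentials, matching the blank LOGON_USER reported at the second site.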
"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
news:uIlneDcEEHA.2640@TK2MSFTNGP09.phx.gbl...
> But Kannan said that all resources reside on the same server. How can it be
> the double-hop problem? Logically, it should work, but maybe there is
> something else we're missing.
>
> Alek
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:eXamriREEHA.1452@TK2MSFTNGP09.phx.gbl...
> > Given that you are using default credentials, it does look like it might be
> > a double hop issue.
> >
> > If the current security context is an impersonation token that can't
> > delegate, then the credentials you supply will not hop to the other machine.
> > Since Windows integrated authentication creates an impersonation token, this
> > is very likely to be the case.
> >
> > Joe K.
> >
> >
> > "Kannan" <pv_kannan@yahoo.com> wrote in message
> > news:b46a02f.0403231023.21b252a7@posting.google.com...
> > > Hi Alex,
> > > I am setting that in the code. Here is the code sample in VB.NET:
> > >
> > > ' Namespaces the function below depends on (WebRequest, XmlDocument,
> > > ' WindowsIdentity, EventLog).
> > > Imports System.Net
> > > Imports System.Xml
> > > Imports System.Security.Principal
> > > Imports System.Diagnostics
> > >
> > > Private Function LogonToProjectServer(ByVal projectServerUrl As String) As String
> > >
> > >     Dim url As String
> > >     Dim cookieString As String
> > >
> > >     If Not projectServerUrl.EndsWith("/") Then
> > >         projectServerUrl += "/"
> > >     End If
> > >
> > >     url = projectServerUrl + "LgnIntAu.asp"
> > >     Dim XMLDoc As New XmlDocument
> > >
> > >     Try
> > >         Dim myReq As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
> > >         Dim conCookie As New CookieContainer
> > >         myReq.CookieContainer = conCookie
> > >         ' DefaultCredentials is the token of the impersonated caller
> > >         myReq.Credentials = CredentialCache.DefaultCredentials
> > >         Dim networkCredential As NetworkCredential = CType(CredentialCache.DefaultCredentials, NetworkCredential)
> > >         Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
> > >
> > >         Dim log As New EventLog
> > >         log.Log = "Application"
> > >         log.Source = "PDSHelper:LogonToProjectServer"
> > >
> > >         ' This returns the correct username
> > >         log.WriteEntry("WindowsUser is " + identity.Name, EventLogEntryType.Information)
> > >
> > >         Dim myRes As HttpWebResponse = Nothing
> > >         Dim i As Integer
> > >         ' Retry the request up to three times
> > >         For i = 0 To 2
> > >             Try
> > >                 myRes = CType(myReq.GetResponse(), HttpWebResponse)
> > >                 ' if it gets to this line it didn't error
> > >                 Exit For
> > >             Catch e As Exception
> > >                 If i = 2 Then
> > >                     Throw ' rethrow, preserving the original stack trace
> > >                 End If
> > >             End Try
> > >         Next i
> > >
> > >         XMLDoc.Load(myRes.GetResponseStream())
> > >         log.WriteEntry("Xmlcontents are " + XMLDoc.InnerText, EventLogEntryType.Information)
> > >         ' Close the response to free resources.
> > >         myRes.Close()
> > >
> > >         cookieString = GetLogonStatus(XMLDoc)
> > >         If cookieString.Length < 10 Then
> > >             Throw New Exception("Invalid Project Server Login Cookie: " + cookieString)
> > >         End If
> > >     Catch ex As Exception
> > >         Throw New Exception("Error occurred attempting to log into project server: " + url + vbCrLf + XMLDoc.InnerXml, ex)
> > >     End Try
> > >
> > >     LogonToProjectServer = cookieString
> > >
> > > End Function
> > >
> > > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
> > news:<OiRD1rHEEHA.3372@TK2MSFTNGP10.phx.gbl>...
> > > > Kannan,
> > > >
> > > > Before you call the other site, make sure that you set the default
> > > > credentials for your HttpWebRequest's (or whatever class you're using)
> > > > Credentials member. See MSDN documentation on
> > > > CredentialCache.DefaultCredentials for samples.
> > > >
> > > > Alek
> > > >
> > > > "Kannan" <pv_kannan@yahoo.com> wrote in message
> > > > news:b46a02f.0403221407.388842f1@posting.google.com...
> > > > > We are having a strange problem with NT credentials being lost while
> > > > > accessing another resource on the same server.
> > > > >
> > > > > Here is the scenario:
> > > > >
> > > > > Step 1
> > > > > -------------
> > > > > Client A makes a call to a method in a C# DLL that resides in Server A
> > > > > using Windows Auth (correct settings in web.config and IIS).
> > > > >
> > > > > Step 2
> > > > > -------------
> > > > > That method makes a call to an asp page that is present on a different
> > > > > website on the same server (Server A) to retrieve a cookie value.
> > > > >
> > > > > I notice that Windows credentials are being passed over in Step 1. It
> > > > > returns the correct value when I use WindowsIdentity.GetCurrent.Name.
> > > > > But they do not get passed over from DLL method to the site in Step 2.
> > > > > (LOGON_USER returns blank)
> > > > >
> > > > > Would this be a double-hop issue? Would use of delegation and kerberos
> > > > > help?
> > > > >
> > > > > Any help would be really appreciated.
> > > > >
> > > > > Thanks
> > > > > kannan