Re: Windows Auth -- double hop issue??

From: Alek Davis (alek_xDOTx_davis_xATx_intel_xDOTx_com)
Date: 03/25/04

  • Next message: Raja: "? - Database Query & Saving to Application Cache"
    Date: Thu, 25 Mar 2004 08:52:43 -0800
    
    

    I don't think this matters. As long as the identity/authentication/authorization
    sections of the Web.config file are set up correctly, anonymous access is
    disabled in IIS, and the HTTP request does not leave machine boundaries,
    DefaultCredentials should be propagated. Sorry Kannan, doesn't look like
    we're helping. ;-)

    Alek

    "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
    news:ekzHVogEEHA.1600@tk2msftngp13.phx.gbl...
    > But he is executing a new HTTP request (just as the browser did
    > originally)...and the code doesn't have enough information to complete the
    > authentication challenge that the web server will be issuing. All he has is
    > the token - not the username/password.
    >
    > Cheers
    > Ken
    >
    > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
    > news:%23vjNr%23cEEHA.696@TK2MSFTNGP12.phx.gbl...
    > : You are absolutely right, but what I am trying to say is that there is no
    > : OTHER machine. Impersonation token for Integrated Windows Authentication
    > : should work fine on the same system. And, according to the original post,
    > : both resources reside on the same server, so double-hop should not be an
    > : issue.
    > :
    > : Alek
    > :
    > : "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    > : in message news:O55yavcEEHA.2460@TK2MSFTNGP10.phx.gbl...
    > : > The way I read it, it works like this:
    > : >
    > : > 1. User authenticates with web server via browser using Windows Integrated
    > : > authentication
    > : > 2. IIS creates a token for the authenticated user. This token is an
    > : > impersonation token since that's what IIS creates for Integrated
    > : > authentication
    > : > 3. ASP.NET code accesses DefaultCredentials to use in WebRequest.
    > : > DefaultCredentials are based on impersonation token, so they cannot hop to
    > : > another server.
    > : >
    > : > That's my theory. Since the user's password is never passed to the IIS
    > : > server, the only way the token on the IIS server is going to hop to another
    > : > machine on the network is via Kerberos Delegation. If that isn't available,
    > : > then the hop won't happen (which is what it sounds like is happening). If
    > : > web authentication was Basic, then the user's plain text credentials are
    > : > available, so a primary token can be created and that will hop to a
    > : > different machine without delegation.
    > : >
    > : > Joe K.
    > : >
    > : > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
    > : > news:uIlneDcEEHA.2640@TK2MSFTNGP09.phx.gbl...
    > : > > But Kannan said that all resources reside on the same server. How can it
    > : > > be the double-hop problem? Logically, it should work, but maybe there is
    > : > > something else we're missing.
    > : > >
    > : > > Alek
    > : > >
    > : > > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    > : > > in message news:eXamriREEHA.1452@TK2MSFTNGP09.phx.gbl...
    > : > > > Given that you are using default credentials, it does look like it might
    > : > > > be a double hop issue.
    > : > > >
    > : > > > If the current security context is an impersonation token that can't
    > : > > > delegate, then the credentials you supply will not hop to the other
    > : > > > machine. Since Windows integrated authentication creates an impersonation
    > : > > > token, this is very likely to be the case.
    > : > > >
    > : > > > Joe K.
    > : > > >
    > : > > >
    > : > > > "Kannan" <pv_kannan@yahoo.com> wrote in message
    > : > > > news:b46a02f.0403231023.21b252a7@posting.google.com...
    > : > > > > Hi Alek,
    > : > > > > I am setting that in the code. Here is the code sample in VB.NET:
    > : > > > >
    > : > > > > Imports System.Diagnostics
    > : > > > > Imports System.Net
    > : > > > > Imports System.Security.Principal
    > : > > > > Imports System.Xml
    > : > > > >
    > : > > > > Private Function LogonToProjectServer(ByVal projectServerUrl As String) As String
    > : > > > >
    > : > > > >     Dim url As String
    > : > > > >     Dim cookieString As String
    > : > > > >
    > : > > > >     If Not projectServerUrl.EndsWith("/") Then
    > : > > > >         projectServerUrl += "/"
    > : > > > >     End If
    > : > > > >
    > : > > > >     url = projectServerUrl + "LgnIntAu.asp"
    > : > > > >     Dim XMLDoc As New XmlDocument
    > : > > > >
    > : > > > >     Try
    > : > > > >         Dim myReq As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
    > : > > > >         Dim conCookie As New CookieContainer
    > : > > > >         myReq.CookieContainer = conCookie
    > : > > > >         myReq.Credentials = CredentialCache.DefaultCredentials
    > : > > > >         Dim networkCredential As NetworkCredential = CType(CredentialCache.DefaultCredentials, NetworkCredential)
    > : > > > >         Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
    > : > > > >
    > : > > > >         Dim log As New EventLog
    > : > > > >         log.Log = "Application"
    > : > > > >         log.Source = "PDSHelper:LogonToProjectServer"
    > : > > > >
    > : > > > >         ' This returns the correct username
    > : > > > >         log.WriteEntry("WindowsUser is " + identity.Name, EventLogEntryType.Information)
    > : > > > >
    > : > > > >         Dim myRes As HttpWebResponse = Nothing
    > : > > > >         Dim i As Integer
    > : > > > >         For i = 0 To 2
    > : > > > >             Try
    > : > > > >                 myRes = CType(myReq.GetResponse(), HttpWebResponse)
    > : > > > >                 ' if it gets to this line it didn't error
    > : > > > >                 Exit For
    > : > > > >             Catch e As Exception
    > : > > > >                 If i = 2 Then
    > : > > > >                     Throw e
    > : > > > >                 End If
    > : > > > >             End Try
    > : > > > >         Next i
    > : > > > >
    > : > > > >         XMLDoc.Load(myRes.GetResponseStream())
    > : > > > >         log.WriteEntry("Xmlcontents are " + XMLDoc.InnerText, EventLogEntryType.Information)
    > : > > > >         ' Close the response to free resources.
    > : > > > >         myRes.Close()
    > : > > > >
    > : > > > >         cookieString = GetLogonStatus(XMLDoc)
    > : > > > >         If cookieString.Length < 10 Then
    > : > > > >             Throw New Exception("Invalid Project Server Login Cookie: " + cookieString)
    > : > > > >         End If
    > : > > > >     Catch ex As Exception
    > : > > > >         Throw New Exception("Error occurred attempting to log into project server: " + url + vbCrLf + XMLDoc.InnerXml, ex)
    > : > > > >     End Try
    > : > > > >
    > : > > > >     LogonToProjectServer = cookieString
    > : > > > >
    > : > > > > End Function
    > : > > > >
    > : > > > >
    > : > > > > ************************************************************************
    > : > > > > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
    > : > > > > news:<OiRD1rHEEHA.3372@TK2MSFTNGP10.phx.gbl>...
    > : > > > > > Kannan,
    > : > > > > >
    > : > > > > > Before you call the other site, make sure that you set the default
    > : > > > > > credentials for your HttpWebRequest's (or whatever class you're using)
    > : > > > > > Credentials member. See MSDN documentation on
    > : > > > > > CredentialCache.DefaultCredentials for samples.
    > : > > > > >
    > : > > > > > Alek
    > : > > > > >
    > : > > > > > "Kannan" <pv_kannan@yahoo.com> wrote in message
    > : > > > > > news:b46a02f.0403221407.388842f1@posting.google.com...
    > : > > > > > > We are having a strange problem with NT credentials being lost while
    > : > > > > > > accessing another resource on the same server.
    > : > > > > > >
    > : > > > > > > Here is the scenario:
    > : > > > > > >
    > : > > > > > > Step 1
    > : > > > > > > -------------
    > : > > > > > > Client A makes a call to a method in a C# DLL that resides in Server A
    > : > > > > > > using Windows Auth (correct settings in web.config and IIS).
    > : > > > > > >
    > : > > > > > > Step 2
    > : > > > > > > -------------
    > : > > > > > > That method makes a call to an asp page that is present on a different
    > : > > > > > > website on the same server (Server A) to retrieve a cookie value.
    > : > > > > > >
    > : > > > > > > I notice that Windows credentials are being passed over in Step 1. It
    > : > > > > > > returns the correct value when I use WindowsIdentity.GetCurrent.Name.
    > : > > > > > > But they do not get passed over from DLL method to the site in Step 2.
    > : > > > > > > (LOGON_USER returns blank)
    > : > > > > > >
    > : > > > > > >
    > : > > > > > > Would this be a double-hop issue? Would use of delegation and kerberos
    > : > > > > > > help?
    > : > > > > > >
    > : > > > > > > Any help would be really appreciated.
    > : > > > > > >
    > : > > > > > > Thanks
    > : > > > > > > kannan
    > : > > >
    > : > > >
    > : > >
    > : > >
    > : >
    > : >
    > :
    > :
    >
    >
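The thread turns on one question that Kannan's code never logs: what kind of token is the outbound HttpWebRequest running under? The following is an added example written for this page, not code from any post in the thread or from the Project Server helper it quotes. It assumes .NET Framework 2.0 or later (WindowsIdentity.ImpersonationLevel did not exist in the 1.x framework the posters were using); the class and member names OutboundAuthDiagnostics, TokenReport, Inspect and CreateForwardingRequest are this example's own. It classifies the current Windows token the way Joe Kaplan reasons about it (an impersonation-level token from Integrated Windows Authentication carries no password and cannot be forwarded unless Kerberos delegation is in place; a primary token or a Delegation-level token can), writes that verdict to the caller's log before the second hop is attempted, and separates a 401 on the second hop from other failures.

```csharp
// Added example (not from the thread). Assumes .NET Framework 2.0 or later.
// All type and member names here are this example's own assumptions.
using System;
using System.Net;
using System.Security.Principal;

public static class OutboundAuthDiagnostics
{
    public sealed class TokenReport
    {
        public string Name;                    // DOMAIN\user the request will run as
        public string AuthenticationType;      // e.g. "NTLM", "Kerberos", "Negotiate"
        public TokenImpersonationLevel Level;  // None means a primary (process/logon) token
        public bool IsPrimaryToken;
        public bool CanHopToAnotherServer;     // usable to authenticate to a second server
        public string Advice;
    }

    // Classify the token following the reasoning in the thread: an
    // impersonation-level token created by Integrated Windows Authentication
    // has no password behind it, so it cannot be forwarded to another server
    // unless Kerberos delegation is enabled; a primary token (created from
    // real credentials, as with Basic auth) or a Delegation-level token can.
    public static TokenReport Inspect(WindowsIdentity identity)
    {
        TokenReport r = new TokenReport();
        r.Name = identity.Name;
        r.AuthenticationType = identity.AuthenticationType;
        r.Level = identity.ImpersonationLevel;
        r.IsPrimaryToken = (r.Level == TokenImpersonationLevel.None);

        switch (r.Level)
        {
            case TokenImpersonationLevel.None:        // primary token
            case TokenImpersonationLevel.Delegation:  // impersonation token that may delegate
                r.CanHopToAnotherServer = true;
                r.Advice = "Token can be used to answer the next server's challenge.";
                break;
            case TokenImpersonationLevel.Impersonation:
                r.CanHopToAnotherServer = false;
                r.Advice = "Impersonation-only token with no password: the second hop " +
                           "will fail unless Kerberos delegation is configured.";
                break;
            default:  // Anonymous or Identification
                r.CanHopToAnotherServer = false;
                r.Advice = "Token cannot be used to authenticate a new request at all.";
                break;
        }
        return r;
    }

    // Build the outbound request the way the thread recommends (DefaultCredentials
    // on the Credentials member), but record the token classification first so a
    // 401 on the second hop is explainable from the event log rather than a mystery.
    public static HttpWebRequest CreateForwardingRequest(string url, Action<string> log)
    {
        TokenReport report = Inspect(WindowsIdentity.GetCurrent());
        log(string.Format("Outbound call as {0} (auth {1}, level {2}): {3}",
            report.Name, report.AuthenticationType, report.Level, report.Advice));

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.Credentials = CredentialCache.DefaultCredentials;
        req.CookieContainer = new CookieContainer();
        req.PreAuthenticate = false;  // let the server issue its Negotiate/NTLM challenge
        return req;
    }

    // Distinguish "the second hop rejected our credentials" from any other error,
    // so the retry loop does not hammer a server that will keep answering 401.
    public static bool IsAuthenticationFailure(WebException ex)
    {
        HttpWebResponse resp = ex.Response as HttpWebResponse;
        return resp != null && resp.StatusCode == HttpStatusCode.Unauthorized;
    }
}
```

In the scenario from the original post, the log line produced by CreateForwardingRequest before the call to LgnIntAu.asp is the check the thread's participants were arguing over from memory: if it reports level Impersonation, the request is carrying exactly the token Joe Kaplan describes, and the fix he names (Kerberos delegation for the web server's account) is the one to pursue rather than changing Web.config again. A WebException for which IsAuthenticationFailure returns true should end the retry loop immediately, since repeating the same challenge with the same token cannot succeed.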

