Re: Windows Auth -- double hop issue??

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/26/04


Date: Fri, 26 Mar 2004 12:08:42 +1100

Kerberos tickets work on the basis of a SPN, not a "machine boundary" don't
they? If the SPN is different (e.g. accessing a different website), then
delegation must be enabled for the user credentials.

Cheers
Ken

"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
news:%23uylZmoEEHA.3336@TK2MSFTNGP12.phx.gbl...
: I don't think this matters. As long as
: identity/authentication/authorization
: sections of the Web.config file are set up correctly, anonymous access is
: disabled in IIS, and the HTTP request does not leave machine boundaries,
: DefaultCredentials should be propagated. Sorry Kannan, doesn't look like
: we're helping. ;-)
:
: Alek
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:ekzHVogEEHA.1600@tk2msftngp13.phx.gbl...
: > But he is executing a new HTTP request (just as the browser did
: > originally)...and the code doesn't have enough information to complete
: > the authentication challenge that the web server will be issuing. All he
: > has is the token - not the username/password.
: >
: > Cheers
: > Ken
: >
: > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
: > news:%23vjNr%23cEEHA.696@TK2MSFTNGP12.phx.gbl...
: > : You are absolutely right, but what I am trying to say is that there is
: > : no OTHER machine. Impersonation token for Integrated Windows
: > : Authentication should work fine on the same system. And, according to
: > : the original post, both resources reside on the same server, so
: > : double-hop should not be an issue.
: > :
: > : Alek
: > :
: > : "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
: > : wrote in message news:O55yavcEEHA.2460@TK2MSFTNGP10.phx.gbl...
: > : > The way I read it, it works like this:
: > : >
: > : > 1. User authenticates with web server via browser using Windows
: > : > Integrated authentication
: > : > 2. IIS creates a token for the authenticated user. This token is an
: > : > impersonation token since that's what IIS creates for Integrated
: > : > authentication
: > : > 3. ASP.NET code accesses DefaultCredentials to use in WebRequest.
: > : > DefaultCredentials are based on impersonation token, so they cannot
: > : > hop to another server.
: > : >
: > : > That's my theory. Since the user's password is never passed to the
: > : > IIS server, the only way the token on the IIS server is going to hop
: > : > to another machine on the network is via Kerberos Delegation. If that
: > : > isn't available, then the hop won't happen (which is what it sounds
: > : > like is happening). If web authentication was Basic, then the user's
: > : > plain text credentials are available, so a primary token can be
: > : > created and that will hop to a different machine without delegation.
: > : >
: > : > Joe K.
: > : >
: > : > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in
: > : > message news:uIlneDcEEHA.2640@TK2MSFTNGP09.phx.gbl...
: > : > > But Kannan said that all resources reside on the same server. How
: > : > > can it be the double-hop problem? Logically, it should work, but
: > : > > maybe there is something else we're missing.
: > : > >
: > : > > Alek
: > : > >
: > : > > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
: > : > > wrote in message news:eXamriREEHA.1452@TK2MSFTNGP09.phx.gbl...
: > : > > > Given that you are using default credentials, it does look like
: > : > > > it might be a double hop issue.
: > : > > >
: > : > > > If the current security context is an impersonation token that
: > : > > > can't delegate, then the credentials you supply will not hop to
: > : > > > the other machine. Since Windows integrated authentication
: > : > > > creates an impersonation token, this is very likely to be the
: > : > > > case.
: > : > > >
: > : > > > Joe K.
: > : > > >
: > : > > >
: > : > > > "Kannan" <pv_kannan@yahoo.com> wrote in message
: > : > > > news:b46a02f.0403231023.21b252a7@posting.google.com...
: > : > > > > Hi Alex,
: > : > > > > I am setting that in the code. Here is the code sample in
: > : > > > > VB.NET:
: > : > > > >
: > : > > > > Imports System.Diagnostics
: > : > > > > Imports System.Net
: > : > > > > Imports System.Security.Principal
: > : > > > > Imports System.Xml
: > : > > > >
: > : > > > > Private Function LogonToProjectServer(ByVal projectServerUrl _
: > : > > > >     As String) As String
: > : > > > >
: > : > > > >     Dim url As String
: > : > > > >     Dim cookieString As String
: > : > > > >
: > : > > > >     If Not projectServerUrl.EndsWith("/") Then
: > : > > > >         projectServerUrl += "/"
: > : > > > >     End If
: > : > > > >
: > : > > > >     url = projectServerUrl + "LgnIntAu.asp"
: > : > > > >     Dim XMLDoc As New XmlDocument
: > : > > > >
: > : > > > >     Try
: > : > > > >         Dim myReq As HttpWebRequest = _
: > : > > > >             CType(WebRequest.Create(url), HttpWebRequest)
: > : > > > >         Dim conCookie As New CookieContainer
: > : > > > >         myReq.CookieContainer = conCookie
: > : > > > >         ' Hand the request the caller's current Windows token;
: > : > > > >         ' no username/password is available to this code.
: > : > > > >         myReq.Credentials = CredentialCache.DefaultCredentials
: > : > > > >         Dim identity As WindowsIdentity = _
: > : > > > >             WindowsIdentity.GetCurrent()
: > : > > > >
: > : > > > >         Dim log As New EventLog
: > : > > > >         log.Log = "Application"
: > : > > > >         log.Source = "PDSHelper:LogonToProjectServer"
: > : > > > >
: > : > > > >         ' This returns the correct username
: > : > > > >         log.WriteEntry("WindowsUser is " + identity.Name, _
: > : > > > >             EventLogEntryType.Information)
: > : > > > >
: > : > > > >         Dim myRes As HttpWebResponse = Nothing
: > : > > > >         Dim i As Integer
: > : > > > >         For i = 0 To 2
: > : > > > >             Try
: > : > > > >                 myRes = CType(myReq.GetResponse(), _
: > : > > > >                     HttpWebResponse)
: > : > > > >                 ' if it gets to this line it didn't error
: > : > > > >                 Exit For
: > : > > > >             Catch e As Exception
: > : > > > >                 ' Rethrow on the last attempt; a bare Throw
: > : > > > >                 ' keeps the original stack trace.
: > : > > > >                 If i = 2 Then
: > : > > > >                     Throw
: > : > > > >                 End If
: > : > > > >             End Try
: > : > > > >         Next i
: > : > > > >
: > : > > > >         Try
: > : > > > >             XMLDoc.Load(myRes.GetResponseStream())
: > : > > > >         Finally
: > : > > > >             ' Close the response to free resources.
: > : > > > >             myRes.Close()
: > : > > > >         End Try
: > : > > > >         log.WriteEntry("Xmlcontents are " + XMLDoc.InnerText, _
: > : > > > >             EventLogEntryType.Information)
: > : > > > >
: > : > > > >         ' GetLogonStatus (not shown here) pulls the cookie out
: > : > > > >         ' of the returned XML.
: > : > > > >         cookieString = GetLogonStatus(XMLDoc)
: > : > > > >         If cookieString.Length < 10 Then
: > : > > > >             Throw New Exception("Invalid Project Server Login " + _
: > : > > > >                 "Cookie: " + cookieString)
: > : > > > >         End If
: > : > > > >     Catch ex As Exception
: > : > > > >         Throw New Exception("Error occurred attempting to log " + _
: > : > > > >             "into project server: " + url + vbCrLf + _
: > : > > > >             XMLDoc.InnerXml, ex)
: > : > > > >     End Try
: > : > > > >
: > : > > > >     Return cookieString
: > : > > > >
: > : > > > > End Function
: > : > > > >
: > : > > > >
: > : > > > >
: > : > > > >
: > : > > > >
: > : >
: ************************************************************************
: > : > > > > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in
: > : > > > > message news:<OiRD1rHEEHA.3372@TK2MSFTNGP10.phx.gbl>...
: > : > > > > > Kannan,
: > : > > > > >
: > : > > > > > Before you call the other site, make sure that you set the
: > : > > > > > default credentials for your HttpWebRequest's (or whatever
: > : > > > > > class you're using) Credentials member. See MSDN
: > : > > > > > documentation on CredentialCache.DefaultCredentials for
: > : > > > > > samples.
: > : > > > > >
: > : > > > > > Alek
: > : > > > > >
: > : > > > > > "Kannan" <pv_kannan@yahoo.com> wrote in message
: > : > > > > > news:b46a02f.0403221407.388842f1@posting.google.com...
: > : > > > > > > We are having a strange problem with NT credentials being
: > : > > > > > > lost while accessing another resource on the same server.
: > : > > > > > >
: > : > > > > > > Here is the scenario:
: > : > > > > > >
: > : > > > > > > Step 1
: > : > > > > > > -------------
: > : > > > > > > Client A makes a call to a method in a C# DLL that resides
: > : > > > > > > in Server A using Windows Auth (correct settings in
: > : > > > > > > web.config and IIS).
: > : > > > > > >
: > : > > > > > > Step 2
: > : > > > > > > -------------
: > : > > > > > > That method makes a call to an asp page that is present on
: > : > > > > > > a different website on the same server (Server A) to
: > : > > > > > > retrieve a cookie value.
: > : > > > > > >
: > : > > > > > > I notice that Windows credentials are being passed over in
: > : > > > > > > Step 1. It returns the correct value when I use
: > : > > > > > > WindowsIdentity.GetCurrent.Name. But they do not get passed
: > : > > > > > > over from the DLL method to the site in Step 2.
: > : > > > > > > (LOGON_USER returns blank)
: > : > > > > > >
: > : > > > > > >
: > : > > > > > > Would this be a double-hop issue? Would use of delegation
: > : > > > > > > and kerberos help?
: > : > > > > > >
: > : > > > > > > Any help would be really appreciated.
: > : > > > > > >
: > : > > > > > > Thanks
: > : > > > > > > kannan
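As an added diagnostic, not code from the thread or from any of the posters: before the DefaultCredentials request is attempted, inspect the token the ASP.NET request is running under and log it, so an impersonation-level token (the case Joe describes) is reported with a reason instead of silently producing a blank LOGON_USER at the second site. Assumes .NET 2.0 or later for WindowsIdentity.ImpersonationLevel; the HopCheck class and the "PDSHelper" event source are hypothetical names.

```csharp
// Added example, not from the thread; assumes .NET 2.0 or later (for
// WindowsIdentity.ImpersonationLevel) and a registered event source "PDSHelper".
using System;
using System.Diagnostics;
using System.Net;
using System.Security.Principal;

public static class HopCheck
{
    // Decides, from the token the current request runs under, whether a
    // DefaultCredentials WebRequest to another SPN can be authenticated.
    public static bool CanHop(WindowsIdentity id, out string reason)
    {
        if (id == null || id.IsAnonymous)
        {
            reason = "anonymous caller: is anonymous access really off?";
            return false;
        }
        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                // Delegation-capable Kerberos token: can answer a fresh challenge.
                reason = "delegation token via " + id.AuthenticationType;
                return true;
            case TokenImpersonationLevel.None:
                // Primary token (e.g. from Basic-auth credentials): hops per the thread.
                reason = "primary token via " + id.AuthenticationType;
                return true;
            default:
                // Impersonation (usual NTLM or non-delegating Kerberos result) or
                // lower: valid on this box only, so LOGON_USER at the target is blank.
                reason = id.ImpersonationLevel + " token via " +
                         id.AuthenticationType + ": needs Kerberos delegation";
                return false;
        }
    }

    // The thread's DefaultCredentials HttpWebRequest behind the check above.
    public static HttpWebResponse GetAsCaller(string url)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        string reason;
        bool ok = CanHop(id, out reason);
        EventLog.WriteEntry("PDSHelper", id.Name + " -> " + url + ": " + reason,
            ok ? EventLogEntryType.Information : EventLogEntryType.Warning);
        if (!ok)
            throw new InvalidOperationException(id.Name + " cannot reach " + url + ": " + reason);
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.Credentials = CredentialCache.DefaultCredentials;
        req.CookieContainer = new CookieContainer();
        return (HttpWebResponse)req.GetResponse();
    }
}
```

The logged AuthenticationType ("NTLM" versus "Kerberos") together with the impersonation level tells you whether the fix is enabling delegation on the account/SPN or whether Kerberos is not being negotiated at all.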


