Re: Forward Credentials from ASP.NET Web-application to ASP.NET Web-Service?

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 06/30/04 

Date: Wed, 30 Jun 2004 08:56:13 -0500

Yes, for Basic auth, the authorization header will contain a string like:

Basic dXNlcjpwYXNzd29yZA==

The string after "Basic" are the Base64 encoded credentials in the form
user:password. That is the easiest way to get the user's password to create
a network credential.

If you had the string "Negotiate" in there, you were using Integrated auth
which uses NTLM or Kerberos. In that protocol, there is no plain-text
password for you to recover (which is why you can use that protocol safely
without SSL!).

You can definitely get the Default Credentials thing to work as well using
impersonation, but you will likely need Delegation in that scenario (thus
Kerberos) in order for those credentials to work on a different machine on
the network.

Joe K.

"Sean Dowling" <nyq2000@hotmail.com> wrote in message
news:606b339b.0406300522.7e3e8085@posting.google.com...
> Hi,
> Thanks for the insight... I will look into Kerberos. I was sort of
> hoping for something where I could construct the credentials based on
> the Security Principal but I guess that's not possible.
> Just so I understand - when you're talking about getting the username
> and password from Basic authentication, are you referring to base64
> decoding the Authorization header? I did try that and just got back a
> small string that wasn't the username or password. I think I may have
> had it configured incorrectly because the word "basic" wasn't in there
> anywhere which I believe it is supposed to be...
>
> Thanks again,
> Sean
>
> "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@removethis.accenture.com>
wrote in message news:<O6y9XnAWEHA.3524@TK2MSFTNGP12.phx.gbl>...
> > Using Windows Integrated authentication in the ASP.NET application, this
can
> > be done if you use impersonation in the ASP.NET app and enabled Kerberos
> > delegation. Kerberos delegation allows the token that IIS generates on
the
> > ASP.NET box to hop to the machine on the web services box.
> >
> > There are a bunch of references to Kerberos delegation in the MS
Knowledge
> > Base. Kerberos can be tricky, so I suggest you read up on it.
> >
> > Also, if you use Basic Authentication in the ASP.NET application, it is
> > trivially easy to get the user's username and password directly from the
> > request headers or server variables and pass those directly to your
proxy
> > class.
> >
> > HTH,
> >
> > Joe K.
> >

Relevant Pages

  • RE: kfw-3.2-beta2 is available
    ... The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to ... The use of ellipsis on menu items now follows the Windows ... The alternate is to open the new credentials ... Network Identity Manager Kerberos v5 Support ...
    (comp.protocols.kerberos)
  • Re: kfw-3.1-beta-2 is available
    ... the use of NIM to obtain credentials for principals whose password ... Improvements to the Network Identity Manager ... User selected font support ... Kerberos 5 Realm editor has been added ...
    (comp.protocols.kerberos)
  • kfw-3.2-beta1 is available - corrected MSI
    ... The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to ... The use of ellipsis on menu items now follows the Windows ... The alternate is to open the new credentials ... Support per-realm settings. ...
    (comp.protocols.kerberos)
  • kfw-3.2-beta2 is available
    ... The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to ... The use of ellipsis on menu items now follows the Windows ... The alternate is to open the new credentials ...
    (comp.protocols.kerberos)
  • kfw-3.2-beta3 is available
    ... The MIT Kerberos Development Team and Secure Endpoints Inc. are proud to ... The use of ellipsis on menu items now follows the Windows ... The alternate is to open the new credentials ...
    (comp.protocols.kerberos)