Re: Constructing NetworkCredential from WindowsIdentity?

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 06/16/05


Date: Thu, 16 Jun 2005 09:03:36 -0500

If you have a WindowsIdentity/WindowsPrincipal for the user, you should be
able to impersonate that WindowsIdentity and then use
CredentialCache.DefaultCredentials to get an ICredential. You can use that
for calling the remote resource.

The main issue here is that you will also most likely need Kerberos
delegation in this scenario in order for your credentials to hop to a remote
machine.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
http://msdn.microsoft.com/vstudio/using/building/web/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetHT05.asp?FRAME=true#ImplementKerberos

HTH,

Joe K.

"Claus Konrad" <no@spam.thanks> wrote in message
news:utO0d4mcFHA.1448@TK2MSFTNGP14.phx.gbl...
> Well - I'm using a WebApp (ASP.NET) as frontend (hosted by primary
> server).
> Here I have full access to my Identity (WindowsIdentity).
>
> Now - the frontend is calling into a business component (BC). This BC is
> therefore being called from within ASP.NET and thereby instantiated with
> the current identity (that's either ASPNET Machine account or the user
> impersonated).
>
> For the business component to access the Exchange Server in my datatier,
> I'm using a component from IndependentSoft (WebDav.NET for Exchange). This
> requires me to connect using an ICredential interface. I do NOT have access
> to the current user's password, hence I cannot create an instance of a
> NetworkCredential object.
>
> Therefore my question.
> The CredentialCache.DefaultCredentials is empty. Should the frontend be
> adding something into the cache here or what..?
>
>
> Thanks a lot!
>
> /Claus
>
>
>
>
>
> "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
> news:uXthyqacFHA.3620@TK2MSFTNGP09.phx.gbl...
>> System.Net.CredentialCache.DefaultCredentials might be what you're
>> looking for. If you don't think this would help with your scenario,
>> could you please explain how your code on the client (primary server) is
>> communicating with the target server?
>>
>>
>> "Claus Konrad" <no@spam.thanks> wrote in message
>> news:etnZHIQcFHA.1404@TK2MSFTNGP09.phx.gbl...
>>> Hi
>>>
>>> Is there any way of getting from a WindowsIdentity (or WindowsPrincipal)
>>> into a NetworkCredential?
>>> I'm forced to authenticate myself towards a second server within my
>>> network, but unfortunately this only accepts Username/password (forms)
>>> or ICredentials (aka. networkcredentials).
>>>
>>> I'm fully authenticated with Kerberos on my primary server (web app).
>>>
>>> Thanks a million!
>>> /Claus
>>>
>>
>>
>
>
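
The approach described in the reply above (impersonate the caller's WindowsIdentity, then pass CredentialCache.DefaultCredentials to the outbound call), as an added example that is not from the original thread. It assumes an ASP.NET application using Windows authentication with Kerberos delegation already configured; HttpWebRequest stands in for the third-party WebDAV component, and DelegatedCall, FetchAsCaller and targetUrl are hypothetical names.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web;

public static class DelegatedCall
{
    // targetUrl is a placeholder for the second-tier resource (assumption).
    public static string FetchAsCaller(string targetUrl)
    {
        // Identity ASP.NET established for this request (Windows authentication assumed).
        WindowsIdentity caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException("No authenticated Windows identity on this request.");

        // Double-hop diagnostics: an NTLM logon will not hop to a second machine,
        // so record how the caller authenticated and what the token allows.
        Trace.WriteLine(String.Format("caller={0} auth={1} level={2}",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel));

        // No password is handled anywhere: the thread temporarily runs as the caller.
        WindowsImpersonationContext ctx = caller.Impersonate();
        try
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(targetUrl);
            // DefaultCredentials stands for the security context of the current
            // thread, so the request has to be sent inside this impersonation scope.
            request.Credentials = CredentialCache.DefaultCredentials;

            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        }
        finally
        {
            // Always revert, so later work on this thread does not run as the caller.
            ctx.Undo();
        }
    }
}
```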


