NetworkCredentials & Authentication Modules for WebProxy consumption

E. Apapados

Scenario:
Accessing an Internet resource through a local WebProxy (ISA 2000) that
requires authentication.

Current Findings:
Although not officially accepted (to my knowledge), it seems that there is a
bug in the current CF implementation (including SP 2) that requires the
assignment of the NetworkCredentials for the local WebProxy to the actual
HttpWebRequest.Credentials property. (I can only suspect that this is due to
the fact that CredentialCache is not supported)

This technique seems to be working fine as long as the actual requested
Internet resource does not require authentication and that the local
WebProxy will accept BASIC authentication.

By examining the AuthenticationManager.RegisteredModules enumeration, it
lists both the BASIC and DIGEST authentication modules but I still can't get
the DIGEST to work. Furthermore, what if INTEGRATED authentication is
required?

I am currently contemplating implementing a custom authentication
module to provide INTEGRATED authentication. Is this possible? And if true,
where can I find more information about the necessary encoding scheme?

I would greatly appreciate any comments, especially from people with close
ties to Microsoft that could verify the accuracy or inaccuracy of my
findings.
 
Mike

I have also found that it is sometimes necessary to specify the credentials
for the proxy server on the HttpWebRequest object. See my thread here:
http://groups.google.com/groups?hl=...soft.public.dotnet.framework.compactframework

There is a free Proxy server called Proxy+. (http://www.proxyplus.cz/)

With this server, if you require authentication, you have to put the
credentials on the WebProxy object.

But with a "Raptor Firewall" at a customer location, we had to put the
credentials on the HttpWebRequest object.

So what I ended up doing is putting the credentials on BOTH objects so that
the code works with both servers. This has worked so far.
 
E. Apapados

Mike thank you for your reply.

Your postings were the starting point to my investigation and as a matter of
fact I was about to contact you myself.

Our application has been deployed to several sites where the http proxy of
choice is MS ISA 2000 and all my testing is based on this product.

As you point out, following the 'trick' of assigning the credentials to the
httpWebRequest object does the job.
However in my experience this only works if the authentication method
required by the proxy is 'Basic' (Base64) and only 'Basic'.

ISA 2000 also supports 'Digest' and 'Integrated' (Former NTLM and Kerberos)
and so far I had no luck with those.

The proxies that you are using (Raptor & Proxy+), do they support these
types? And if so, have you managed to successfully authenticate requests
under these types?

Furthermore by enumerating the AuthenticationManager.RegisteredModules CF
SP2 states that both 'Basic' and 'Digest' are supported but so far 'Digest'
credentials do not seem to get authenticated on the ISA.

Once again thank you for your reply and I hope that someone from Microsoft
will comment soon.
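
An added sketch, not code from either poster, of the workaround discussed above: the same NetworkCredential is set on both the WebProxy and the HttpWebRequest, and on a 407 the Proxy-Authenticate header is inspected to see which schemes the proxy is asking for. The proxy address, target URL and account values are placeholders, and the class name is hypothetical.

```csharp
using System;
using System.Net;

class ProxyAuthProbe
{
    // Placeholder values (assumptions): replace with your own proxy and target.
    const string ProxyUrl  = "http://proxy.example.local:8080";
    const string TargetUrl = "http://www.example.com/";

    static void Main()
    {
        // Placeholder account; never hard-code real credentials.
        NetworkCredential cred = new NetworkCredential("user", "password", "DOMAIN");

        WebProxy proxy = new WebProxy(ProxyUrl);
        proxy.Credentials = cred;   // where Proxy+ expected them, per the thread

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(TargetUrl);
        req.Proxy = proxy;
        // Workaround from the thread (ISA 2000, Raptor). Caveat: this property is
        // meant for the origin server, so a target that answers with its own 401
        // challenge would be offered the proxy account as well.
        req.Credentials = cred;

        try
        {
            HttpWebResponse ok = (HttpWebResponse)req.GetResponse();
            Console.WriteLine("Request succeeded: " + (int)ok.StatusCode);
            ok.Close();
        }
        catch (WebException ex)
        {
            HttpWebResponse resp = ex.Response as HttpWebResponse;
            if (resp == null || resp.StatusCode != HttpStatusCode.ProxyAuthenticationRequired)
                throw;

            // The 407 response names the schemes the proxy will accept.
            string offered = resp.Headers["Proxy-Authenticate"];
            resp.Close();
            Console.WriteLine("Proxy-Authenticate: " + offered);

            // Coarse substring check, enough to tell the cases in the thread apart.
            string o = (offered == null) ? "" : offered.ToUpper();
            if (o.IndexOf("BASIC") < 0)
                Console.WriteLine("Basic is not offered; the workaround cannot succeed here.");
            if (o.IndexOf("DIGEST") >= 0 || o.IndexOf("NTLM") >= 0 || o.IndexOf("NEGOTIATE") >= 0)
                Console.WriteLine("Proxy also offers Digest and/or Integrated (NTLM/Negotiate).");
        }
    }
}
```

Basic sends the password Base64-encoded rather than encrypted, so anyone able to observe traffic between the device and the proxy can recover it.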
 
Mike

I guess we haven't run into a proxy server that requires Digest or
Integrated yet, because our program works at all customer sites so far.
(only about 5 sites)

I would love to have a proxy server like MS ISA 2000 so that I could do
testing with it. I'll just have to wait until we get a customer that
requires Digest or Integrated and then I'll have to find a way around it.

We are using internet "Pass Through" with Microsoft ActiveSync to connect to
the internet. It would be nice if the proxy stuff could be set up on the PC
and the Pocket PC would just use those settings.

Another problem I found in CF 1 SP2 is that trying to use https through a
proxy server that requires authentication doesn't work. This was confirmed
as a bug by Microsoft and they said it would be fixed in a future release.
See:

http://groups.google.com/groups?hl=...p=microsoft.public.dotnet.framework&lr=&hl=en
 