Windows Auth -- double hop issue??

Kannan

We are having a strange problem with NT credentials being lost while
accessing another resource on the same server.

Here is the scenario:

Step 1
-------------
Client A makes a call to a method in a C# DLL that resides in Server A
using Windows Auth (correct settings in web.config and IIS).

Step 2
-------------
That method makes a call to an asp page that is present on a different
website on the same server (Server A) to retrieve a cookie value.

I notice that Windows credentials are being passed over in Step 1. It
returns the correct value when I use WindowsIdentity.GetCurrent.Name.
But they do not get passed over from DLL method to the site in Step 2.
(LOGON_USER returns blank)


Would this be a double-hop issue? Would use of delegation and kerberos
help?

Any help would be really appreciated.

Thanks
kannan
 
Joe Kaplan (MVP - ADSI)

Yep, that would be a double hop issue. This is very likely the case if you
are using integrated authentication on Server A.

Joe K.
 
Kannan Pulacode

What would be the best way to solve this?

Would delegation solve the problem? If I use Kerberos, what service on
the server should I choose to allow to delegate? I cannot delegate a
particular user in this situation since I have Windows auth turned on at
the IIS level.
 
bruce barker

no, it's not the double hop rule, you still have a valid token. more likely
you are not filling in the credentials when calling the other web site.
 
Alek Davis

Kannan,

Before you call the other site, make sure that you set the default
credentials for your HttpWebRequest's (or whatever class you're using)
Credentials member. See MSDN documentation on
CredentialCache.DefaultCredentials for samples.

Alek
 
Kannan

Hi Alek,
I am setting that in the code. Here is the code sample in VB.NET:

Imports System
Imports System.Diagnostics
Imports System.Net
Imports System.Security.Principal
Imports System.Xml

' GetLogonStatus(XmlDocument) is defined elsewhere in the same class and
' extracts the logon cookie from the XML that LgnIntAu.asp returns.
Private Function LogonToProjectServer(ByVal projectServerUrl As String) As String

    Dim url As String
    Dim cookieString As String

    If Not projectServerUrl.EndsWith("/") Then
        projectServerUrl += "/"
    End If

    url = projectServerUrl + "LgnIntAu.asp"
    Dim XMLDoc As New XmlDocument

    Try
        Dim conCookie As New CookieContainer
        Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()

        Dim log As New EventLog
        log.Log = "Application"
        log.Source = "PDSHelper:LogonToProjectServer"

        log.WriteEntry("WindowsUser is " + identity.Name, EventLogEntryType.Information) ' This returns the correct username

        Dim myRes As HttpWebResponse = Nothing
        Dim i As Integer
        For i = 0 To 2
            ' A fresh HttpWebRequest per attempt: a request object cannot be
            ' re-submitted once GetResponse has failed on it.
            Dim myReq As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
            myReq.CookieContainer = conCookie
            ' Pass the current security context (the IIS impersonation token) to the other site.
            myReq.Credentials = CredentialCache.DefaultCredentials
            Try
                myRes = CType(myReq.GetResponse(), HttpWebResponse)
                ' if it gets to this line it didn't error
                Exit For
            Catch e As WebException
                If i = 2 Then
                    Throw ' rethrow as-is; "Throw e" would reset the stack trace
                End If
            End Try
        Next i

        XMLDoc.Load(myRes.GetResponseStream())
        log.WriteEntry("Xmlcontents are " + XMLDoc.InnerText, EventLogEntryType.Information)
        ' Close the response to free resources.
        myRes.Close()

        cookieString = GetLogonStatus(XMLDoc)
        If cookieString.Length < 10 Then
            Throw New Exception("Invalid Project Server Login Cookie: " + cookieString)
        End If
    Catch ex As Exception
        Throw New Exception("Error occurred attempting to log into project server: " + url + vbCrLf + XMLDoc.InnerXml, ex)
    End Try

    Return cookieString

End Function
 
Joe Kaplan (MVP - ADSI)

Given that you are using default credentials, it does look like it might be
a double hop issue.

If the current security context is an impersonation token that can't
delegate, then the credentials you supply will not hop to the other machine.
Since Windows integrated authentication creates an impersonation token, this
is very likely to be the case.

Joe K.
 
Alek Davis

But Kannan said that all resources reside on the same server. How can it be
the double-hop problem? Logically, it should work, but maybe there is
something else we're missing.

Alek
 
Joe Kaplan (MVP - ADSI)

The way I read it, it works like this:

1. User authenticates with web server via browser using Windows Integrated
authentication
2. IIS creates a token for the authenticated user. This token is an
impersonation token since that's what IIS creates for Integrated
authentication
3. ASP.NET code accesses DefaultCredentials to use in WebRequest.
DefaultCredentials are based on impersonation token, so they cannot hop to
another server.

That's my theory. Since the user's password is never passed to the IIS
server, the only way the token on the IIS server is going to hop to another
machine on the network is via Kerberos Delegation. If that isn't available,
then the hop won't happen (which is what it sounds like is happening). If
web authentication was Basic, then the user's plain text credentials are
available, so a primary token can be created and that will hop to a
different machine without delegation.

Joe K.
 
Alek Davis

You are absolutely right, but what I am trying to say is that there is no
OTHER machine. Impersonation token for Integrated Windows Authentication
should work fine on the same system. And, according to the original post,
both resources reside on the same server, so double-hop should not be an
issue.

Alek
 
Joe Kaplan (MVP - ADSI)

Ah, I must have missed that part. I misread his statement "different
website on server A". I thought he meant different server.

However, if the request goes through HTTP and back into IIS through a
different vroot, does that count as a hop or not? I'm not sure about how it
works in that particular case. Does it make a difference whether he uses
localhost in the URL or the DNS name of the site?

Based on his description, it sounds like it is not. It would be easy to
check by replacing the DefaultCredentials with some known good hard-coded
credentials in a new NetworkCredential object and see if that fixes it.

Most of the time I am diagnosing these issues for connections to AD or SQL
where the case is more clear cut.

Joe K.
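Joe's isolation test, written out as an added example that is not code from the thread or from Project Server: a probe fetches a page that echoes LOGON_USER, once with CredentialCache.DefaultCredentials and once with an explicitly constructed NetworkCredential, and the two results are compared. It assumes a hypothetical classic ASP page whoami.asp on the second site containing only `<%= Request.ServerVariables("LOGON_USER") %>`, and that the test account's domain, user name and password are supplied through the environment variables PROBE_DOMAIN, PROBE_USER and PROBE_PASSWORD (names chosen for this example) rather than written into the source.

```vbnet
Imports System
Imports System.IO
Imports System.Net

' Added example, not code from the thread. Fetches a probe page that echoes
' LOGON_USER so the caller can see which identity the second site received.
' Assumed probe page (hypothetical, classic ASP): whoami.asp containing only
'   <%= Request.ServerVariables("LOGON_USER") %>
Public Class SecondHopProbe

    ' One request to the probe page with the supplied credentials; returns
    ' whatever LOGON_USER the target site saw ("" when it saw an anonymous request).
    Public Shared Function FetchLogonUser(ByVal probeUrl As String, ByVal creds As ICredentials) As String
        Dim req As HttpWebRequest = CType(WebRequest.Create(probeUrl), HttpWebRequest)
        req.Credentials = creds
        Dim res As HttpWebResponse = CType(req.GetResponse(), HttpWebResponse)
        Try
            Dim reader As New StreamReader(res.GetResponseStream())
            Return reader.ReadToEnd().Trim()
        Finally
            res.Close()
        End Try
    End Function

    ' Joe's isolation test: the same request with the impersonation token
    ' (DefaultCredentials) and with an explicit, known-good account.
    ' The test account comes from environment variables (names chosen for this
    ' example) so no password is written into the source.
    Public Shared Function Compare(ByVal probeUrl As String) As String
        Dim withToken As String = FetchLogonUser(probeUrl, CredentialCache.DefaultCredentials)

        Dim explicitCreds As New NetworkCredential( _
            Environment.GetEnvironmentVariable("PROBE_USER"), _
            Environment.GetEnvironmentVariable("PROBE_PASSWORD"), _
            Environment.GetEnvironmentVariable("PROBE_DOMAIN"))
        Dim withExplicit As String = FetchLogonUser(probeUrl, explicitCreds)

        If withToken.Length = 0 AndAlso withExplicit.Length > 0 Then
            Return "Explicit account arrived as " & withExplicit & _
                   " but the impersonation token did not: the Credentials assignment is fine, the token cannot make the hop."
        ElseIf withToken.Length = 0 AndAlso withExplicit.Length = 0 Then
            Return "Neither arrived: the target site is probably still allowing anonymous access, so IIS never challenges the request."
        Else
            Return "Token arrived as " & withToken & ": the second hop works with DefaultCredentials."
        End If
    End Function
End Class
```

If the explicit account arrives but the default credentials do not, the Credentials assignment is not the problem and the token-type explanation above applies; if neither arrives, check that anonymous access is disabled on the second site, because IIS never challenges an anonymous request and LOGON_USER stays blank regardless of what the caller sends. The probe is a one-off diagnostic: remove it and the test account once the question is answered.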
 
Kannan Pulacode

That was my understanding too. But it does not seem to work that way.

This would be a product and we are concerned that the network admins at
all our client installations might not be very willing to set the server
up for delegation.

Thanks
 
Ken Schaefer

But he is executing a new HTTP request (just as the browser did
originally)...and the code doesn't have enough information to complete the
authentication challenge that the web server will be issuing. All he has is
the token - not the username/password.

Cheers
Ken

Alek Davis

I don't think this matters. As long as the identity/authentication/authorization
sections of the Web.config file are set up correctly, anonymous access is
disabled in IIS, and the HTTP request does not leave machine boundaries,
DefaultCredentials should be propagated. Sorry Kannan, doesn't look like
we're helping. ;-)

Alek
 
Ken Schaefer

Kerberos tickets work on the basis of a SPN, not a "machine boundary" don't
they? If the SPN is different (e.g. accessing a different website), then
delegation must be enabled for the user credentials.

Cheers
Ken

Alek Davis

But we are not talking about Kerberos, are we? Maybe I am confusing
something, but I think that Integrated Windows authentication (NTLM) does
not require Kerberos, so it's a moot point. I don't think that to access a
resource on the same machine using NTLM, you need to enable delegation. It
does not make much sense. Whether the resource resides on a different Web site
should not matter as long as it is on the same physical server. Think about it:
using NTLM you can pass through the user's credentials to a SQL Server (on the
same machine). It is not much different from accessing a different Web site
(on the same machine), or is it?

Alek
 
Ken Schaefer

I think we're getting a little confused here.

Integrated Windows Authentication covers two separate authentication
mechanisms:
a) NTLM v2 -and-
b) Kerberos

NTLM v2 is for legacy clients (e.g. IE before IE v5, Mozilla etc), and for
non-AD domain environments.
Kerberos is the preferred method of IWA, and is supported by IE v5 and
above.

When using Kerberos Authentication, the user's credentials can be
delegated, so the webserver can access another service (i.e. another SPN)
using the user's credentials. NTLM v2 cannot be natively delegated. If you
are using a Windows 2003 Domain, there is something called "Protocol
Transition", that allows the user to authenticate to the webserver using
NTLM v2, and then have a Kerberos ticket issued to the web server service,
which can be used to access a remote service.

Cheers
Ken
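Ken's distinction between the two IWA sub-protocols, and Joe's point that only a delegable token can leave the box, can both be checked from the token the application is actually running under. The following is an added example (not code from the thread) that reads WindowsIdentity.AuthenticationType and WindowsIdentity.ImpersonationLevel and turns them into a verdict on whether CredentialCache.DefaultCredentials can reach a second SPN. ExpectedSpn applies the simplified rule that an HTTP request asks for a service ticket to HTTP/<host name in the URL>; that rule is an assumption for illustration, not a statement of every .NET version's behaviour.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Text

' Added example, not code from the thread. Reads the properties of the token
' the request is running under and explains, in the terms used above, whether
' DefaultCredentials can be forwarded to a service with a different SPN.
Public Class TokenHopDiagnostics

    ' Verdict for the event log: which IWA sub-protocol produced the token and
    ' whether that token is allowed to leave this process for another SPN.
    Public Shared Function CanHopToOtherSpn(ByVal identity As WindowsIdentity) As String
        ' A Delegation-level token is what Kerberos delegation produces; it can be
        ' presented to a second service no matter where that service runs.
        If identity.ImpersonationLevel = TokenImpersonationLevel.Delegation Then
            Return "delegation-level token: DefaultCredentials can reach another SPN"
        End If
        ' NTLM has no native delegation (Ken's point); only protocol transition on
        ' a Windows 2003 domain could turn it into a forwardable Kerberos ticket.
        If String.Compare(identity.AuthenticationType, "NTLM", True) = 0 Then
            Return "NTLM token: cannot be forwarded; the second site will see an anonymous request"
        End If
        ' Kerberos/Negotiate but only Impersonation level: the account IIS runs
        ' the site under is not trusted for delegation.
        Return "impersonation-level " & identity.AuthenticationType & _
               " token: usable on this box only, the second site will see LOGON_USER blank"
    End Function

    ' One line suitable for the same event-log source the thread's code uses.
    Public Shared Function Describe(ByVal identity As WindowsIdentity) As String
        Dim sb As New StringBuilder()
        sb.Append("User=").Append(identity.Name)
        sb.Append("; AuthType=").Append(identity.AuthenticationType)
        sb.Append("; ImpersonationLevel=").Append(identity.ImpersonationLevel.ToString())
        sb.Append("; ").Append(CanHopToOtherSpn(identity))
        Return sb.ToString()
    End Function

    ' Simplified rule (an assumption for illustration): an HTTP request asks for a
    ' service ticket to HTTP/<host in the URL>, so two sites on one box reached
    ' through different host names have different SPNs.
    Public Shared Function ExpectedSpn(ByVal url As String) As String
        Dim target As New Uri(url)
        Return "HTTP/" & target.Host
    End Function
End Class
```

Calling TokenHopDiagnostics.Describe(WindowsIdentity.GetCurrent()) from the DLL method and writing the result next to the existing "WindowsUser is" entry gives one event-log line that says whether the blank LOGON_USER is expected from the token type, before anyone asks a customer's domain administrators to configure delegation.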
