Avoiding Identity Impersonate


Guest

Hey folks,

I'm trying to use the HttpWebResponse object in an ASP application, but I
get a 401 unauthorized error on this line:
HttpWebResponse response = (HttpWebResponse)webRequest.GetResponse();

I have:
identity impersonate = true
authentication mode = windows
IIS set to use windows authentication
and I set: webRequest.Credentials = CredentialCache.DefaultCredentials;

This works when I run the page from the server, but from a remote machine it
gives me the unauthorized error. However, if in the web config file I
specify identity impersonate = true with a username and password, then it
works fine. I don't want to do this however.

Is there any way to avoid specifying a username and password in the
web.config and without setting up delegation on the server (not an option)?

Thanks!
 

woutervu

Hi John,

can you tell me whether you are using NTFS in your domain? NTFS is only
able to make 1 'hop' using impersonation. This is due to the fact that
there are no credentials passed, only tokens.
You probably have the following scenario (3 distinct machines):

Client ---> WebServer ---> Database server

As you can see, this setup takes two hops and will not work using
impersonation. If you switch to Kerberos for authentication this will
work. But I do believe this isn't used too much...

Hope it helps,

Grtz, Wouter van Vugt
Info Support - Netherlands
www.infosupport.com
blogs.infosupport.com/wouterv

John Smith wrote:
 

jay

I'm guessing you don't want to put it in the config for security
reasons. I wouldn't want to either! You can store the username and
password as encrypted values in the registry. You then point the
web.config file to look in the registry for the values.

This site explains the process of using aspnet_setreg.exe to encrypt
the values in the registry as well as how to reference them in your
web.config file.

http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

If you are running Windows 2000 as your server environment there is an
additional step; the ASPNET account (the account which the Aspnet
process runs under) needs to have something called TCB (Trusted
Computing Base) or what is more commonly known as "Act as part of the
operating system." privileges. These privileges are pretty powerful and
it's not recommended to grant them to any account.

Note: From what I gather, the above requirement only applies to the
.NET Framework 1.0 on Windows 2000. Windows XP and .NET 1.1 don't
require this.

This is one way to use impersonation securely.

Experts please correct my inaccuracies. :)

-Jay
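The registry-backed form of the `<identity>` element that the KB article linked above describes, as an added configuration example (this is not Jay's code or the KB text verbatim). The key path `SOFTWARE\MY_SECURE_APP\identity`, the account name `DOMAIN\svc_web` and the password are placeholders; the `registry:` value syntax and the `aspnet_setreg.exe` switches are the ones documented in KB 329290.

```xml
<configuration>
  <system.web>
    <authentication mode="Windows" />

    <!-- Before: the form the original poster wanted to avoid. Anyone who can
         read web.config (backups, source control, a file-disclosure bug)
         gets the domain account's password in clear text.

           <identity impersonate="true"
                     userName="DOMAIN\svc_web"
                     password="PLACEHOLDER-PASSWORD" />
    -->

    <!-- After: aspnet_setreg.exe stores the two values under HKLM, encrypted
         with DPAPI, and web.config only points at the key. Run once on the
         server (placeholder key name and account):

           aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\identity -u:"DOMAIN\svc_web" -p:"PLACEHOLDER-PASSWORD"

         then grant only the worker-process account (ASPNET on IIS 5, the
         application pool identity on IIS 6) read access to
         HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG. -->
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />
  </system.web>
</configuration>
```

This removes the clear-text secret from web.config but does not change why the original setup failed: ASP.NET logs the named account on with its password, so the resulting token can authenticate to the remote server, whereas the token obtained by impersonating the browser user over NTLM is good for one hop only, as Wouter's reply explains. Keep the registry key's ACL as tight as the config file's would have been, since whoever can read that key (and run as the same machine or user DPAPI scope) can recover the password.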
 

Guest

Thanks for the link. If there's no other way of doing it, then I'll do this.

I'm still just confused on why it's not impersonating the logged in user and
why I have to specify a new username and password.
 

Guest

I'm using the logged in credentials to connect to our database server and it
works fine.
 
