Passing windows credentials from server to server.

Wade Wegner

Hello,

I have been desperately trying to programmatically authenticate a windows
user, create their credentials, and then redirect them to a different server
while passing the credentials at the same time so that they don't have to
login again.

Specifically, I have two webservers in the same domain. When I have a user
go to Webserver A (which uses basic authentication) I programmatically
create either a user credential or impersonate a user context (for now it's
hardcoded, but in the future it would be entered in forms). Then, I want to
let that user access a page on Webserver B (which uses basic
authentication), but I don't want them to have to login again -- rather, I
want to use the user context that I programmatically created on Webserver A.

For instance, here is an example of the code I use to create the user
credentials:

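' Requires Imports System.Net
Dim strURI As String = "http://www.whatever.com"
' Credential for the target site (hardcoded for now)
Dim myCred As New NetworkCredential("userid", "password", "domain")
Dim myURI As New Uri(strURI)
' Cache that offers myCred only for Basic challenges from myURI
Dim myCache As New CredentialCache
myCache.Add(myURI, "Basic", myCred)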

From this, I have attempted to use WebRequests and WebResponses to somehow
allow me to direct the browser to a different page, and use the credential I
have generated. The most I can do, however, is create the request and
receive the response:

' Request issued by the server itself, using the cached credential
Dim myWebRequest As System.Net.WebRequest = System.Net.WebRequest.Create(strURI)
myWebRequest.Credentials = myCache
Dim myWebResponse As WebResponse = myWebRequest.GetResponse()

If only I could use the response.redirect method, and somehow pass the
credentials with the redirection (like you can with the webrequest), it
could work!

I have also attempted to use the LogonUser API (from the advapi32.dll), and
impersonate a user based on the proper logon information -- this works, and
I'm able to successfully impersonate the user, but again, I don't know how
to pass along the user context to a different page.

I know that many people will say "just use form based authentication," but
this will not work for me, as I want this to work with tools like Outlook
Web Access, which requires windows authentication.

Any help would be greatly appreciated. Thank you!!

Wade
 
Brian Henry

if they are your own servers, you could set up a webservice to transfer
session info back and forth...
 
Wade Wegner

Huh!

I never knew you could do that to pass login information to a site with basic
authentication. Is there a name for that? Something that would allow me to
look it up in MSDN? I wonder what the security considerations are. If used
with SSL, is it safe? Etc.

Thanks for the idea, though ... I'll look into it some more.

Wade
 
Wade Wegner

Okay, as I've been playing with the method you mentioned, I've noted the
following.

If I create a login form, and then programmatically create a URL string, and
then redirect to that URL, it prompts me to login. However, if I register a
vbscript that uses window.location to redirect the user to this script, it
doesn't. Does the response.redirect not work?

For example, this is what I use for the response.redirect:

Dim strURL As String
strURL = "http://" & txtUserID.Text & ":" & txtPassword.Text & "@mydomain.com"

Response.Redirect(strURL)

That doesn't work, and it prompts me to login.

However, I can get the following to work fine:

Dim strURL As String
strURL = "http://" & txtUserID.Text & ":" & txtPassword.Text & "@mydomain.com"

Dim txtScript as new System.Text.StringBuilder
txtScript.Append(vbCr & "<script language=vbscript>")
txtScript.Append(vbCr & "window.location = """ & strURL & """")
txtScript.Append(vbCr & "</script>" & vbCr & vbCr)

Page.RegisterStartupScript("redirect", txtScript.ToString)

When I redirect from the client, this works fine. Additionally, if I simply
type in the address into the browser, it works properly.

Any ideas? Will I have to do this from the client?

Thanks,

Wade
 
Rad

I don't like this approach (of passing credentials like this) at all.. it's
visible in the address bar.. so I'm not sure this is really a good idea.

it's an HTTP thingie.. so you would want to look at it there.. MSDN may have
it.. but may not...
 
Wade Wegner

See, I do not experience it displaying in the address bar. I have not been
able to find anything in MSDN concerning this, but I started to think that
all this method does is mimic what basic authentication does -- I mean,
basic authentication is unencrypted, clear text. Is employing this method
any different than using basic authentication? In both cases, obviously, it
would be worthwhile to encrypt using SSL.

I still wish I understood why this solution would not work if redirected
from the server, via response.redirect, but will if it is redirected at the
client. Even if this isn't a good solution, I'd like to know the answer to
that.
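
Added example, not part of the thread: the `http://user:password@host` URL built in the posts above carries the same secret as a Basic `Authorization` header, which is only base64-encoded, so such URLs should be stripped before they are logged or sent in a `Location` header. The function names, sample log lines and credentials are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# http(s) URL whose authority contains userinfo (user:password@host)
URL_WITH_USERINFO = re.compile(r"https?://[^\s/?#@\"']+@[^\s\"'<>]*", re.I)

# Constructed sample log lines (not taken from the thread)
SAMPLE_LOG = [
    "12:01:07 redirect -> http://jdoe:s3cret@mydomain.com/exchange",
    "12:01:09 GET http://mydomain.com/help?contact=admin@mydomain.com",
]

def basic_header(url):
    """Authorization value a client derives from URL userinfo, or None."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    pair = unquote(parts.username) + ":" + unquote(parts.password or "")
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")

def decode_basic(header):
    """Recover (user, password): base64 is an encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def strip_userinfo(url):
    """Drop user:password@ so the URL is safe to log or send in Location."""
    parts = urlsplit(url)
    netloc = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def scrub_log_line(line):
    """Return (line with credential-bearing URLs redacted, affected user names)."""
    users = []
    def redact(match):
        users.append(unquote(urlsplit(match.group(0)).username or ""))
        return strip_userinfo(match.group(0))
    return URL_WITH_USERINFO.sub(redact, line), users

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_log_line(entry))
```

The second sample line contains an `@` only in its query string, so it is left untouched; only userinfo in the authority part is treated as a credential.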
 
Rad

Look at HTTP specs... see what it says for 302 (that's what
response.redirect really is)...

as I said, all this is http stuff.. so MSDN may not have it (just like they
don't have http specs there...) you'd probably want to start looking at
w3c's site
 
