Ask a Question related to ASP.NET Security, Design and Development.
-
Davide Bedin #1
Impersonation and webproxy credentials
I configured my asp.net 1.1 application to impersonate a specific user
account that has the rights to access the web through the network ISA
server.
So I tried to access a web resource, an external web service, specifying the
ISA address for the webproxy class and setting the webproxy.Credentials =
System.Net.CredentialCache.DefaultCredentials, I knew that in this scenario
the DefaultCredentials would be the credentials of the impersonated user.
Using the default credentials doesn't let me access the web service through
the ISA Server as I get a 407 Proxy Authentication Error. If I explicitly
create a new credentials object using the same user info of the impersonated
user account everything works as expected.
This sounds really strange to me, probably there is some additional setting
I might have set in a wrong way.
Thanks,
Davide
Davide Bedin Guest
-
vpn credentials
we have a c# windows application that grabs a users netowork credentails. we now need to allow users to run the application over VPN (on non domain... -
Default credentials
Hello, I have an application which calls a web service across the Internet from a client machine. The site that I have deployed the... -
.NET IIS to IIS credentials problem...
Hi, I'm writing this off the top of my head as I don't have the exact information to hand. We are attempting to set up a secure internet site... -
Remote Fax/Credentials
I am trying to use one fax modem on a networked computer in Windows XP. The help instructs to set up the fax printer that is on the server as a... -
Peferred Credentials on OEM
You might check the permissions. "James" <james.varga@mindsweep.net> wrote in message news:v1obpjjkrko966@corp.supernews.com... have... -
Davide Bedin #2 Impersonation and webproxy credentials
I configured my asp.net 1.1 application to impersonate a specific user
account that has the rights to access the web through the network ISA
server.
So I tried to access a web resource, an external web service, specifying the
ISA address for the webproxy class and setting the webproxy.Credentials =
System.Net.CredentialCache.DefaultCredentials, I knew that in this scenario
the DefaultCredentials would be the credentials of the impersonated user.
Using the default credentials doesn't let me access the web service through
the ISA Server as I get a 407 Proxy Authentication Error. If I explicitly
create a new credentials object using the same user info of the impersonated
user account everything works as expected.
This sounds really strange to me, probably there is some additional setting
I might have set in a wrong way.
Thanks,
Davide
Davide Bedin Guest
-
Alek Davis #3 Re: Impersonation and webproxy credentials
Davide,
This is expected behavior. You can only use pass-through credentials (from
computer A through computer B to computer C) only if Kerberos/delegation are
enabled on the network, which is not a recommended configuration (from
security perspective). There must be a few posts related to this issue (just
do a search on keywords such as Kerberos, delegation, NTLM, IIS, etc).
Alek
"Davide Bedin" <remove_davide@bedin.it> wrote in message
news:OZH5moPAEHA.3352@TK2MSFTNGP09.phx.gbl...the> I configured my asp.net 1.1 application to impersonate a specific user
> account that has the rights to access the web through the network ISA
> server.
>
> So I tried to access a web resource, an external web service, specifyingscenario> ISA address for the webproxy class and setting the webproxy.Credentials =
> System.Net.CredentialCache.DefaultCredentials, I knew that in thisthrough> the DefaultCredentials would be the credentials of the impersonated user.
>
> Using the default credentials doesn't let me access the web serviceimpersonated> the ISA Server as I get a 407 Proxy Authentication Error. If I explicitly
> create a new credentials object using the same user info of thesetting> user account everything works as expected.
>
> This sounds really strange to me, probably there is some additional> I might have set in a wrong way.
>
> Thanks,
> Davide
>
>
Alek Davis Guest
-
Davide Bedin #4 Re: Impersonation and webproxy credentials
Thanks for the response.
As I'm passing the credentials of the impersonated ASP.Net app account and
not of the client account I don't see how I'm passing credentials from A to
B to C. From my point of view I'm passing credentials from B to C. This is
the web.config setting:
<identity impersonate="true" userName="user" password="password"/>
So why I'm able to pass the default credentials (the credentials of the
impersonated user account) to another web service with Windows
authentication in order to be authenticated (or to access SQL Server with
integrated security) but not to pass it to the proxy?
From MSDN I read that DefaultCredentials in ASP.Net are the the default
credentials are the user credentials of the logged-in user, or the user
being impersonated
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemnetcredentialcacheclassdefaultcredentia lstopic.asp[/url]
This code will run only if Kerberos delegation in enabled even If I'm not
impersonating the client user?
Dim proxy As New System.Net.WebProxy("proxy", True)
proxy.Credentials = System.Net.CredentialCache.DefaultCredentials
System.Net.GlobalProxySelection.Select = proxy
This is quite confusing to me.
Thank you for your help,
Davide
"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> ha scritto nel
messaggio news:uXNYHbUAEHA.1032@TK2MSFTNGP10.phx.gbl...are> Davide,
>
> This is expected behavior. You can only use pass-through credentials (from
> computer A through computer B to computer C) only if Kerberos/delegation(just> enabled on the network, which is not a recommended configuration (from
> security perspective). There must be a few posts related to this issue=> do a search on keywords such as Kerberos, delegation, NTLM, IIS, etc).
>
> Alek
>
> "Davide Bedin" <remove_davide@bedin.it> wrote in message
> news:OZH5moPAEHA.3352@TK2MSFTNGP09.phx.gbl...> the> > I configured my asp.net 1.1 application to impersonate a specific user
> > account that has the rights to access the web through the network ISA
> > server.
> >
> > So I tried to access a web resource, an external web service, specifying> > ISA address for the webproxy class and setting the webproxy.Credentialsuser.> scenario> > System.Net.CredentialCache.DefaultCredentials, I knew that in this> > the DefaultCredentials would be the credentials of the impersonatedexplicitly> through> >
> > Using the default credentials doesn't let me access the web service> > the ISA Server as I get a 407 Proxy Authentication Error. If I> impersonated> > create a new credentials object using the same user info of the> setting> > user account everything works as expected.
> >
> > This sounds really strange to me, probably there is some additional>> > I might have set in a wrong way.
> >
> > Thanks,
> > Davide
> >
> >
>
Davide Bedin Guest
-
Alek Davis #5 Re: Impersonation and webproxy credentials
Oh, I see. Not sure I completely understand your configuration and I haven't
worked with ISA servers, but these are my 2 cents. Just thinking logically
(although given that APIs are not necessarily logical, so take this with a
grain of suspicion), when you specify "identity impersonate" with userName
and password, your whole ASP.NET application should run under this identity
(instead of the default ASPNET account). If you do not explicitly set
credentials info, these credentials should be passed to the outbound calls.
So if you had a SQL server somewhere, you would be able to connect to it
using the application credentials without explicitly specifying them
(assuming that SQL server allows access by impersonated user). But in your
configuration there is an ISA server and a proxy server, so I do not know
how they handle credentials info (haven't worked with ISA at all and have
limited knowledge of proxy servers). For example, it may be a case that
proxy server needs explicit credentials to pass (delegate) them to the
external site (think of it as 3 systems: your Web server - proxy server -
external Web site). As I said, I am not an expert in this particular area,
so I may be wrong here. Hopefully someone more knowledgeable can answer your
question.
Alek
"Davide Bedin" <remove_davide@bedin.it> wrote in message
news:uWX8ILcAEHA.3004@TK2MSFTNGP10.phx.gbl...to> Thanks for the response.
> As I'm passing the credentials of the impersonated ASP.Net app account and
> not of the client account I don't see how I'm passing credentials from A[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemnetcredentialcacheclassdefaultcredentia lstopic.asp[/url]> B to C. From my point of view I'm passing credentials from B to C. This is
> the web.config setting:
> <identity impersonate="true" userName="user" password="password"/>
>
> So why I'm able to pass the default credentials (the credentials of the
> impersonated user account) to another web service with Windows
> authentication in order to be authenticated (or to access SQL Server with
> integrated security) but not to pass it to the proxy?
>
> From MSDN I read that DefaultCredentials in ASP.Net are the the default
> credentials are the user credentials of the logged-in user, or the user
> being impersonated
>(from>
> This code will run only if Kerberos delegation in enabled even If I'm not
> impersonating the client user?
> Dim proxy As New System.Net.WebProxy("proxy", True)
> proxy.Credentials = System.Net.CredentialCache.DefaultCredentials
> System.Net..Select = proxy
>
> This is quite confusing to me.
> Thank you for your help,
> Davide
>
> "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> ha scritto nel
> messaggio news:uXNYHbUAEHA.1032@TK2MSFTNGP10.phx.gbl...> > Davide,
> >
> > This is expected behavior. You can only use pass-through credentialsspecifying> are> > computer A through computer B to computer C) only if Kerberos/delegation> (just> > enabled on the network, which is not a recommended configuration (from
> > security perspective). There must be a few posts related to this issue> > do a search on keywords such as Kerberos, delegation, NTLM, IIS, etc).
> >
> > Alek
> >
> > "Davide Bedin" <remove_davide@bedin.it> wrote in message
> > news:OZH5moPAEHA.3352@TK2MSFTNGP09.phx.gbl...> > > I configured my asp.net 1.1 application to impersonate a specific user
> > > account that has the rights to access the web through the network ISA
> > > server.
> > >
> > > So I tried to access a web resource, an external web service,webproxy.Credentials> > the> > > ISA address for the webproxy class and setting the> => user.> > scenario> > > System.Net.CredentialCache.DefaultCredentials, I knew that in this> > > the DefaultCredentials would be the credentials of the impersonated> explicitly> > through> > >
> > > Using the default credentials doesn't let me access the web service> > > the ISA Server as I get a 407 Proxy Authentication Error. If I>> > impersonated> > > create a new credentials object using the same user info of the> > setting> > > user account everything works as expected.
> > >
> > > This sounds really strange to me, probably there is some additional> >> > > I might have set in a wrong way.
> > >
> > > Thanks,
> > > Davide
> > >
> > >
> >
>
Alek Davis Guest
Reply With QuoteSimilar Questions and Discussions
Posting Permissions
- You may not post new threads
- You may post replies
- You may not post attachments
- You may not edit your posts
