Ask a Question related to ASP.NET Security, Design and Development.
-
Thomas Mueller-Lynch #1
Impersonation with NTLM
I want to use impersonation within a second thread of an httpwebrequest.
While configuring IIS with basic authentication everything works fine.
Changing to Integrated Windows Authentication the thread (which should return a secure web-page) returns the http status code 401.
My web.config looks like:
.....
<identity impersonate="true"/><authentication mode="Windows" />
.....
My Testpage looks like:
' Needs: Imports System.Net and Imports System.IO
dim url as String = "https://server/secure/index.html"
dim Req as HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)
Req.Method = "GET"
Req.ContentType = "application/x-www-form-urlencoded;charset=iso-8859-1"
Req.PreAuthenticate = true
if Request.ServerVariables("AUTH_TYPE") = "Basic" then
    ' Basic: forward the user name and password IIS received
    Req.Credentials = new System.Net.NetworkCredential(Request.ServerVariables("AUTH_USER"), Request.ServerVariables("AUTH_PASSWORD"))
else
    Req.Credentials = CredentialCache.DefaultCredentials
    ' Should impersonate the user in case of NTLM, shouldn't it???
end if
dim Resp as HttpWebResponse = DirectCast(Req.GetResponse(), HttpWebResponse)
dim Reader as StreamReader
dim strLine as String
Reader = new StreamReader(Resp.GetResponseStream())
' Write the response body to the page trace, line by line
while Reader.Peek() > -1
    strLine = Reader.ReadLine()
    Trace.Write(strLine)
end while
Reader.Close()
Resp.Close()
The included thread should impersonate the logged-on user (NTLM or Basic).
What did I do wrong?
Thomas
Thomas Mueller-Lynch Guest
-
Paul Glavich #2
Re: Impersonation with NTLM
At a guess, you are trying to do a "double hop" in that, you have used
windows auth/NTLM to logon to your web app, then that same security token to
go to another web site on another machine. Using NTLM, you cannot
impersonate a user, then use that impersonation to authenticate to another
machine (this is the double hop). Basic works because the credentials are
propagated in clear text as part of the Http header. NTLM used a security
token and cannot propagate the same token and be valid.
Kerberos can do it, but you still need to mark the user account as
"Delegateable". (Win2000+)
--
- Paul Glavich
Paul Glavich Guest
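The double-hop limit described in the reply above can be checked from inside the page before the outbound request is made, by looking at the authentication package and impersonation level of the token the thread is running under. This is an added example, not code from the thread; the module and function names are hypothetical, and it assumes .NET 2.0 or later for WindowsIdentity.ImpersonationLevel.

```vbnet
Imports System
Imports System.Security.Principal

' Added example, not from the thread. DoubleHopCheck and its members are
' hypothetical names. Call DescribeCurrentThread() from the .aspx page
' just before Req.GetResponse() and write the result to Trace.
Public Module DoubleHopCheck

    ' Decision logic kept free of IIS so it can be exercised in isolation.
    ' authType: WindowsIdentity.AuthenticationType, e.g. "NTLM" or "Kerberos".
    ' level:    WindowsIdentity.ImpersonationLevel of the thread token.
    Public Function DescribeOutboundHop(ByVal authType As String, _
            ByVal level As TokenImpersonationLevel) As String
        If level = TokenImpersonationLevel.Delegation Then
            Return "Delegation-level token: DefaultCredentials can authenticate to a second server."
        End If
        If level = TokenImpersonationLevel.None Then
            Return "Primary (process) token: the request is not impersonating the caller."
        End If
        If String.Equals(authType, "NTLM", StringComparison.OrdinalIgnoreCase) Then
            Return "NTLM token at level " & level.ToString() & _
                   ": cannot be used to authenticate to another machine (double hop)."
        End If
        If String.Equals(authType, "Kerberos", StringComparison.OrdinalIgnoreCase) Then
            Return "Kerberos token without delegation: check the delegation settings in Active Directory."
        End If
        Return "Level " & level.ToString() & " via '" & authType & "': outcome depends on the logon type."
    End Function

    ' Reads the identity an outbound HttpWebRequest would use with
    ' CredentialCache.DefaultCredentials (the thread token when impersonating).
    Public Function DescribeCurrentThread() As String
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Return id.Name & " -> " & DescribeOutboundHop(id.AuthenticationType, id.ImpersonationLevel)
    End Function

    Sub Main()
        ' Constructed inputs covering the two cases discussed in the thread.
        Console.WriteLine(DescribeOutboundHop("NTLM", TokenImpersonationLevel.Impersonation))
        Console.WriteLine(DescribeOutboundHop("Kerberos", TokenImpersonationLevel.Delegation))
        Console.WriteLine(DescribeCurrentThread())
    End Sub
End Module
```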
-
Paul Glavich #3
Re: Impersonation with NTLM
It may still be suffering the "double hop" syndrome if it thinks that the
page you are trying to access (even though it's on the same machine) is on
another machine. When you specify the "host" part of the URL is it as you
specified below (ie. https://server/....) or does it contain periods (eg.
https://my.server/...)?
Also, try it without using SSL (ie. http://server/....) to see what happens.
--
- Paul Glavich
"Thomas Mueller-Lynch" <thomas.mueller-lynch(remove)@siemens.com> wrote in
message news:C6C4D26E-9B93-4326-97F3-B78534E7EFA2@microsoft.com...
> In this case I have only one server.
> The aspx page which is running on my server is executing another page on the same server.
>
> Any ideas? Thanks in advance
>
> Thomas Mueller-Lynch
Paul Glavich Guest




