Integrated windows authentication and NetworkCredential

[sorpor]

Hi,

I have my asp.net webpage configured to use the integrated windows
authentication in IIS. I need to use NetworkCredential object to get access
to a webservice and I want to retrieve the authenticated user information to
create it so user doesn't have to re-enter password. How can I do that?

Thanks a lot!
-sorpor

[Paul Glavich [MVP - ASP.NET]]

This sounds like you want to pass an already authenticated user on your
server to another server. You cannot easily do this (its called delegation)
without specifically enabling this for the specific user account to be
delegated. Note that this only applies to Windows Integrated auth (as this
"limitation" is actually a security feature and the scenario you describe is
termed a "double hop" issue with security credentials.

Basic auth does not ehibit this behaviour as the security credentials are
embedded as part of the Http header and so are easily extracted and passed
on.

HTH

--
- Paul Glavich
Microsoft MVP - ASP.NET


"sorpor" <anonymous@discussions.microsoft.com> wrote in message
news:uzui#UxLEHA.2500@TK2MSFTNGP12.phx.gbl...

> Hi,
>
> I have my asp.net webpage configured to use the integrated windows
> authentication in IIS. I need to use NetworkCredential object to get

access

> to a webservice and I want to retrieve the authenticated user information

to

> create it so user doesn't have to re-enter password. How can I do that?
>
> Thanks a lot!
> -sorpor
>
>

[Joe Kaplan \(MVP - ADSI\)]

That said, if delegation is properly configured AND you are impersonating
the user who authenticated, you can get a valid credential object via:

System.Net.CredentialCache.DefaultCredentials

Delegating user's credentials is one of the most often asked about, hardest
to get working things that people try to do. You should find lots of
answers via Google searches.

Joe K.

"Paul Glavich [MVP - ASP.NET]" <glav@aspalliance.com-NOSPAM> wrote in
message news:OxWQ9HEMEHA.2584@TK2MSFTNGP12.phx.gbl...

> This sounds like you want to pass an already authenticated user on your
> server to another server. You cannot easily do this (its called

delegation)

> without specifically enabling this for the specific user account to be
> delegated. Note that this only applies to Windows Integrated auth (as this
> "limitation" is actually a security feature and the scenario you describe

is

> termed a "double hop" issue with security credentials.
>
> Basic auth does not ehibit this behaviour as the security credentials are
> embedded as part of the Http header and so are easily extracted and passed
> on.
>
> HTH
>
> --
> - Paul Glavich
> Microsoft MVP - ASP.NET
>
>
> "sorpor" <anonymous@discussions.microsoft.com> wrote in message
> news:uzui#UxLEHA.2500@TK2MSFTNGP12.phx.gbl...

> > Hi,
> >
> > I have my asp.net webpage configured to use the integrated windows
> > authentication in IIS. I need to use NetworkCredential object to get

> access

> > to a webservice and I want to retrieve the authenticated user

information

> to

> > create it so user doesn't have to re-enter password. How can I do that?
> >
> > Thanks a lot!
> > -sorpor
> >
> >

>
>

[Paul Glavich [MVP - ASP.NET]]

I should also point out (thanks to the clarification by Ken Shafer), that if
Kerberos is used, then delegation is possible, however if NTLM is used, then
delegation is not possible. This is a limitation with the NTLM protocol.

--
- Paul Glavich
Microsoft MVP - ASP.NET


"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:uPBzhyFMEHA.3348@TK2MSFTNGP09.phx.gbl...

> That said, if delegation is properly configured AND you are impersonating
> the user who authenticated, you can get a valid credential object via:
>
> System.Net.CredentialCache.DefaultCredentials
>
> Delegating user's credentials is one of the most often asked about,

hardest

> to get working things that people try to do. You should find lots of
> answers via Google searches.
>
> Joe K.
>
> "Paul Glavich [MVP - ASP.NET]" <glav@aspalliance.com-NOSPAM> wrote in
> message news:OxWQ9HEMEHA.2584@TK2MSFTNGP12.phx.gbl...

> > This sounds like you want to pass an already authenticated user on your
> > server to another server. You cannot easily do this (its called

> delegation)

> > without specifically enabling this for the specific user account to be
> > delegated. Note that this only applies to Windows Integrated auth (as

this

> > "limitation" is actually a security feature and the scenario you

describe

> is

> > termed a "double hop" issue with security credentials.
> >
> > Basic auth does not ehibit this behaviour as the security credentials

are

> > embedded as part of the Http header and so are easily extracted and

passed

> > on.
> >
> > HTH
> >
> > --
> > - Paul Glavich
> > Microsoft MVP - ASP.NET
> >
> >
> > "sorpor" <anonymous@discussions.microsoft.com> wrote in message
> > news:uzui#UxLEHA.2500@TK2MSFTNGP12.phx.gbl...

> > > Hi,
> > >
> > > I have my asp.net webpage configured to use the integrated windows
> > > authentication in IIS. I need to use NetworkCredential object to get

> > access

> > > to a webservice and I want to retrieve the authenticated user

> information

> > to

> > > create it so user doesn't have to re-enter password. How can I do

that?

> > >
> > > Thanks a lot!
> > > -sorpor
> > >
> > >

> >
> >

>
>