Passing windows credentials from server to server.

[Wade Wegner]

Hello,

I have been desperately trying to programmatically authenticate a windows
user, create their credentials, and then redirect them to a different server
while passing the credentials at the same time so that they don't have to
login again.

Specifically, I have two webservers in the same domain. When I have a user
go to Webserver A (which uses basic authentication) I programmatically
create either a user credential or impersonate a user context (for now it's
hardcoded, but in the future it would be entered in forms). Then, I want to
let that user access a page on Webserver B (which uses basic
authentication), but I don't want them to have to login again -- rather, I
want to use the user context that I programmatically created on Webserver A.

For instance, here is an example of the code I use to create the user
credentials:

Dim strURI = "http://www.whatever.com"
Dim myCred As New NetworkCredential("userid", "password", "domain")
Dim myURI As New Uri(strURI)
Dim myCache As New CredentialCache
myCache.Add(myURI, "Basic", myCred)

From this, I have attempted to use WebRequests and WebResponses to somehow
allow me to direct the browser to a different page, and use the credential I
have generated. The most I can do, however, is create the request and
receive the response:

Dim myWebRequest As System.Net.WebRequest =
System.Net.WebRequest.Create(strURI)
myWebRequest.Credentials = myCache
Dim myWebResponse As WebResponse = myWebRequest.GetResponse()

If only I could use the response.redirect method, and somehow pass the
credentials with the redirection (like you can with the webrequest), it
could work!

I have also attempted to use the LogonUser API (from the advapi32.dll), and
impersonate a user based on the proper logon information -- this works, and
I'm able to successfully impersonate the user, but again, I don't know how
to pass along the user context to a different page.

I know that many people will say "just use form based authentication," but
this will not work for me, as I want this to work with tools like Outlook
Web Access, which requires windows authentication.

Any help would be greatly appreciated. Thank you!!

Wade

[Andrea D'Onofrio [MSFT]]

Hi,
can you set on server B windows authentication? If yes, you can easily solve
your problem by turning on impersonation in server A's web.config.

HtH,
Andrea

"Wade Wegner" <wwegner23@hotmail.com> wrote in message
news:OEOFuaKzDHA.1196@TK2MSFTNGP12.phx.gbl...

> Hello,
>
> I have been desperately trying to programmatically authenticate a windows
> user, create their credentials, and then redirect them to a different

server

> while passing the credentials at the same time so that they don't have to
> login again.
>
> Specifically, I have two webservers in the same domain. When I have a

user

> go to Webserver A (which uses basic authentication) I programmatically
> create either a user credential or impersonate a user context (for now

it's

> hardcoded, but in the future it would be entered in forms). Then, I want

to

> let that user access a page on Webserver B (which uses basic
> authentication), but I don't want them to have to login again -- rather, I
> want to use the user context that I programmatically created on Webserver

A.

>
> For instance, here is an example of the code I use to create the user
> credentials:
>
> Dim strURI = "http://www.whatever.com"
> Dim myCred As New NetworkCredential("userid", "password", "domain")
> Dim myURI As New Uri(strURI)
> Dim myCache As New CredentialCache
> myCache.Add(myURI, "Basic", myCred)
>
> From this, I have attempted to use WebRequests and WebResponses to somehow
> allow me to direct the browser to a different page, and use the credential

I

> have generated. The most I can do, however, is create the request and
> receive the response:
>
> Dim myWebRequest As System.Net.WebRequest =
> System.Net.WebRequest.Create(strURI)
> myWebRequest.Credentials = myCache
> Dim myWebResponse As WebResponse = myWebRequest.GetResponse()
>
> If only I could use the response.redirect method, and somehow pass the
> credentials with the redirection (like you can with the webrequest), it
> could work!
>
> I have also attempted to use the LogonUser API (from the advapi32.dll),

and

> impersonate a user based on the proper logon information -- this works,

and

> I'm able to successfully impersonate the user, but again, I don't know how
> to pass along the user context to a different page.
>
> I know that many people will say "just use form based authentication,"

but

> this will not work for me, as I want this to work with tools like Outlook
> Web Access, which requires windows authentication.
>
> Any help would be greatly appreciated. Thank you!!
>
> Wade
>
>
>

[Wade Wegner]

I would be very interested to hear your explanation, and know how to do
it -- especially if it's easily solved.

FYI - below I did specify that Server B uses windows authentication.

Thanks,

Wade


"Andrea D'Onofrio [MSFT]" <andreado@online.microsoft.com> wrote in message
news:%23yYg8OszDHA.1676@TK2MSFTNGP12.phx.gbl...

> Hi,
> can you set on server B windows authentication? If yes, you can easily

solve

> your problem by turning on impersonation in server A's web.config.
>
> HtH,
> Andrea
>
> "Wade Wegner" <wwegner23@hotmail.com> wrote in message
> news:OEOFuaKzDHA.1196@TK2MSFTNGP12.phx.gbl...

> > Hello,
> >
> > I have been desperately trying to programmatically authenticate a

windows

> > user, create their credentials, and then redirect them to a different

> server

> > while passing the credentials at the same time so that they don't have

to

> > login again.
> >
> > Specifically, I have two webservers in the same domain. When I have a

> user

> > go to Webserver A (which uses basic authentication) I programmatically
> > create either a user credential or impersonate a user context (for now

> it's

> > hardcoded, but in the future it would be entered in forms). Then, I

want

> to

> > let that user access a page on Webserver B (which uses basic
> > authentication), but I don't want them to have to login again -- rather,

I

> > want to use the user context that I programmatically created on

Webserver

> A.

> >
> > For instance, here is an example of the code I use to create the user
> > credentials:
> >
> > Dim strURI = "http://www.whatever.com"
> > Dim myCred As New NetworkCredential("userid", "password", "domain")
> > Dim myURI As New Uri(strURI)
> > Dim myCache As New CredentialCache
> > myCache.Add(myURI, "Basic", myCred)
> >
> > From this, I have attempted to use WebRequests and WebResponses to

somehow

> > allow me to direct the browser to a different page, and use the

credential

> I

> > have generated. The most I can do, however, is create the request and
> > receive the response:
> >
> > Dim myWebRequest As System.Net.WebRequest =
> > System.Net.WebRequest.Create(strURI)
> > myWebRequest.Credentials = myCache
> > Dim myWebResponse As WebResponse = myWebRequest.GetResponse()
> >
> > If only I could use the response.redirect method, and somehow pass the
> > credentials with the redirection (like you can with the webrequest), it
> > could work!
> >
> > I have also attempted to use the LogonUser API (from the advapi32.dll),

> and

> > impersonate a user based on the proper logon information -- this works,

> and

> > I'm able to successfully impersonate the user, but again, I don't know

how

> > to pass along the user context to a different page.
> >
> > I know that many people will say "just use form based authentication,"

> but

> > this will not work for me, as I want this to work with tools like

Outlook

> > Web Access, which requires windows authentication.
> >
> > Any help would be greatly appreciated. Thank you!!
> >
> > Wade
> >
> >
> >

>
>

[Andrea D'Onofrio [MSFT]]

Hi,

> I would be very interested to hear your explanation, and know how to do
> it -- especially if it's easily solved.

ServerA -> Basic Authentication
ServerB -> Windows Integrated
You must turn on impersonation in ServerA web.config:
<authentication mode="Windows" />

<identity impersonate="true"></identity>

If you have a code like Response.Redirect([url]http://serverB/default.aspx[/url]) in a
ServerA page, IIS (automatically) succesfully authenticate the user (the
user must be a valid user for both serverA and ServerB) and you don't need
to write any additional code.

You will find more details about the issue in these articles:
283201 HOWTO: Use Delegation in Windows 2000 with COM+
[url]http://support.microsoft.com/?id=283201[/url]

287537 Using Basic Authentication to Generate Kerberos Tokens
[url]http://support.microsoft.com/?id=287537[/url]

> FYI - below I did specify that Server B uses windows authentication.
>

FYI, extracted from your original post:
....access a page on Webserver B (which uses basic
authentication), but I don't want them to have to login again ...

> Thanks,
> Wade

HtH,
Andrea

[Wade Wegner]

I have always thought that using the termi "windows authentication" referred
to the fact that you were authenticating to a windows account, and that it
qualified for both basic and NTLM. If I was incorrect, then I apologize.

Now ...

I have tried your suggestion, and I can get it to work under one context,
but not another. For isntance, when I authenticate the user on Server A,
and then have them click a button that redirects them to Server B, I get
prompted for login credentials. However, if I use a client-side vbScript to
redirect the user (window.location = "path.aspx"), then it works correctly.

Am I doing something incorrectly, or will this not work for response
redirect?

Thankis,

Wade

"Andrea D'Onofrio [MSFT]" <andreado@online.microsoft.com> wrote in message
news:uOu%230GvzDHA.1684@TK2MSFTNGP12.phx.gbl...

> Hi,

> > I would be very interested to hear your explanation, and know how to do
> > it -- especially if it's easily solved.

> ServerA -> Basic Authentication
> ServerB -> Windows Integrated
> You must turn on impersonation in ServerA web.config:
> <authentication mode="Windows" />
>
> <identity impersonate="true"></identity>
>
> If you have a code like Response.Redirect([url]http://serverB/default.aspx[/url]) in

a

> ServerA page, IIS (automatically) succesfully authenticate the user (the
> user must be a valid user for both serverA and ServerB) and you don't need
> to write any additional code.
>
> You will find more details about the issue in these articles:
> 283201 HOWTO: Use Delegation in Windows 2000 with COM+
> [url]http://support.microsoft.com/?id=283201[/url]
>
> 287537 Using Basic Authentication to Generate Kerberos Tokens
> [url]http://support.microsoft.com/?id=287537[/url]
>

> > FYI - below I did specify that Server B uses windows authentication.
> >

> FYI, extracted from your original post:
> ...access a page on Webserver B (which uses basic
> authentication), but I don't want them to have to login again ...
>

> > Thanks,
> > Wade

> HtH,
> Andrea
>
>
>
>

[Andrea D'Onofrio [MSFT]]

I've tested the scenario I suggested you on IIS 5.1 (both on ServerA and
ServerB) and all works fine with Response.Redirect (then server side code).
I don't know which servers there are in your scenario, but I think that, in
this context, there are no differences with IIS 5.0 or IIS 6.0. Try to
check:
- ServerA -> Basic Authentication and ServerB -> Windows Integrated are the
only options flagged
- the Enabled Integrated Windows Authentication in the Advenced IE options
is checked

HtH,
Andrea

"Wade Wegner" <wwegner23@hotmail.com> wrote in message
news:%23PbZGUxzDHA.1524@TK2MSFTNGP10.phx.gbl...

> I have always thought that using the termi "windows authentication"

referred

> to the fact that you were authenticating to a windows account, and that it
> qualified for both basic and NTLM. If I was incorrect, then I apologize.
>
> Now ...
>
> I have tried your suggestion, and I can get it to work under one context,
> but not another. For isntance, when I authenticate the user on Server A,
> and then have them click a button that redirects them to Server B, I get
> prompted for login credentials. However, if I use a client-side vbScript

to

> redirect the user (window.location = "path.aspx"), then it works

correctly.

>
> Am I doing something incorrectly, or will this not work for response
> redirect?
>
> Thankis,
>
> Wade
>
> "Andrea D'Onofrio [MSFT]" <andreado@online.microsoft.com> wrote in message
> news:uOu%230GvzDHA.1684@TK2MSFTNGP12.phx.gbl...

> > Hi,

> > > I would be very interested to hear your explanation, and know how to

do

> > > it -- especially if it's easily solved.

> > ServerA -> Basic Authentication
> > ServerB -> Windows Integrated
> > You must turn on impersonation in ServerA web.config:
> > <authentication mode="Windows" />
> >
> > <identity impersonate="true"></identity>
> >
> > If you have a code like Response.Redirect([url]http://serverB/default.aspx[/url])

in

> a

> > ServerA page, IIS (automatically) succesfully authenticate the user (the
> > user must be a valid user for both serverA and ServerB) and you don't

need

> > to write any additional code.
> >
> > You will find more details about the issue in these articles:
> > 283201 HOWTO: Use Delegation in Windows 2000 with COM+
> > [url]http://support.microsoft.com/?id=283201[/url]
> >
> > 287537 Using Basic Authentication to Generate Kerberos Tokens
> > [url]http://support.microsoft.com/?id=287537[/url]
> >

> > > FYI - below I did specify that Server B uses windows authentication.
> > >

> > FYI, extracted from your original post:
> > ...access a page on Webserver B (which uses basic
> > authentication), but I don't want them to have to login again ...
> >

> > > Thanks,
> > > Wade

> > HtH,
> > Andrea
> >
> >
> >
> >

>
>