
Windows authentication for web service client?? - ASP.NET Web Services


  1. #1

    Windows authentication for web service client??

    hi all

    got a question here, a web service secure mode is set to "windows", on the
    client side when supplying the credentials, it's like this:

        somewebservice.Authentication ssoAuth = new somewebservice.Authentication();
        ssoAuth.PreAuthenticate = true;
        ssoAuth.Credentials = System.Net.CredentialCache.DefaultCredentials;

    from the info here

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemNetCredentialCacheClassDefaultCredentialsTopic.asp

    the defaultcredential should supply the current security context that the
    client is running, but in my case the client is another web service running
    on another server, now by default the account that the client (the calling
    web service) is running under ASPNET account,

    so on the host (somewebservice), I should add the clientdomain\ASPNET account
    into the windows account?






    Kevin Yu Guest

  2. #2

    Re: Windows authentication for web service client??

    The ASPNET account is a local account, so the other machine or domain wouldn't
    know about it. You can either run your web app under a different account,
    but that affects the rest of the code in there too. The other approach is
    to have a dedicated account (instead of using the current identity of ASPNET)
    that you can use to do the authentication and then use those credentials
    from the client.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen




    Brock Allen Guest

  3. #3

    Re: Windows authentication for web service client??

    I think impersonation will do: enable impersonation but don't specify the
    user, and use code to call the web service with a different username/password.

    Kevin Yu Guest

  4. #4

    Re: Windows authentication for web service client??

    But the problem with impersonation in code is: after the LogonUser() Win32
    call, will the DefaultCredentials be set to the new credentials then?

    Kevin Yu Guest

  5. #5

    Re: Windows authentication for web service client??

    I'm having a similar problem.

    I have a web service that makes a WebDAV request to Exchange.

    I have impersonation on, but when I use the defaultCredentials in the web
    services to make the WebDAV request I get an Unauthorized 401 error. My
    credentials have rights to make this request and I'm at my wits' end trying
    to figure it out.

    The service works if I hard code my Network credentials in the service but
    does not otherwise.

    Any help with this would also be appreciated.

    Thanks,
    Dan

    solex Guest

  6. #6

    Re: Windows authentication for web service client??



    "solex" <solexsomewhere.com> wrote in message
    news:%23sSDjOSQFHA.244TK2MSFTNGP12.phx.gbl...
    > I'm having a similar problem
    >
    > I have a web service that make a webDav request to Exchange.
    >
    > I have impersonation on but when I use the defaultCredentials in the web
    > services to make the webdav reqeust I get an Unauthorized 401 error. My
    > credentials have rights to make this request and I'm at my wits end trying
    > to figure it out.
    >
    > The service works if I hard code my Network credentials in the service but
    > does not otherwise.

    Hardcoded into your code? Create a credential instead of using the
    DefaultCredentials?

    I thought one can only create a credential for "basic" or "digest"
    authentication mode.

    I tried implicit impersonation and it won't work: even if you are
    impersonating, the web service has to put the credential on the SOAP message
    in order for it to be authenticated, because that's all the hosting service
    sees when interacting with each other. I don't want to do explicit
    impersonation.

    In .NET 2.0 there will be better support, or even WSE 2.0, but these are not
    options for me here, since if we were to use WSE 2.0 there would be a long
    process of paperwork and testing and questioning.....





    Kevin Yu Guest

  7. #7

    Re: Windows authentication for web service client??

    Kevin,
    Thanks for responding, if you (or anyone) sees anything obviously wrong
    with the below summary please let me know.

    Thanks,
    Dan

    I have the following settings.

    Web config:

        <authentication mode="Windows" />
        <identity impersonate="true" />

    IIS:
    Anonymous access has been disabled and Integrated Security is the
    only access that is enabled.

    Client:
    When calling the web service I make sure that I am passing the
    defaultCredentials from the CredentialCache.

    I hardcoded a credential using the following code and it works:

        Dim Response As System.Net.HttpWebResponse
        Dim Request As HttpWebRequest = CType(WebRequest.Create(URI), HttpWebRequest)
        ' Explicit credential, registered for this URI and the NTLM scheme only
        Dim MyCredentialCache = New System.Net.CredentialCache
        MyCredentialCache.Add(New System.Uri(URI), "NTLM", _
            New System.Net.NetworkCredential("myUserID", "myPassword", "myDomain"))

        Request.Credentials = MyCredentialCache

        ' make my HTTP WebDAV request here ...

        Return (Response)

    But this does not work:

        Dim Response As System.Net.HttpWebResponse
        Dim Request As HttpWebRequest = CType(WebRequest.Create(URI), HttpWebRequest)

        Request.Credentials = CredentialCache.DefaultCredentials
        ' make my HTTP WebDAV request here ...

        Return (Response)

    Nor does this:

        Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
        Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity

        ' Impersonate the authenticated caller of this web service
        currentWindowsIdentity = CType(mobjUser.Identity, System.Security.Principal.WindowsIdentity)
        impersonationContext = currentWindowsIdentity.Impersonate()

        Dim Response As System.Net.HttpWebResponse
        Dim Request As HttpWebRequest = CType(WebRequest.Create(URI), HttpWebRequest)

        Request.Credentials = CredentialCache.DefaultCredentials

        ' make my HTTP WebDAV request here ...

        impersonationContext.Undo()

        Return (Response)

    solex Guest

  8. #8

    Re: Windows authentication for web service client??


    "solex" <solexsomewhere.com> wrote in message
    news:%23wMk7BdQFHA.3076tk2msftngp13.phx.gbl...
    > Kevin,
    > Thanks for responding, if you (or anyone) sees anything obviously wrong
    > with the below summary please let me know.
    >
    > Thanks,
    > Dan
    >
    > I have the following settings
    > Web config:
    > <authentication mode="Windows" />
    > <identity impersonate="true" />
    >
    > IIS:
    > Anonymous access has been disabled and Integrated Security is the
    > only access that is enabled.
    >
    > Client:
    > When calling the web service I make sure that I am passing the
    > defaultCredentials from the CredentialCache.
    >
    > I hardcoded a credential using the following code and it works
    >
    > Dim Response As System.Net.HttpWebResponse
    > Dim Request As HttpWebRequest = CType(WebRequest.Create(URI), HttpWebRequest)
    > Dim MyCredentialCache = New System.Net.CredentialCache
    > MyCredentialCache.Add(New System.Uri(URI), "NTLM", _
    >     New System.Net.NetworkCredential("myUserID", "myPassword", "myDomain"))
    >
    > Request.Credentials = MyCredentialCache
    >
    > make my http WEBDAV request here ...
    >
    > Return (Response)
    >
    > But this does not work:
    >
    > Dim Response As System.Net.HttpWebResponse
    > Dim Request As HttpWebRequest = CType(WebRequest.Create(URI), HttpWebRequest)
    >
    > Request.Credentials = CredentialCache.DefaultCredentials
    > make my http WEBDAV request here ...
    >
    > Return (Response)
    >
    OK. CredentialCache.DefaultCredentials will return the credentials that the
    client is running under, so it doesn't matter what you set before the line:

        Request.Credentials = CredentialCache.DefaultCredentials

    It will always return the default credential for the request. But in the
    working code, since you set credentials in the CredentialCache for that
    particular request URI, when the client makes calls to the destination
    service it will use that credential for the request; that's why it works.

    > Nor does this:
    >
    > Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
    > Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
    >
    > currentWindowsIdentity = CType(mobjUser.Identity, System.Security.Principal.WindowsIdentity)
    > impersonationContext = currentWindowsIdentity.Impersonate()
    >
    > Dim Response As System.Net.HttpWebResponse
    > Dim Request As HttpWebRequest = CType(WebRequest.Create(URI), HttpWebRequest)
    >
    > Request.Credentials = CredentialCache.DefaultCredentials
    >
    > make my http WEBDAV request here ...
    >
    > impersonationContext.Undo()
    >
    > Return (Response)
    >
    I have tried the same approach using implicit impersonation. What you are
    doing here is the same as using this line:

        Request.Credentials = CredentialCache.DefaultCredentials

    since you use this call to get the current identity:

        currentWindowsIdentity = CType(mobjUser.Identity, System.Security.Principal.WindowsIdentity)

    and then you do this:

        Request.Credentials = CredentialCache.DefaultCredentials

    thus in fact you are doing the same thing twice.

    It seems that doing impersonation won't change the default credential:
    Request.Credentials = CredentialCache.DefaultCredentials will always return
    the credentials that the client is running under, as I mentioned above.

    I use this code from MSDN to do impersonation:

        #region Public Methods

        // Log on as _userName and impersonate that account on the current thread.
        // Returns true when impersonation is in effect.
        public bool ImpersonateValidUser()
        {
            WindowsIdentity tempWindowsIdentity;
            IntPtr token = IntPtr.Zero;
            IntPtr tokenDuplicate = IntPtr.Zero;

            // Drop any impersonation already in effect before logging on.
            if (RevertToSelf())
            {
                if (LogonUserA(_userName, _domain, _password, LOGON32_LOGON_INTERACTIVE,
                    LOGON32_PROVIDER_DEFAULT, ref token) != 0)
                {
                    // 2 = SecurityImpersonation
                    if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
                    {
                        tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
                        impersonationContext = tempWindowsIdentity.Impersonate();
                        if (impersonationContext != null)
                        {
                            CloseHandle(token);
                            CloseHandle(tokenDuplicate);
                            return true;
                        }
                    }
                }
            }

            // Failure path: release whatever handles were opened.
            if (token != IntPtr.Zero)
                CloseHandle(token);
            if (tokenDuplicate != IntPtr.Zero)
                CloseHandle(tokenDuplicate);
            return false;
        }

        // reverse the security context
        public void UndoImpersonation()
        {
            if (impersonationContext != null)
                impersonationContext.Undo();
        }

        #endregion

        #region Win32 calls

        [DllImport("advapi32.dll")]
        private static extern int LogonUserA(String lpszUserName,
            String lpszDomain,
            String lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            ref IntPtr phToken);

        [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
        private static extern int DuplicateToken(IntPtr hToken,
            int impersonationLevel,
            ref IntPtr hNewToken);

        [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
        private static extern bool RevertToSelf();

        [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
        private static extern bool CloseHandle(IntPtr handle);

        #endregion

        } // end of the enclosing class (its declaration was not included in the post)

    In conclusion, only when the correct credential is in the CredentialCache for
    that request (that particular URI) does the request have access permission.

    Thanks for your code. I will give it a try.




    Kevin Yu Guest

  9. #9

    Default Re: Windows authentication for web service client??

    Kevin,

    My problem is that the DefaultCredentials is NOT working. If I hard code
    the credentials using my uid/password and domain it works fine as shown in
    my first example.

    Ideally I want the web service and a subsequent call to Exchange (via
    WebDAV) to run completely under the users id.

    Thanks,
    Dan


    "Kevin Yu" <koo9hotmail.com> wrote in message
    news:etWV4kCRFHA.508TK2MSFTNGP12.phx.gbl...
    >
    > "solex" <solexsomewhere.com> wrote in message
    > news:%23wMk7BdQFHA.3076tk2msftngp13.phx.gbl...
    >> Kevin,
    >> Thanks for responding, if you (or anyone) sees anything obviously wrong
    >> with the below summary please let me know.
    >>
    >> Thanks,
    >> Dan
    >>
    >> I have the following settings
    >> Web config:
    >>     <authentication mode="Windows" />
    >>     <identity impersonate="true" />
    >>
    >> IIS:
    >>     Anonymous access has been disabled and Integrated Security is the
    >>     only access that is enabled.
    >>
    >> Client:
    >>     When calling the web service I make sure that I am passing the
    >>     defaultCredentials from the CredentialCache.
    >>
    >> I hardcoded a credential using the following code and it works
    >>
    >>     Dim Response As System.Net.HttpWebResponse
    >>     Dim Request As HttpWebRequest = CType(WebRequest.Create(URI), HttpWebRequest)
    >>     Dim MyCredentialCache As New System.Net.CredentialCache()
    >>     MyCredentialCache.Add(New System.Uri(URI), "NTLM", _
    >>         New System.Net.NetworkCredential("myUserID", "myPassword", "myDomain"))
    >>
    >>     Request.Credentials = MyCredentialCache
    >>
    >>     ' make my http WEBDAV request here ...
    >>
    >>     Return (Response)
    >>
    >> But this does not work:
    >>
    >>     Dim Response As System.Net.HttpWebResponse
    >>     Dim Request As HttpWebRequest = CType(WebRequest.Create(URI), HttpWebRequest)
    >>
    >>     Request.Credentials = CredentialCache.DefaultCredentials
    >>     ' make my http WEBDAV request here ...
    >>
    >>     Return (Response)
    >>
    >
    > ok. CredentialCache.DefaultCredentials will return the credentials that
    > client is running under.
    > so it doesn't matter what you set before the line:
    >
    >     Request.Credentials = CredentialCache.DefaultCredentials
    >
    > it will always return the default credential for the request, but in the
    > working code, since you set credentials in the credentialscache for that
    > particular request URI, so that when the client making calls to the
    > destinated service, it will use that credential for the request, that's
    > why it works.
    >
    >> Nor does this:
    >>
    >>     Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
    >>     Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
    >>
    >>     currentWindowsIdentity = CType(mobjUser.Identity, _
    >>         System.Security.Principal.WindowsIdentity)
    >>     impersonationContext = currentWindowsIdentity.Impersonate()
    >>
    >>     Request.Credentials = CredentialCache.DefaultCredentials
    >>     Dim Response As System.Net.HttpWebResponse
    >>     Dim Request As HttpWebRequest = CType(WebRequest.Create(URI), HttpWebRequest)
    >>
    >>     Request.Credentials = CredentialCache.DefaultCredentials
    >>
    >>     ' make my http WEBDAV request here ...
    >>
    >>     impersonationContext.Undo()
    >>
    >>     Return (Response)
    >>
    >
    > I have tried the same approach using implicit impersonation, what you are
    > doing here is the same as using this line:
    > Request.Credentials = CredentialCache.DefaultCredentials
    > since you use this call to get the current identity:
    > currentWindowsIdentity = CType(mobjUser.Identity,
    > System.Security.Principal.WindowsIdentity), then you do this:
    > Request.Credentials = CredentialCache.DefaultCredentials
    > thus in fact you are doing the same thing twice.
    >
    > it seems that doing impersonation won't change the defaultcredential,
    > Request.Credentials = CredentialCache.DefaultCredentials
    > will always return the credentials that the client is running under as I
    > mentioned above.
    >
    > I use this code from msdn to do impersonation:
    >
    > #region Public Methods
    >
    > public bool ImpersonateValidUser()
    > {
    >     WindowsIdentity tempWindowsIdentity;
    >     IntPtr token = IntPtr.Zero;
    >     IntPtr tokenDuplicate = IntPtr.Zero;
    >
    >     if (RevertToSelf())
    >     {
    >         if (LogonUserA(_userName, _domain, _password, LOGON32_LOGON_INTERACTIVE,
    >             LOGON32_PROVIDER_DEFAULT, ref token) != 0)
    >         {
    >             // 2 = SecurityImpersonation
    >             if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
    >             {
    >                 tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
    >                 impersonationContext = tempWindowsIdentity.Impersonate();
    >                 if (impersonationContext != null)
    >                 {
    >                     CloseHandle(token);
    >                     CloseHandle(tokenDuplicate);
    >                     return true;
    >                 }
    >             }
    >         }
    >     }
    >
    >     // logon or impersonation failed: release whatever handles were opened
    >     if (token != IntPtr.Zero)
    >         CloseHandle(token);
    >     if (tokenDuplicate != IntPtr.Zero)
    >         CloseHandle(tokenDuplicate);
    >     return false;
    > }
    >
    > //reverse the security context
    > public void UndoImpersonation()
    > {
    >     if (impersonationContext != null)
    >         impersonationContext.Undo();
    > }
    >
    > #endregion
    >
    > #region Win32 calls
    >
    > [DllImport("advapi32.dll")]
    > private static extern int LogonUserA(String lpszUserName,
    >     String lpszDomain,
    >     String lpszPassword,
    >     int dwLogonType,
    >     int dwLogonProvider,
    >     ref IntPtr phToken);
    >
    > [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    > private static extern int DuplicateToken(IntPtr hToken,
    >     int impersonationLevel,
    >     ref IntPtr hNewToken);
    >
    > [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    > private static extern bool RevertToSelf();
    >
    > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > private static extern bool CloseHandle(IntPtr handle);
    >
    > #endregion
    >
    > }
    >
    > in conclusion, only when the correct credential is in the credentialsCache
    > for that request (that particular URI) does the request have access
    > permission.
    >
    > thanks for your code. I will give it a try.
    >
    >>
    >> "Kevin Yu" <koo9hotmail.com> wrote in message
    >> news:u0yUSScQFHA.580TK2MSFTNGP15.phx.gbl...
    >> >
    >> > "solex" <solexsomewhere.com> wrote in message
    >> > news:%23sSDjOSQFHA.244TK2MSFTNGP12.phx.gbl...
    >> >> I'm having a similar problem
    >> >>
    >> >> I have a web service that makes a webDav request to Exchange.
    >> >>
    >> >> I have impersonation on but when I use the defaultCredentials in the web
    >> >> services to make the webdav request I get an Unauthorized 401 error. My
    >> >> credentials have rights to make this request and I'm at my wits end trying
    >> >> to figure it out.
    >> >>
    >> >> The service works if I hard code my Network credentials in the service but
    >> >> does not otherwise.
    >> >
    >> > Hardcoded into your code? create a credential instead of using the
    >> > defaultcredentials?
    >> >
    >> > I thought one can only create credential for "basic" or "digest"
    >> > authentication mode.
    >> >
    >> > I try implicit impersonation, it won't work, even if you are impersonating,
    >> > the web service has to put the credential on the soap message in order for
    >> > it to be authenticated, because that's all the hosting service see when
    >> > interacting with each other. don't want to do explicit impersonation.
    >> >
    >> > in .net 2.0, there will be a better support or even WSE 2.0, but this is
    >> > not my options here.
    >> > since if we were to use WSE 2.0, there will be a long process of paper work
    >> > and testing and questioning.....
    >> >
    >> >>
    >> >> Any help with this would also be appreciated.
    >> >>
    >> >> Thanks,
    >> >> Dan
    >> >>
    >> >> "Kevin Yu" <koo9hotmail.com> wrote in message
    >> >> news:eOariLKQFHA.1476TK2MSFTNGP09.phx.gbl...
    >> >> > but the problem with impersonation in the code is after LogonUser() win32
    >> >> > call, will the defaultcredentials be set to the new credentials then?
    >> >> >
    >> >> > "Kevin Yu" <koo9hotmail.com> wrote in message
    >> >> > news:OEbaAMIQFHA.2356TK2MSFTNGP14.phx.gbl...
    >> >> >> I think impersonation will do, enable impersonation but don't specified
    >> >> >> the user, use code call the web service with a different
    >> >> >> username/password.

    solex Guest
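
Added example (C#, not code from any poster in this thread): it logs the security context on the calling thread before the outbound WebDAV request, and builds the per-URI credential cache from the working snippet for a dedicated account, as Brock suggests, without the password in source. It assumes .NET Framework 2.0 or later on Windows; the class name, environment-variable names, account and URLs are hypothetical.

```csharp
using System;
using System.Net;
using System.Security.Principal;

public static class WebDavOutboundAuth
{
    // Report the identity the outbound call would run as. Log this right before
    // the WebDAV request to see whether impersonation is in effect on the thread.
    public static string DescribeContext()
    {
        using (WindowsIdentity effective = WindowsIdentity.GetCurrent())
        using (WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true))
        {
            // GetCurrent(true) returns null when the thread is not impersonating.
            return string.Format("user={0} auth={1} impersonating={2} level={3}",
                effective.Name, effective.AuthenticationType,
                impersonated != null, effective.ImpersonationLevel);
        }
    }

    // Read the dedicated account from the environment instead of source code.
    // The variable names are hypothetical; a protected config section works too.
    public static NetworkCredential LoadServiceCredential()
    {
        string user = Environment.GetEnvironmentVariable("WEBDAV_SVC_USER");
        string password = Environment.GetEnvironmentVariable("WEBDAV_SVC_PASSWORD");
        string domain = Environment.GetEnvironmentVariable("WEBDAV_SVC_DOMAIN");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            throw new InvalidOperationException("Service account is not configured.");
        return new NetworkCredential(user, password, domain ?? string.Empty);
    }

    // Bind the credential to one URI prefix and one authentication scheme, so
    // it is only offered to that server and only for that scheme.
    public static CredentialCache BuildScopedCache(Uri prefix, string scheme,
                                                   NetworkCredential credential)
    {
        bool isBasic = string.Equals(scheme, "Basic", StringComparison.OrdinalIgnoreCase);
        if (isBasic && prefix.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Basic sends the password; require HTTPS.");
        CredentialCache cache = new CredentialCache();
        cache.Add(prefix, scheme, credential);
        return cache;
    }

    // Create (but do not send) a request that uses only the scoped cache.
    public static HttpWebRequest CreateRequest(Uri target, CredentialCache cache)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(target);
        request.Credentials = cache;
        return request;
    }

    public static void Main()
    {
        Console.WriteLine(DescribeContext());

        // Constructed sample values so the demo runs offline; production code
        // would call LoadServiceCredential() instead.
        NetworkCredential sample =
            new NetworkCredential("svc-webdav", "constructed-sample", "EXAMPLE");
        Uri prefix = new Uri("https://mail.example.test/exchange/");
        CredentialCache cache = BuildScopedCache(prefix, "NTLM", sample);

        Uri inScope = new Uri("https://mail.example.test/exchange/user1/inbox/");
        Uri otherHost = new Uri("https://other.example.test/exchange/");

        // Matches: same prefix and same scheme.
        Console.WriteLine(cache.GetCredential(inScope, "NTLM") != null);
        // No match: different host, so the credential is not offered there.
        Console.WriteLine(cache.GetCredential(otherHost, "NTLM") != null);
        // No match: the cache was not scoped to this scheme.
        Console.WriteLine(cache.GetCredential(inScope, "Basic") != null);

        HttpWebRequest request = CreateRequest(inScope, cache);
        request.Method = "PROPFIND"; // WebDAV verb; nothing is sent in this demo
        Console.WriteLine(request.Method + " " + request.RequestUri);
    }
}
```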

  10. #10

    Default Re: Windows authentication for web service client??

    Dan

    The bottom line is when you enable integrated windows authentication for a
    service (web app, web service etc) the client needs to supply proper
    credential to the service. now as I mention, DefaultCredentials will always
    return the credential that the client is running under. so by default, the
    web service is running ASPNET account. you can however config the web
    service (I assume that's the client) to run under a different account.

    I am not sure what you mean "users id" here, if you mean the login users,
    then you can set the impersonate=true in the web.config file. so that calls
    to the WebDAV will use the login users' credentials.

    HTH

    Kevin




    Kevin Yu Guest

  11. #11

    Default Re: Windows authentication for web service client??

    Kevin,

    I appreciate your response.

    I guess what I am saying here is that it is not working as advertised. I
    must put together a sample example, but for some reason the users
    credentials are lost when making the WebDAV request. I get a 401
    unauthorized error.

    Thanks,
    Dan




    "Kevin Yu" <koo9hotmail.com> wrote in message
    news:eQY0VXERFHA.4028tk2msftngp13.phx.gbl...
    > Dan
    >
    > The bottom line is when enable integrated windows authentication for a
    > service (web app, web service etc)
    > the client need to supply proper credential to the service. now as I
    > memtion, DefaultCredentials will always
    > return the credential that the client is running under. so by default, the
    > web service is running ASPNET account.
    > you can however config the web service(I assume that's the client) to run
    > under a different account.
    >
    > I am not sure what you mean "users id" here, if you mean the login users,
    > then you can set the impersonate=true
    > in the web.config file. so that calls to the WebDAV will use the login
    > users' credentials.
    >
    > HTH
    >
    > Kevin
    >
    >
    >
    > "solex" <solexsomewhere.com> wrote in message
    > news:%2373WxyDRFHA.2736TK2MSFTNGP09.phx.gbl...
    >> Kevin,
    >>
    >> My problem is that the DefaultCredentials is NOT working. If I hard code
    >> the credentials using my uid/password and domain it works fine as shown
    >> in
    >> my first example.
    >>
    >> Ideally I want the web service and a subsequent call to Exchange (via
    >> WebDAV) to run completely under the users id.
    >>
    >> Thanks,
    >> Dan
    >>
    >>
    >> "Kevin Yu" <koo9hotmail.com> wrote in message
    >> news:etWV4kCRFHA.508TK2MSFTNGP12.phx.gbl...
    >> >
    >> > "solex" <solexsomewhere.com> wrote in message
    >> > news:%23wMk7BdQFHA.3076tk2msftngp13.phx.gbl...
    >> >> Kevin,
    >> >> Thanks for responding, if you (or anyone) sees anything obviously
    > wrong
    >> >> with the below summary please let me know.
    >> >>
    >> >> Thanks,
    >> >> Dan
    >> >>
    >> >> I have the following settings
    >> >> Web config:
    >> >> <authentication mode="Windows" />
    >> >> <identity impersonate="true" />
    >> >>
    >> >> IIS:
    >> >> Anonymous access has been disabled and Integraged Security is
    > the
    >> >> only access that is enabled.
    >> >>
    >> >> Client:
    >> >> When calling the web service I make sure that I am passing the
    >> >> defaultCredentials from the CredentialCache.
    >> >>
    >> >> I hardcoded a credential using the following code and it works
    >> >>
    >> >> Dim Response As System.Net.HttpWebResponse
    >> >> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
    >> >> HttpWebRequest)
    >> >> Dim MyCredentialCache = New System.Net.CredentialCache
    >> >> MyCredentialCache.Add(New System.Uri(URI), "NTLM", _
    >> >> New System.Net.NetworkCredential("myUserID", "myPassword",
    >> > "myDomain"))
    >> >>
    >> >> Request.Credentials = MyCredentialCache
    >> >>
    >> >> make my http WEBDAV request here ...
    >> >>
    >> >> Return (Response)
    >> >>
    >> >> But this does not work:
    >> >>
    >> >> Dim Response As System.Net.HttpWebResponse
    >> >> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
    >> >> HttpWebRequest)
    >> >>
    >> >> Request.Credentials = CredentialCache.DefaultCredentials
    >> >> make my http WEBDAV request here ...
    >> >>
    >> >> Return (Response)
    >> >>
    >> >
    >> > ok. CredentialCache.DefaultCredentials will return the credentials that
    >> > client is running under.
    >> > so it doens't matter what you set before the line:
    >> >
    >> > Request.Credentials = CredentialCache.DefaultCredentials
    >> >
    >> > it will always return the default credential for the request, but in
    >> > the
    >> > working code, since you set
    >> > credentials in the credentialscache for that particular request URI, so
    >> > that
    >> > when the client making
    >> > calls to the destinated service, it will use that credential for the
    >> > request, that's why it works.
    >> >
    >> >
    >> >> Nor does this:
    >> >>
    >> >> Dim impersonationContext As
    >> >> System.Security.Principal.WindowsImpersonationCont ext
    >> >> Dim currentWindowsIdentity As
    >> > System.Security.Principal.WindowsIdentity
    >> >>
    >> >> currentWindowsIdentity = CType(mobjUser.Identity,
    >> >> System.Security.Principal.WindowsIdentity)
    >> >> impersonationContext = currentWindowsIdentity.Impersonate()
    >> >>
    >> >> Request.Credentials = CredentialCache.DefaultCredentials
    >> >> Dim Response As System.Net.HttpWebResponse
    >> >> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
    >> >> HttpWebRequest)
    >> >>
    >> >> Request.Credentials = CredentialCache.DefaultCredentials
    >> >>
    >> >> make my http WEBDAV request here ...
    >> >>
    >> >> impersonationContext.Undo()
    >> >>
    >> >> Return (Response)
    >> >>
    >> >
    >> > I have try the same approach using implicity impersonation, what you
    >> > are
    >> > doing here
    >> > is the same as using this line: Request.Credentials =
    >> > CredentialCache.DefaultCredentials
    >> > since you use this call to get the current identity:
    >> > currentWindowsIdentity
    >> > = CType(mobjUser.Identity,
    >> >> System.Security.Principal.WindowsIdentity), then you do this:
    >> > Request.Credentials = CredentialCache.DefaultCredentials
    >> > thus in fact you are doing the same thing twice.
    >> >
    >> > it seems that doing impersonation won't change the
    >> > defaultcredential, Request.Credentials =
    >> > CredentialCache.DefaultCredentials
    >> > will always return the credentials that the client is running under as
    >> > I
    >> > mentioned
    >> > above.
    >> >
    >> > I use this code from msdn to do impersonation:
    >> >
    >> > // requires: using System.Runtime.InteropServices; using System.Security.Principal;
    >> > #region Public Methods
    >> >
    >> > public bool ImpersonateValidUser()
    >> > {
    >> >     WindowsIdentity tempWindowsIdentity;
    >> >     IntPtr token = IntPtr.Zero;
    >> >     IntPtr tokenDuplicate = IntPtr.Zero;
    >> >
    >> >     if (RevertToSelf())
    >> >     {
    >> >         if (LogonUserA(_userName, _domain, _password, LOGON32_LOGON_INTERACTIVE,
    >> >                        LOGON32_PROVIDER_DEFAULT, ref token) != 0)
    >> >         {
    >> >             // 2 = SecurityImpersonation
    >> >             if (DuplicateToken(token, 2, ref tokenDuplicate) != 0)
    >> >             {
    >> >                 tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
    >> >                 impersonationContext = tempWindowsIdentity.Impersonate();
    >> >                 if (impersonationContext != null)
    >> >                 {
    >> >                     CloseHandle(token);
    >> >                     CloseHandle(tokenDuplicate);
    >> >                     return true;
    >> >                 }
    >> >             }
    >> >         }
    >> >     }
    >> >
    >> >     // failure path: release whatever handles were opened
    >> >     if (token != IntPtr.Zero)
    >> >         CloseHandle(token);
    >> >     if (tokenDuplicate != IntPtr.Zero)
    >> >         CloseHandle(tokenDuplicate);
    >> >     return false;
    >> > }
    >> >
    >> > //reverse the security context
    >> > public void UndoImpersonation()
    >> > {
    >> >     if (impersonationContext != null)
    >> >         impersonationContext.Undo();
    >> > }
    >> >
    >> > #endregion
    >> >
    >> > #region Win32 calls
    >> >
    >> > [DllImport("advapi32.dll")]
    >> > private static extern int LogonUserA(String lpszUserName,
    >> >     String lpszDomain,
    >> >     String lpszPassword,
    >> >     int dwLogonType,
    >> >     int dwLogonProvider,
    >> >     ref IntPtr phToken);
    >> >
    >> > [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    >> > private static extern int DuplicateToken(IntPtr hToken,
    >> >     int impersonationLevel,
    >> >     ref IntPtr hNewToken);
    >> >
    >> > [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    >> > private static extern bool RevertToSelf();
    >> >
    >> > [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    >> > private static extern bool CloseHandle(IntPtr handle);
    >> >
    >> > #endregion
    >> >
    >> > } // closes the enclosing class, whose opening lines were not posted
    >> >
    >> > in conclusion, only when the correct credential is in the credentialsCache
    >> > for that request (that particular URI) does the request have access
    >> > permission.
    >> >
    >> > thanks for your code. I will give it a try.

    solex Guest

  12. #12

    Default Re: Windows authentication for web service client??

    If you are posting to WEBDAV it is my understanding that you cannot use
    Integrated authentication since you HAVE to pass it the username and the
    password in the network credentials. I was going to try to write some
    information to user's calendars and saw several articles on doing it via
    WEBDAV. However, you have to ask them for their password and pass it
    along. This makes it totally useless as far as I am concerned.

    If someone knows a way to not have to pass the password through that
    would be great but I haven't seen anything on how to do it anywhere.

    -Keith


    solex wrote:
    > Kevin,
    >
    > I appreciate your response.
    >
    > I guess what I am saying here is that it is not working as advertised. I
    > must put together a sample example, but for some reason the users
    > credentials are lost when making the WebDAV request. I get a 401
    > unauthorized error.
    >
    > Thanks,
    > Dan
    >
    Keith Elder Guest
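
Added example, not part of the thread: post #12 says the WebDAV call only works when a username and password are supplied explicitly, and the working snippet earlier in the thread hard-codes them. The C# below reports which identity and impersonation level the thread has before the outbound call, and scopes an explicit service-account credential to one host instead of embedding the password in source. The class, method and environment-variable names and the URL are hypothetical, and `ImpersonationLevel` requires .NET 2.0 or later.

```csharp
using System;
using System.Net;
using System.Security.Principal;

// Added illustration, not code from the thread. All names here are hypothetical.
public static class OutboundAuthExample
{
    // Reports the Windows identity the current thread is running as. When
    // ASP.NET impersonation is active this is the impersonated caller;
    // otherwise it is the worker-process account.
    public static string DescribeCaller()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // TokenImpersonationLevel.Impersonation is valid on the local
            // machine only; Delegation is needed before the token can be used
            // to authenticate to a remote server. A primary (process) token
            // reports None.
            return String.Format("{0} (auth={1}, level={2})",
                id.Name, id.AuthenticationType, id.ImpersonationLevel);
        }
    }

    // Builds a request that authenticates either with the thread's own
    // identity or with a dedicated service account.
    public static HttpWebRequest CreateRequest(Uri target, bool useServiceAccount)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(target);
        if (!useServiceAccount)
        {
            request.Credentials = CredentialCache.DefaultCredentials;
            return request;
        }

        // Assumed variable names. The point is that the secret comes from
        // the deployment environment, not from a string literal in the code.
        string user = Environment.GetEnvironmentVariable("SVC_WEBDAV_USER");
        string password = Environment.GetEnvironmentVariable("SVC_WEBDAV_PASSWORD");
        string domain = Environment.GetEnvironmentVariable("SVC_WEBDAV_DOMAIN");
        if (String.IsNullOrEmpty(user) || String.IsNullOrEmpty(password))
            throw new InvalidOperationException("Service account is not configured.");

        // Register the credential for this host and the NTLM scheme only, so
        // the cache does not return it for another host or for Basic
        // authentication.
        CredentialCache cache = new CredentialCache();
        Uri prefix = new Uri(target.GetLeftPart(UriPartial.Authority));
        cache.Add(prefix, "NTLM", new NetworkCredential(user, password, domain));
        request.Credentials = cache;
        return request;
    }

    public static void Main()
    {
        // Placeholder URL; the request is prepared but never sent.
        Uri target = new Uri("https://exchange.example.test/exchange/");
        Console.WriteLine("Thread identity: " + DescribeCaller());
        HttpWebRequest request = CreateRequest(target, false);
        Console.WriteLine("Prepared {0} {1}", request.Method, request.RequestUri);
    }
}
```

Logging the `DescribeCaller()` output next to each 401 shows whether the outbound call ran as the worker-process account or as an impersonated user, and at which impersonation level.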

  13. #13

    Default Re: Windows authentication for web service client??

    I think you can try and get the login user's credential from the current
    thread if you have impersonate = true, and pass it to the web service call.


    "Keith Elder" <keithremovethis.dotnetpimps.net> wrote in message
    news:PO-dnYjWFbFr9vnfRVn-vQcomcast.com...
    > If you are posting to WEBDAV it is my understanding that you cannot use
    > Integrated authentication since you HAVE to pass it the username and the
    > password in the network credentials. I was going to try to write some
    > information to user's calendars and saw several articles on doing it via
    > WEBDAV. However, you have to ask them for their password and pass it
    > along. This makes it totally useless as far as I am concerned.
    >
    > If someone knows a way to not have to pass the password through that
    > would be great but I haven't seen anything on how to do it anywhere.
    >
    > -Keith
    >
    >
    > solex wrote:
    > > Kevin,
    > >
    > > I appreciate your response.
    > >
    > > I guess what I am saying here is that it is not working as advertised.
    I
    > > must put together a sample example, but for some reason the users
    > > credentials are lost when making the WebDAV request. I get a 401
    > > unauthorized error.
    > >
    > > Thanks,
    > > Dan
    > >
    > >
    > >
    > >
    > > "Kevin Yu" <koo9hotmail.com> wrote in message
    > > news:eQY0VXERFHA.4028tk2msftngp13.phx.gbl...
    > >
    > >>Dan
    > >>
    > >>The bottom line is when enable integrated windows authentication for a
    > >>service (web app, web service etc)
    > >>the client need to supply proper credential to the service. now as I
    > >>memtion, DefaultCredentials will always
    > >>return the credential that the client is running under. so by default,
    the
    > >>web service is running ASPNET account.
    > >>you can however config the web service(I assume that's the client) to
    run
    > >>under a different account.
    > >>
    > >>I am not sure what you mean "users id" here, if you mean the login
    users,
    > >>then you can set the impersonate=true
    > >>in the web.config file. so that calls to the WebDAV will use the login
    > >>users' credentials.
    > >>
    > >>HTH
    > >>
    > >>Kevin
    > >>
    > >>
    > >>
    > >>"solex" <solexsomewhere.com> wrote in message
    > >>news:%2373WxyDRFHA.2736TK2MSFTNGP09.phx.gbl.. .
    > >>
    > >>>Kevin,
    > >>>
    > >>>My problem is that the DefaultCredentials is NOT working. If I hard
    code
    > >>>the credentials using my uid/password and domain it works fine as shown
    > >>>in
    > >>>my first example.
    > >>>
    > >>>Ideally I want the web service and a subsequent call to Exchange (via
    > >>>WebDAV) to run completely under the users id.
    > >>>
    > >>>Thanks,
    > >>>Dan
    > >>>
    > >>>
    > >>>"Kevin Yu" <koo9hotmail.com> wrote in message
    > >>>news:etWV4kCRFHA.508TK2MSFTNGP12.phx.gbl...
    > >>>
    > >>>>"solex" <solexsomewhere.com> wrote in message
    > >>>>news:%23wMk7BdQFHA.3076tk2msftngp13.phx.gbl.. .
    > >>>>
    > >>>>>Kevin,
    > >>>>>Thanks for responding, if you (or anyone) sees anything obviously
    > >>
    > >>wrong
    > >>
    > >>>>>with the below summary please let me know.
    > >>>>>
    > >>>>>Thanks,
    > >>>>>Dan
    > >>>>>
    > >>>>>I have the following settings
    > >>>>> Web config:
    > >>>>> <authentication mode="Windows" />
    > >>>>> <identity impersonate="true" />
    > >>>>>
    > >>>>> IIS:
    > >>>>> Anonymous access has been disabled and Integraged Security is
    > >>
    > >>the
    > >>
    > >>>>>only access that is enabled.
    > >>>>>
    > >>>>> Client:
    > >>>>> When calling the web service I make sure that I am passing
    the
    > >>>>>defaultCredentials from the CredentialCache.
    > >>>>>
    > >>>>>I hardcoded a credential using the following code and it works
    > >>>>>
    > >>>>> Dim Response As System.Net.HttpWebResponse
    > >>>>> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
    > >>>>>HttpWebRequest)
    > >>>>> Dim MyCredentialCache = New System.Net.CredentialCache
    > >>>>> MyCredentialCache.Add(New System.Uri(URI), "NTLM", _
    > >>>>> New System.Net.NetworkCredential("myUserID", "myPassword",
    > >>>>
    > >>>>"myDomain"))
    > >>>>
    > >>>>> Request.Credentials = MyCredentialCache
    > >>>>>
    > >>>>> make my http WEBDAV request here ...
    > >>>>>
    > >>>>> Return (Response)
    > >>>>>
    > >>>>>But this does not work:
    > >>>>>
    > >>>>> Dim Response As System.Net.HttpWebResponse
    > >>>>> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
    > >>>>>HttpWebRequest)
    > >>>>>
    > >>>>> Request.Credentials = CredentialCache.DefaultCredentials
    > >>>>> make my http WEBDAV request here ...
    > >>>>>
    > >>>>> Return (Response)
    > >>>>>
    > >>>>
    > >>>>ok. CredentialCache.DefaultCredentials will return the credentials
    that
    > >>>>client is running under.
    > >>>>so it doens't matter what you set before the line:
    > >>>>
    > >>>>Request.Credentials = CredentialCache.DefaultCredentials
    > >>>>
    > >>>>it will always return the default credential for the request, but in
    > >>>>the
    > >>>>working code, since you set
    > >>>>credentials in the credentialscache for that particular request URI,
    so
    > >>>>that
    > >>>>when the client making
    > >>>>calls to the destinated service, it will use that credential for the
    > >>>>request, that's why it works.
    > >>>>
    > >>>>
    > >>>>
    > >>>>>Nor does this:
    > >>>>>
    > >>>>> Dim impersonationContext As
    > >>>>>System.Security.Principal.WindowsImpersonatio nContext
    > >>>>> Dim currentWindowsIdentity As
    > >>>>
    > >>>>System.Security.Principal.WindowsIdentity
    > >>>>
    > >>>>> currentWindowsIdentity = CType(mobjUser.Identity,
    > >>>>>System.Security.Principal.WindowsIdentity)
    > >>>>> impersonationContext = currentWindowsIdentity.Impersonate()
    > >>>>>
    > >>>>> Request.Credentials = CredentialCache.DefaultCredentials
    > >>>>> Dim Response As System.Net.HttpWebResponse
    > >>>>> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
    > >>>>>HttpWebRequest)
    > >>>>>
    > >>>>> Request.Credentials = CredentialCache.DefaultCredentials
    > >>>>>
    > >>>>> make my http WEBDAV request here ...
    > >>>>>
    > >>>>> impersonationContext.Undo()
    > >>>>>
    > >>>>> Return (Response)
    > >>>>>
    > >>>>
    > >>>>I have try the same approach using implicity impersonation, what you
    > >>>>are
    > >>>>doing here
    > >>>>is the same as using this line: Request.Credentials =
    > >>>>CredentialCache.DefaultCredentials
    > >>>>since you use this call to get the current identity:
    > >>>>currentWindowsIdentity
    > >>>>= CType(mobjUser.Identity,
    > >>>>
    > >>>>>System.Security.Principal.WindowsIdentity), then you do this:
    > >>>>
    > >>>>Request.Credentials = CredentialCache.DefaultCredentials
    > >>>>thus in fact you are doing the same thing twice.
    > >>>>
    > >>>>it seems that doing impersonation won't change the
    > >>>>defaultcredential, Request.Credentials =
    > >>>>CredentialCache.DefaultCredentials
    > >>>>will always return the credentials that the client is running under as
    > >>>>I
    > >>>>mentioned
    > >>>>above.
    > >>>>
    > >>>>I use this code from msdn to do impersonation:
    > >>>>
    > >>>>#region Public Methods
    > >>>>
    > >>>>public bool ImpersonateValidUser()
    > >>>>
    > >>>>{
    > >>>>
    > >>>>WindowsIdentity tempWindowsIdentity;
    > >>>>
    > >>>>IntPtr token = IntPtr.Zero;
    > >>>>
    > >>>>IntPtr tokenDuplicate = IntPtr.Zero;
    > >>>>
    > >>>>if(RevertToSelf())
    > >>>>
    > >>>>{
    > >>>>
    > >>>>if(LogonUserA(_userName, _domain, _password,
    LOGON32_LOGON_INTERACTIVE,
    > >>>>
    > >>>>LOGON32_PROVIDER_DEFAULT, ref token) != 0)
    > >>>>
    > >>>>{
    > >>>>
    > >>>>if(DuplicateToken(token, 2, ref tokenDuplicate) != 0)
    > >>>>
    > >>>>{
    > >>>>
    > >>>>tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
    > >>>>
    > >>>>impersonationContext = tempWindowsIdentity.Impersonate();
    > >>>>
    > >>>>if (impersonationContext != null)
    > >>>>
    > >>>>{
    > >>>>
    > >>>>CloseHandle(token);
    > >>>>
    > >>>>CloseHandle(tokenDuplicate);
    > >>>>
    > >>>>return true;
    > >>>>
    > >>>>}
    > >>>>
    > >>>>}
    > >>>>
    > >>>>}
    > >>>>
    > >>>>}
    > >>>>
    > >>>>if(token!= IntPtr.Zero)
    > >>>>
    > >>>>CloseHandle(token);
    > >>>>
    > >>>>if(tokenDuplicate!=IntPtr.Zero)
    > >>>>
    > >>>>CloseHandle(tokenDuplicate);
    > >>>>
    > >>>>return false;
    > >>>>
    > >>>>}
    > >>>>
    > >>>>//reverse the security context
    > >>>>
    > >>>>public void UndoImpersonation()
    > >>>>
    > >>>>{
    > >>>>
    > >>>>if(impersonationContext!=null)
    > >>>>
    > >>>>impersonationContext.Undo();
    > >>>>
    > >>>>}
    > >>>>
    > >>>>#endregion
    > >>>>
    > >>>>
    > >>>>#region Win32 calls
    > >>>>
    > >>>>[DllImport("advapi32.dll")]
    > >>>>
    > >>>>private static extern int LogonUserA(String lpszUserName,
    > >>>>
    > >>>>String lpszDomain,
    > >>>>
    > >>>>String lpszPassword,
    > >>>>
    > >>>>int dwLogonType,
    > >>>>
    > >>>>int dwLogonProvider,
    > >>>>
    > >>>>ref IntPtr phToken);
    > >>>>
    > >>>>[DllImport("advapi32.dll", Cht=Cht.Auto, SetLastError=true)]
    > >>>>
    > >>>>private static extern int DuplicateToken(IntPtr hToken,
    > >>>>
    > >>>>int impersonationLevel,
    > >>>>
    > >>>>ref IntPtr hNewToken);
    > >>>>
    > >>>>[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    > >>>>
    > >>>>private static extern bool RevertToSelf();
    > >>>>
    > >>>>[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    > >>>>
    > >>>>private static extern bool CloseHandle(IntPtr handle);
    > >>>>
    > >>>>#endregion
    > >>>>
    > >>>>
    > >>>>}
    > >>>>
    > >>>>in conclusion, only when the correct credential in the
    credentialsCache
    > >>>>for
    > >>>>that
    > >>>>request (that particular URI), it request have access permission.
    > >>>>
    > >>>>thanks for your code. I will give it a try.
    > >>>>
    > >>>>
    > >>>>
    > >>>>
    > >>>>
    > >>>>>
    > >>>>>"Kevin Yu" <koo9hotmail.com> wrote in message
    > >>>>>news:u0yUSScQFHA.580TK2MSFTNGP15.phx.gbl.. .
    > >>>>>
    > >>>>>>
    > >>>>>>"solex" <solexsomewhere.com> wrote in message
    > >>>>>>news:%23sSDjOSQFHA.244TK2MSFTNGP12.phx.gbl. ..
    > >>>>>>
    > >>>>>>>I'm having a similar problem
    > >>>>>>>
    > >>>>>>>I have a web service that make a webDav request to Exchange.
    > >>>>>>>
    > >>>>>>>I have impersonation on but when I use the defaultCredentials in
    > >>>>>>>the
    > >>>>
    > >>>>web
    > >>>>
    > >>>>>>>services to make the webdav request I get an Unauthorized 401
    > >>>>>>>error.
    > >>>>
    > >>>>My
    > >>>>
    > >>>>>>>credentials have rights to make this request and I'm at my wits end
    > >>>>>>>trying
    > >>>>>>>to figure it out.
    > >>>>>>>
    > >>>>>>>The service works if I hard code my Network credentials in the
    > >>
    > >>service
    > >>
    > >>>>>>>but
    > >>>>>>>does not otherwise.
    > >>>>>>
    > >>>>>>Hardcoded into your code? create a credential instead of using the
    > >>>>>>defaultcredentials?
    > >>>>>>
    > >>>>>>I thought one can only create credential for "basic" or "digest"
    > >>>>>>authentication mode.
    > >>>>>>
    > >>>>>>I try implicit impersonation, it won't work, even if you are
    > >>>>>>impersonating,
    > >>>>>>the web service has to
    > >>>>>>put the credential on the soap message in order for it to be
    > >>>>>>authenticated,
    > >>>>>>because that's
    > >>>>>>all the hosting service see when interacting with each other. don't
    > >>>>>>want
    > >>>>>>to
    > >>>>>>do explicit impersonation.
    > >>>>>>
    > >>>>>>
    > >>>>>>in .net 2.0, there will be a better support or even WSE 2.0, but
    > >>>>>>this
    > >>>>>>is
    > >>>>>>not
    > >>>>>>my options here.
    > >>>>>>since if we were to use WSE 2.0, there will be a long process of
    > >>
    > >>paper
    > >>
    > >>>>>>work
    > >>>>>>and testing and questioning.....
    > >>>>>>
    > >>>>>>
    > >>>>>>
    > >>>>>>
    > >>>>>>
    > >>>>>>
    > >>>>>>>Any help with this would also be appreciated.
    > >>>>>>>
    > >>>>>>>Thanks,
    > >>>>>>>Dan
    > >>>>>>>
    > >>>>>>>
    > >>>>>>>"Kevin Yu" <koo9hotmail.com> wrote in message
    > >>>>>>>news:eOariLKQFHA.1476TK2MSFTNGP09.phx.gbl. ..
    > >>>>>>>
    > >>>>>>>>but the problem with impersonation in the code is after
    > >>
    > >>LogonUser()
    > >>
    > >>>>>>win32
    > >>>>>>
    > >>>>>>>>call, will the defaultcredentials be set to the new credentials
    > >>>>>>>>then?
    > >>>>>>>>
    > >>>>>>>>
    > >>>>>>>>
    > >>>>>>>>
    > >>>>>>>>
    > >>>>>>>>"Kevin Yu" <koo9hotmail.com> wrote in message
    > >>>>>>>>news:OEbaAMIQFHA.2356TK2MSFTNGP14.phx.gbl ...
    > >>>>>>>>
    > >>>>>>>>>I think impersonation will do , enable impersonation but don't
    > >>>>>>>>>specified
    > >>>>>>>>>the user, use code call the web service with a different
    > >>>>>>>>>username/password.
    > >>>>>>>>>
    > >>>>>>>>>
    > >>>>>>>>>
    > >>>>>>>>>"Brock Allen" <ballenNOSPAMdevelop.com> wrote in message
    > >>>>>>>>>news:453919632490103600068528msnews.micr osoft.com...
    > >>>>>>>>>
    > >>>>>>>>>>The ASPNET account is a local account, so the other machine or
    > >>>>
    > >>>>domain
    > >>>>
    > >>>>>>>>>>wouldn't know about it. You can either run you web app under a
    > >>>>>>
    > >>>>>>different
    > >>>>>>
    > >>>>>>>>>>account, but that affects the rest of the code in there too.
    > >>>>>>>>>>The
    > >>>>>>>>>>other
    > >>>>>>>>>>approach is to have a dedicated account (instead of using the
    > >>>>
    > >>>>current
    > >>>>
    > >>>>>>>>>>identity of ASPNET) that you can use to do the authentication
    > >>
    > >>and
    > >>
    > >>>>>>>>>>then
    > >>>>>>>>>>use those credentials from the client.
    > >>>>>>>>>>
    > >>>>>>>>>>-Brock
    > >>>>>>>>>>DevelopMentor
    > >>>>>>>>>>[url]http://staff.develop.com/ballen[/url]
    > >>>>>>>>>>
    > >>>>>>>>>>
    > >>>>>>>>>>
    > >>>>>>>>>>
    > >>>>>>>>>>>hi all
    > >>>>>>>>>>>
    > >>>>>>>>>>>got a question here, a web service secure mode is set to
    > >>>>
    > >>>>"windows",
    > >>>>
    > >>>>>>on
    > >>>>>>
    > >>>>>>>>>>>the client side
    > >>>>>>>>>>>
    > >>>>>>>>>>>when supplying the credentials, it's like this:
    > >>>>>>>>>>>
    > >>>>>>>>>>>somewebservice.Authentication ssoAuth = new
    > >>>>>>>>>>>somewebservice.Authentication();
    > >>>>>>>>>>>
    > >>>>>>>>>>>ssoAuth.PreAuthenticate = true;
    > >>>>>>>>>>>
    > >>>>>>>>>>>ssoAuth.Credentials =
    > >>>>
    > >>>>System.Net.CredentialCache.DefaultCredentials;
    > >>>>
    > >>>>>>>>>>>from the info here
    > >>>>>>>>>>>
    > >>>>>>>>>>>
    > >>>>>>
    > >>[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref[/url]
    > >>
    > >>>>/html/frlrfSystemNetCredentialCacheClassDefaultCredentia lsTopic.asp
    > >>>>
    > >>>>>>>>>>>the defaultcredential should supply the current security
    > >>
    > >>context
    > >>
    > >>>>>>>>>>>that
    > >>>>>>>>>>>the client is running, but in my case the client is another
    > >>>>>>>>>>>web
    > >>>>>>>>>>>service running
    > >>>>>>>>>>>
    > >>>>>>>>>>>on another server, now by default the account that the
    > >>
    > >>client(the
    > >>
    > >>>>>>>>>>>calling web service) is running under ASPNET account,
    > >>>>>>>>>>>
    > >>>>>>>>>>>so on the host(somewebservice), I should add the
    > >>>>
    > >>>>clientdomain\ASPNET
    > >>>>
    > >>>>>>>>>>>account into the windows account?
    > >>>>>>>>>>>

    Kevin Yu Guest

  14. #14

    Default Re: Windows authentication for web service client??

    Kevin,

    In my experience so far this simply does not work.

    Dan

    "Kevin Yu" <koo9hotmail.com> wrote in message
    news:O4yr$VQRFHA.904tk2msftngp13.phx.gbl...
    >I think you can try and get the login user's credential from the current
    > thread if you have impersonate = true.
    > and pass it to the web service call.
    >
    >
    > "Keith Elder" <keithremovethis.dotnetpimps.net> wrote in message
    > news:PO-dnYjWFbFr9vnfRVn-vQcomcast.com...
    >> If you are posting to WEBDAV it is my understanding that you cannot use
    >> Integrated authentication since you HAVE to pass it the username and the
    >> password in the network credentials. I was going to try to write some
    >> information to user's calendars and saw several articles on doing it via
    >> WEBDAV. However, you have to ask them for their password and pass it
    >> along. This makes it totally useless as far as I am concerned.
    >>
    >> If someone knows a way to not have to pass the password through that
    >> would be great but I haven't seen anything on how to do it anywhere.
    >>
    >> -Keith
    >>
    >>
    >> solex wrote:
    >> > Kevin,
    >> >
    >> > I appreciate your response.
    >> >
    >> > I guess what I am saying here is that it is not working as advertised.
    > I
    >> > must put together a sample example, but for some reason the users
    >> > credentials are lost when making the WebDAV request. I get a 401
    >> > unauthorized error.
    >> >
    >> > Thanks,
    >> > Dan
    >> >
    >> >
    >> >
    >> >
    >> > "Kevin Yu" <koo9hotmail.com> wrote in message
    >> > news:eQY0VXERFHA.4028tk2msftngp13.phx.gbl...
    >> >
    >> >>Dan
    >> >>
    >> >>The bottom line is when enable integrated windows authentication for a
    >> >>service (web app, web service etc)
    >> >>the client need to supply proper credential to the service. now as I
    >> >>mention, DefaultCredentials will always
    >> >>return the credential that the client is running under. so by default,
    > the
    >> >>web service is running ASPNET account.
    >> >>you can however config the web service(I assume that's the client) to
    > run
    >> >>under a different account.
    >> >>
    >> >>I am not sure what you mean "users id" here, if you mean the login
    > users,
    >> >>then you can set the impersonate=true
    >> >>in the web.config file. so that calls to the WebDAV will use the login
    >> >>users' credentials.
    >> >>
    >> >>HTH
    >> >>
    >> >>Kevin
    >> >>
    >> >>
    >> >>
    >> >>"solex" <solexsomewhere.com> wrote in message
    >> >>news:%2373WxyDRFHA.2736TK2MSFTNGP09.phx.gbl.. .
    >> >>
    >> >>>Kevin,
    >> >>>
    >> >>>My problem is that the DefaultCredentials is NOT working. If I hard
    > code
    >> >>>the credentials using my uid/password and domain it works fine as
    >> >>>shown
    >> >>>in
    >> >>>my first example.
    >> >>>
    >> >>>Ideally I want the web service and a subsequent call to Exchange (via
    >> >>>WebDAV) to run completely under the users id.
    >> >>>
    >> >>>Thanks,
    >> >>>Dan
    >> >>>
    >> >>>
    >> >>>"Kevin Yu" <koo9hotmail.com> wrote in message
    >> >>>news:etWV4kCRFHA.508TK2MSFTNGP12.phx.gbl...
    >> >>>
    >> >>>>"solex" <solexsomewhere.com> wrote in message
    >> >>>>news:%23wMk7BdQFHA.3076tk2msftngp13.phx.gbl.. .
    >> >>>>
    >> >>>>>Kevin,
    >> >>>>>Thanks for responding, if you (or anyone) sees anything obviously
    >> >>
    >> >>wrong
    >> >>
    >> >>>>>with the below summary please let me know.
    >> >>>>>
    >> >>>>>Thanks,
    >> >>>>>Dan
    >> >>>>>
    >> >>>>>I have the following settings
    >> >>>>> Web config:
    >> >>>>> <authentication mode="Windows" />
    >> >>>>> <identity impersonate="true" />
    >> >>>>>
    >> >>>>> IIS:
    >> >>>>> Anonymous access has been disabled and Integrated Security
    >> >>>>> is
    >> >>
    >> >>the
    >> >>
    >> >>>>>only access that is enabled.
    >> >>>>>
    >> >>>>> Client:
    >> >>>>> When calling the web service I make sure that I am passing
    > the
    >> >>>>>defaultCredentials from the CredentialCache.
    >> >>>>>
    >> >>>>>I hardcoded a credential using the following code and it works
    >> >>>>>
    >> >>>>> Dim Response As System.Net.HttpWebResponse
    >> >>>>> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
    >> >>>>>HttpWebRequest)
    >> >>>>> Dim MyCredentialCache = New System.Net.CredentialCache
    >> >>>>> MyCredentialCache.Add(New System.Uri(URI), "NTLM", _
    >> >>>>> New System.Net.NetworkCredential("myUserID", "myPassword",
    >> >>>>
    >> >>>>"myDomain"))
    >> >>>>
    >> >>>>> Request.Credentials = MyCredentialCache
    >> >>>>>
    >> >>>>> make my http WEBDAV request here ...
    >> >>>>>
    >> >>>>> Return (Response)
    >> >>>>>
    >> >>>>>But this does not work:
    >> >>>>>
    >> >>>>> Dim Response As System.Net.HttpWebResponse
    >> >>>>> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
    >> >>>>>HttpWebRequest)
    >> >>>>>
    >> >>>>> Request.Credentials = CredentialCache.DefaultCredentials
    >> >>>>> make my http WEBDAV request here ...
    >> >>>>>
    >> >>>>> Return (Response)
    >> >>>>>
    >> >>>>
    >> >>>>ok. CredentialCache.DefaultCredentials will return the credentials
    > that
    >> >>>>client is running under.
    >> >>>>so it doesn't matter what you set before the line:
    >> >>>>
    >> >>>>Request.Credentials = CredentialCache.DefaultCredentials
    >> >>>>
    >> >>>>it will always return the default credential for the request, but in
    >> >>>>the
    >> >>>>working code, since you set
    >> >>>>credentials in the credentialscache for that particular request URI,
    > so
    >> >>>>that
    >> >>>>when the client making
    >> >>>>calls to the destinated service, it will use that credential for the
    >> >>>>request, that's why it works.
    >> >>>>
    >> >>>>
    >> >>>>
    >> >>>>>Nor does this:
    >> >>>>>
    >> >>>>> Dim impersonationContext As
    >> >>>>>System.Security.Principal.WindowsImpersonationContext
    >> >>>>> Dim currentWindowsIdentity As
    >> >>>>
    >> >>>>System.Security.Principal.WindowsIdentity
    >> >>>>
    >> >>>>> currentWindowsIdentity = CType(mobjUser.Identity,
    >> >>>>>System.Security.Principal.WindowsIdentity)
    >> >>>>> impersonationContext = currentWindowsIdentity.Impersonate()
    >> >>>>>
    >> >>>>> Request.Credentials = CredentialCache.DefaultCredentials
    >> >>>>> Dim Response As System.Net.HttpWebResponse
    >> >>>>> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
    >> >>>>>HttpWebRequest)
    >> >>>>>
    >> >>>>> Request.Credentials = CredentialCache.DefaultCredentials
    >> >>>>>
    >> >>>>> make my http WEBDAV request here ...
    >> >>>>>
    >> >>>>> impersonationContext.Undo()
    >> >>>>>
    >> >>>>> Return (Response)
    >> >>>>>
    >> >>>>
    >> >>>>I have tried the same approach using implicit impersonation, what you
    >> >>>>are
    >> >>>>doing here
    >> >>>>is the same as using this line: Request.Credentials =
    >> >>>>CredentialCache.DefaultCredentials
    >> >>>>since you use this call to get the current identity:
    >> >>>>currentWindowsIdentity
    >> >>>>= CType(mobjUser.Identity,
    >> >>>>
    >> >>>>>System.Security.Principal.WindowsIdentity), then you do this:
    >> >>>>
    >> >>>>Request.Credentials = CredentialCache.DefaultCredentials
    >> >>>>thus in fact you are doing the same thing twice.
    >> >>>>
    >> >>>>it seems that doing impersonation won't change the
    >> >>>>defaultcredential, Request.Credentials =
    >> >>>>CredentialCache.DefaultCredentials
    >> >>>>will always return the credentials that the client is running under
    >> >>>>as
    >> >>>>I
    >> >>>>mentioned
    >> >>>>above.
    >> >>>>
    >> >>>>I use this code from msdn to do impersonation:
    >> >>>>
    >> >>>>#region Public Methods
    >> >>>>
    >> >>>>public bool ImpersonateValidUser()
    >> >>>>
    >> >>>>{
    >> >>>>
    >> >>>>WindowsIdentity tempWindowsIdentity;
    >> >>>>
    >> >>>>IntPtr token = IntPtr.Zero;
    >> >>>>
    >> >>>>IntPtr tokenDuplicate = IntPtr.Zero;
    >> >>>>
    >> >>>>if(RevertToSelf())
    >> >>>>
    >> >>>>{
    >> >>>>
    >> >>>>if(LogonUserA(_userName, _domain, _password,
    > LOGON32_LOGON_INTERACTIVE,
    >> >>>>
    >> >>>>LOGON32_PROVIDER_DEFAULT, ref token) != 0)
    >> >>>>
    >> >>>>{
    >> >>>>
    >> >>>>if(DuplicateToken(token, 2, ref tokenDuplicate) != 0)
    >> >>>>
    >> >>>>{
    >> >>>>
    >> >>>>tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
    >> >>>>
    >> >>>>impersonationContext = tempWindowsIdentity.Impersonate();
    >> >>>>
    >> >>>>if (impersonationContext != null)
    >> >>>>
    >> >>>>{
    >> >>>>
    >> >>>>CloseHandle(token);
    >> >>>>
    >> >>>>CloseHandle(tokenDuplicate);
    >> >>>>
    >> >>>>return true;
    >> >>>>
    >> >>>>}
    >> >>>>
    >> >>>>}
    >> >>>>
    >> >>>>}
    >> >>>>
    >> >>>>}
    >> >>>>
    >> >>>>if(token!= IntPtr.Zero)
    >> >>>>
    >> >>>>CloseHandle(token);
    >> >>>>
    >> >>>>if(tokenDuplicate!=IntPtr.Zero)
    >> >>>>
    >> >>>>CloseHandle(tokenDuplicate);
    >> >>>>
    >> >>>>return false;
    >> >>>>
    >> >>>>}
    >> >>>>
    >> >>>>//reverse the security context
    >> >>>>
    >> >>>>public void UndoImpersonation()
    >> >>>>
    >> >>>>{
    >> >>>>
    >> >>>>if(impersonationContext!=null)
    >> >>>>
    >> >>>>impersonationContext.Undo();
    >> >>>>
    >> >>>>}
    >> >>>>
    >> >>>>#endregion
    >> >>>>
    >> >>>>
    >> >>>>#region Win32 calls
    >> >>>>
    >> >>>>[DllImport("advapi32.dll")]
    >> >>>>
    >> >>>>private static extern int LogonUserA(String lpszUserName,
    >> >>>>
    >> >>>>String lpszDomain,
    >> >>>>
    >> >>>>String lpszPassword,
    >> >>>>
    >> >>>>int dwLogonType,
    >> >>>>
    >> >>>>int dwLogonProvider,
    >> >>>>
    >> >>>>ref IntPtr phToken);
    >> >>>>
    >> >>>>[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    >> >>>>
    >> >>>>private static extern int DuplicateToken(IntPtr hToken,
    >> >>>>
    >> >>>>int impersonationLevel,
    >> >>>>
    >> >>>>ref IntPtr hNewToken);
    >> >>>>
    >> >>>>[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    >> >>>>
    >> >>>>private static extern bool RevertToSelf();
    >> >>>>
    >> >>>>[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    >> >>>>
    >> >>>>private static extern bool CloseHandle(IntPtr handle);
    >> >>>>
    >> >>>>#endregion
    >> >>>>
    >> >>>>
    >> >>>>}
    >> >>>>
    >> >>>>in conclusion, only when the correct credential in the
    > credentialsCache
    >> >>>>for
    >> >>>>that
    >> >>>>request (that particular URI), it request have access permission.
    >> >>>>
    >> >>>>thanks for your code. I will give it a try.
    >> >>>>
    >> >>>>
    >> >>>>
    >> >>>>
    >> >>>>
    >> >>>>>
    >> >>>>>"Kevin Yu" <koo9hotmail.com> wrote in message
    >> >>>>>news:u0yUSScQFHA.580TK2MSFTNGP15.phx.gbl.. .
    >> >>>>>
    >> >>>>>>
    >> >>>>>>"solex" <solexsomewhere.com> wrote in message
    >> >>>>>>news:%23sSDjOSQFHA.244TK2MSFTNGP12.phx.gbl. ..
    >> >>>>>>
    >> >>>>>>>I'm having a similar problem
    >> >>>>>>>
    >> >>>>>>>I have a web service that make a webDav request to Exchange.
    >> >>>>>>>
    >> >>>>>>>I have impersonation on but when I use the defaultCredentials in
    >> >>>>>>>the
    >> >>>>
    >> >>>>web
    >> >>>>
    >> >>>>>>>services to make the webdav request I get an Unauthorized 401
    >> >>>>>>>error.
    >> >>>>
    >> >>>>My
    >> >>>>
    >> >>>>>>>credentials have rights to make this request and I'm at my wits
    >> >>>>>>>end
    >> >>>>>>>trying
    >> >>>>>>>to figure it out.
    >> >>>>>>>
    >> >>>>>>>The service works if I hard code my Network credentials in the
    >> >>
    >> >>service
    >> >>
    >> >>>>>>>but
    >> >>>>>>>does not otherwise.
    >> >>>>>>
    >> >>>>>>Hardcoded into your code? create a credential instead of using the
    >> >>>>>>defaultcredentials?
    >> >>>>>>
    >> >>>>>>I thought one can only create credential for "basic" or "digest"
    >> >>>>>>authentication mode.
    >> >>>>>>
    >> >>>>>>I try implicit impersonation, it won't work, even if you are
    >> >>>>>>impersonating,
    >> >>>>>>the web service has to
    >> >>>>>>put the credential on the soap message in order for it to be
    >> >>>>>>authenticated,
    >> >>>>>>because that's
    >> >>>>>>all the hosting service see when interacting with each other. don't
    >> >>>>>>want
    >> >>>>>>to
    >> >>>>>>do explicit impersonation.
    >> >>>>>>
    >> >>>>>>
    >> >>>>>>in .net 2.0, there will be a better support or even WSE 2.0, but
    >> >>>>>>this
    >> >>>>>>is
    >> >>>>>>not
    >> >>>>>>my options here.
    >> >>>>>>since if we were to use WSE 2.0, there will be a long process of
    >> >>
    >> >>paper
    >> >>
    >> >>>>>>work
    >> >>>>>>and testing and questioning.....
    >> >>>>>>
    >> >>>>>>
    >> >>>>>>
    >> >>>>>>
    >> >>>>>>
    >> >>>>>>
    >> >>>>>>>Any help with this would also be appreciated.
    >> >>>>>>>
    >> >>>>>>>Thanks,
    >> >>>>>>>Dan
    >> >>>>>>>
    >> >>>>>>>
    >> >>>>>>>"Kevin Yu" <koo9hotmail.com> wrote in message
    >> >>>>>>>news:eOariLKQFHA.1476TK2MSFTNGP09.phx.gbl. ..
    >> >>>>>>>
    >> >>>>>>>>but the problem with impersonation in the code is after
    >> >>
    >> >>LogonUser()
    >> >>
    >> >>>>>>win32
    >> >>>>>>
    >> >>>>>>>>call, will the defaultcredentials be set to the new credentials
    >> >>>>>>>>then?
    >> >>>>>>>>
    >> >>>>>>>>
    >> >>>>>>>>
    >> >>>>>>>>
    >> >>>>>>>>
    >> >>>>>>>>"Kevin Yu" <koo9hotmail.com> wrote in message
    >> >>>>>>>>news:OEbaAMIQFHA.2356TK2MSFTNGP14.phx.gbl ...
    >> >>>>>>>>
    >> >>>>>>>>>I think impersonation will do , enable impersonation but don't
    >> >>>>>>>>>specified
    >> >>>>>>>>>the user, use code call the web service with a different
    >> >>>>>>>>>username/password.
    >> >>>>>>>>>
    >> >>>>>>>>>
    >> >>>>>>>>>
    >> >>>>>>>>>"Brock Allen" <ballenNOSPAMdevelop.com> wrote in message
    >> >>>>>>>>>news:453919632490103600068528msnews.micr osoft.com...
    >> >>>>>>>>>
    >> >>>>>>>>>>The ASPNET account is a local account, so the other machine or
    >> >>>>
    >> >>>>domain
    >> >>>>
    >> >>>>>>>>>>wouldn't know about it. You can either run you web app under a
    >> >>>>>>
    >> >>>>>>different
    >> >>>>>>
    >> >>>>>>>>>>account, but that affects the rest of the code in there too.
    >> >>>>>>>>>>The
    >> >>>>>>>>>>other
    >> >>>>>>>>>>approach is to have a dedicated account (instead of using the
    >> >>>>
    >> >>>>current
    >> >>>>
    >> >>>>>>>>>>identity of ASPNET) that you can use to do the authentication
    >> >>
    >> >>and
    >> >>
    >> >>>>>>>>>>then
    >> >>>>>>>>>>use those credentials from the client.
    >> >>>>>>>>>>
    >> >>>>>>>>>>-Brock
    >> >>>>>>>>>>DevelopMentor
    >> >>>>>>>>>>[url]http://staff.develop.com/ballen[/url]
    >> >>>>>>>>>>
    >> >>>>>>>>>>
    >> >>>>>>>>>>
    >> >>>>>>>>>>
    >> >>>>>>>>>>>hi all
    >> >>>>>>>>>>>
    >> >>>>>>>>>>>got a question here, a web service secure mode is set to
    >> >>>>
    >> >>>>"windows",
    >> >>>>
    >> >>>>>>on
    >> >>>>>>
    >> >>>>>>>>>>>the client side
    >> >>>>>>>>>>>
    >> >>>>>>>>>>>when supplying the credentials, it's like this:
    >> >>>>>>>>>>>
    >> >>>>>>>>>>>somewebservice.Authentication ssoAuth = new
    >> >>>>>>>>>>>somewebservice.Authentication();
    >> >>>>>>>>>>>
    >> >>>>>>>>>>>ssoAuth.PreAuthenticate = true;
    >> >>>>>>>>>>>
    >> >>>>>>>>>>>ssoAuth.Credentials =
    >> >>>>
    >> >>>>System.Net.CredentialCache.DefaultCredentials;
    >> >>>>
    >> >>>>>>>>>>>from the info here
    >> >>>>>>>>>>>
    >> >>>>>>>>>>>
    >> >>>>>>
    >> >>[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref[/url]
    >> >>
    >> >>>>/html/frlrfSystemNetCredentialCacheClassDefaultCredentia lsTopic.asp
    >> >>>>
    >> >>>>>>>>>>>the defaultcredential should supply the current security
    >> >>
    >> >>context
    >> >>
    >> >>>>>>>>>>>that
    >> >>>>>>>>>>>the client is running, but in my case the client is another
    >> >>>>>>>>>>>web
    >> >>>>>>>>>>>service running
    >> >>>>>>>>>>>
    >> >>>>>>>>>>>on another server, now by default the account that the
    >> >>
    >> >>client(the
    >> >>
    >> >>>>>>>>>>>calling web service) is running under ASPNET account,
    >> >>>>>>>>>>>
    >> >>>>>>>>>>>so on the host(somewebservice), I should add the
    >> >>>>
    >> >>>>clientdomain\ASPNET
    >> >>>>
    >> >>>>>>>>>>>account into the windows account?
    >> >>>>>>>>>>>

    solex Guest
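
The variant the thread reports as working, a credential registered in a `CredentialCache` for one URI prefix and one scheme, is sketched below in C# as an added example that is not code from any post. The host `host.example`, the account `svc-caller`, the domain `EXAMPLEDOMAIN` and the environment variable `SVC_PASSWORD` are hypothetical placeholders; the password is read at run time rather than written into the source.

```csharp
using System;
using System.Net;
using System.Security.Principal;

public static class ServiceAccountCaller
{
    // Register one dedicated account for one URI prefix and one scheme.
    // The cache releases it only to requests matching both.
    public static CredentialCache BuildCache(Uri servicePrefix, NetworkCredential account)
    {
        CredentialCache cache = new CredentialCache();
        cache.Add(servicePrefix, "NTLM", account);
        return cache;
    }

    // Attach the scoped cache to a request instead of DefaultCredentials.
    public static HttpWebRequest CreateRequest(Uri target, ICredentials credentials)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(target);
        request.Credentials = credentials;
        return request;
    }

    // Report the security context in effect at call time: the account name,
    // how it was authenticated, and the impersonation level of the token.
    public static string DescribeCallerContext()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return id.Name + " (" + id.AuthenticationType + ", " + id.ImpersonationLevel + ")";
        }
    }

    public static void Main()
    {
        // Hypothetical endpoint and account, constructed for this example.
        Uri prefix = new Uri("http://host.example/somewebservice/");
        string password = Environment.GetEnvironmentVariable("SVC_PASSWORD") ?? "";
        NetworkCredential account =
            new NetworkCredential("svc-caller", password, "EXAMPLEDOMAIN");

        CredentialCache cache = BuildCache(prefix, account);

        Uri inScope = new Uri(prefix, "Authentication.asmx");
        Uri otherHost = new Uri("http://other.example/somewebservice/");

        // The lookup matches on URI prefix and scheme name.
        Console.WriteLine("in scope, NTLM:   " + (cache.GetCredential(inScope, "NTLM") != null));
        Console.WriteLine("in scope, Basic:  " + (cache.GetCredential(inScope, "Basic") != null));
        Console.WriteLine("other host, NTLM: " + (cache.GetCredential(otherHost, "NTLM") != null));

        Console.WriteLine("current context:  " + DescribeCallerContext());

        // The request is built but not sent here; no network access is needed.
        HttpWebRequest request = CreateRequest(inScope, cache);
        Console.WriteLine("request target:   " + request.RequestUri);
    }
}
```

Logging `DescribeCallerContext()` immediately before the outgoing call records which account the request would run as when `DefaultCredentials` is used instead of the scoped cache.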
