Velocity Reviews - Computer Hardware Reviews

NTLM Authentication with multi-tiered application

 
 
Andy Fish
      01-09-2006
Hi,

I have an asp.net application in several tiers and I would like to enable it
for NTLM.

Say the web front end is running on server X and the business logic is
running on server Y. In the non-NTLM case, the user types his password into
the web front end and server X passes it to Y in order to authenticate him.

In the NTLM case, the user is already authenticated to X but since X does
not have the password, how can it convince Y that it knows the user is who
he says he is? It seems that I need to add a new Login() method to server Y
which does not require a password (i.e. a security loophole).

Ideally I would like the NTLM authentication to generate some kind of token
that X can get hold of and pass to Y which in turn can pass it to windows
which will say "yes, that is the correct user". Is there any kind of
mechanism like this in place?

I desperately don't want to have to enable asp.net impersonation throughout
the whole application because I know this will give me heaps of other
problems to deal with (file permissions etc.).

Andy


 
 
 
 
 
Jim Cheshire
 
      01-09-2006
Andy Fish wrote:
> Hi,
>
> I have an asp.net application in several tiers and I would like to
> enable it for NTLM.
>
> Ideally I would like the NTLM authentication to generate some kind of
> token that X can get hold of and pass to Y which in turn can pass it
> to windows which will say "yes, that is the correct user". Is there
> any kind of mechanism like this in place?
>


Hi Andy,

In fact, NTLM already does that. The problem is that NTLM is explicitly
designed to not allow delegation of credentials, so you'll see a failure in
this scenario. The solution is to use Kerberos authentication and enable
delegation. If you do a KB search for "delegation scenario asp.net", you'll
hit an article that tells you how to configure it.

--
Jim Cheshire
================================
Blog: http://blogs.msdn.com/jamesche

Latest entry:
Getting the PID and TID of a COM Call

Describes how to get the PID of the
dllhost process a COM call is executing
in and how to locate the thread as well.
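
An added example, not from either poster and not taken from the KB article: one way server X can forward the user's identity to server Y under Kerberos delegation while impersonating only for the outbound call, rather than application-wide. It assumes .NET Framework, Integrated Windows authentication on both tiers, and that X's account is trusted for delegation in Active Directory; `BackendCaller`, `CallAsUser` and `backendUrl` are hypothetical names.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Principal;

// Added example: runs on front-end server X. Call it from a page with
// BackendCaller.CallAsUser(HttpContext.Current.User.Identity, url).
public static class BackendCaller
{
    // backendUrl is a hypothetical endpoint on server Y that itself
    // requires Integrated Windows authentication.
    public static string CallAsUser(IIdentity caller, string backendUrl)
    {
        WindowsIdentity user = caller as WindowsIdentity;
        if (user == null || !user.IsAuthenticated)
            throw new UnauthorizedAccessException("No authenticated Windows user.");

        // An NTLM logon on the browser-to-X hop cannot be delegated to Y.
        // Coarse check only: the value can also read "Negotiate", which
        // does not say which protocol was actually chosen.
        if (string.Equals(user.AuthenticationType, "NTLM",
                          StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                "User authenticated with NTLM; delegation requires Kerberos.");

        // Impersonate only around the outbound request, so file access and
        // the rest of the application keep running as the worker identity.
        WindowsImpersonationContext ctx = user.Impersonate();
        try
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(backendUrl);
            // While impersonating, DefaultCredentials are the user's.
            req.Credentials = CredentialCache.DefaultCredentials;
            using (WebResponse resp = req.GetResponse())
            using (StreamReader reader = new StreamReader(resp.GetResponseStream()))
                return reader.ReadToEnd();
        }
        finally
        {
            ctx.Undo(); // always revert to the process identity
        }
    }
}
```

With this in place, Y authenticates the caller through its own Windows authentication and needs no password-less Login() method.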



 