Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Passing windows credentials from server to server.

Reply
Thread Tools

Passing windows credentials from server to server.

 
 
Wade Wegner
Guest
Posts: n/a
 
      12-27-2003
Hello,

I have been desperately trying to programmatically authenticate a windows
user, create their credentials, and then redirect them to a different server
while passing the credentials at the same time so that they don't have to
login again.

Specifically, I have two webservers in the same domain. When I have a user
go to Webserver A (which uses basic authentication) I programmatically
create either a user credential or impersonate a user context (for now it's
hardcoded, but in the future it would be entered in forms). Then, I want to
let that user access a page on Webserver B (which uses basic
authentication), but I don't want them to have to login again -- rather, I
want to use the user context that I programmatically created on Webserver A.

For instance, here is an example of the code I use to create the user
credentials:

Dim strURI = "http://www.whatever.com"
Dim myCred As New NetworkCredential("userid", "password", "domain")
Dim myURI As New Uri(strURI)
Dim myCache As New CredentialCache
myCache.Add(myURI, "Basic", myCred)

From this, I have attempted to use WebRequests and WebResponses to somehow
allow me to direct the browser to a different page, and use the credential I
have generated. The most I can do, however, is create the request and
receive the response:

Dim myWebRequest As System.Net.WebRequest =
System.Net.WebRequest.Create(strURI)
myWebRequest.Credentials = myCache
Dim myWebResponse As WebResponse = myWebRequest.GetResponse()

If only I could use the response.redirect method, and somehow pass the
credentials with the redirection (like you can with the webrequest), it
could work!

I have also attempted to use the LogonUser API (from the advapi32.dll), and
impersonate a user based on the proper logon information -- this works, and
I'm able to successfully impersonate the user, but again, I don't know how
to pass along the user context to a different page.

I know that many people will say "just use form based authentication," but
this will not work for me, as I want this to work with tools like Outlook
Web Access, which requires windows authentication.

Any help would be greatly appreciated. Thank you!!

Wade



 
Reply With Quote
 
 
 
 
Andrea D'Onofrio [MSFT]
Guest
Posts: n/a
 
      12-30-2003
Hi,
can you set on server B windows authentication? If yes, you can easily solve
your problem by turning on impersonation in server A's web.config.

HtH,
Andrea

"Wade Wegner" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> I have been desperately trying to programmatically authenticate a windows
> user, create their credentials, and then redirect them to a different

server
> while passing the credentials at the same time so that they don't have to
> login again.
>
> Specifically, I have two webservers in the same domain. When I have a

user
> go to Webserver A (which uses basic authentication) I programmatically
> create either a user credential or impersonate a user context (for now

it's
> hardcoded, but in the future it would be entered in forms). Then, I want

to
> let that user access a page on Webserver B (which uses basic
> authentication), but I don't want them to have to login again -- rather, I
> want to use the user context that I programmatically created on Webserver

A.
>
> For instance, here is an example of the code I use to create the user
> credentials:
>
> Dim strURI = "http://www.whatever.com"
> Dim myCred As New NetworkCredential("userid", "password", "domain")
> Dim myURI As New Uri(strURI)
> Dim myCache As New CredentialCache
> myCache.Add(myURI, "Basic", myCred)
>
> From this, I have attempted to use WebRequests and WebResponses to somehow
> allow me to direct the browser to a different page, and use the credential

I
> have generated. The most I can do, however, is create the request and
> receive the response:
>
> Dim myWebRequest As System.Net.WebRequest =
> System.Net.WebRequest.Create(strURI)
> myWebRequest.Credentials = myCache
> Dim myWebResponse As WebResponse = myWebRequest.GetResponse()
>
> If only I could use the response.redirect method, and somehow pass the
> credentials with the redirection (like you can with the webrequest), it
> could work!
>
> I have also attempted to use the LogonUser API (from the advapi32.dll),

and
> impersonate a user based on the proper logon information -- this works,

and
> I'm able to successfully impersonate the user, but again, I don't know how
> to pass along the user context to a different page.
>
> I know that many people will say "just use form based authentication,"

but
> this will not work for me, as I want this to work with tools like Outlook
> Web Access, which requires windows authentication.
>
> Any help would be greatly appreciated. Thank you!!
>
> Wade
>
>
>



 
Reply With Quote
 
 
 
 
Wade Wegner
Guest
Posts: n/a
 
      12-30-2003
I would be very interested to hear your explanation, and know how to do
it -- especially if it's easily solved.

FYI - below I did specify that Server B uses windows authentication.

Thanks,

Wade


"Andrea D'Onofrio [MSFT]" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi,
> can you set on server B windows authentication? If yes, you can easily

solve
> your problem by turning on impersonation in server A's web.config.
>
> HtH,
> Andrea
>
> "Wade Wegner" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hello,
> >
> > I have been desperately trying to programmatically authenticate a

windows
> > user, create their credentials, and then redirect them to a different

> server
> > while passing the credentials at the same time so that they don't have

to
> > login again.
> >
> > Specifically, I have two webservers in the same domain. When I have a

> user
> > go to Webserver A (which uses basic authentication) I programmatically
> > create either a user credential or impersonate a user context (for now

> it's
> > hardcoded, but in the future it would be entered in forms). Then, I

want
> to
> > let that user access a page on Webserver B (which uses basic
> > authentication), but I don't want them to have to login again -- rather,

I
> > want to use the user context that I programmatically created on

Webserver
> A.
> >
> > For instance, here is an example of the code I use to create the user
> > credentials:
> >
> > Dim strURI = "http://www.whatever.com"
> > Dim myCred As New NetworkCredential("userid", "password", "domain")
> > Dim myURI As New Uri(strURI)
> > Dim myCache As New CredentialCache
> > myCache.Add(myURI, "Basic", myCred)
> >
> > From this, I have attempted to use WebRequests and WebResponses to

somehow
> > allow me to direct the browser to a different page, and use the

credential
> I
> > have generated. The most I can do, however, is create the request and
> > receive the response:
> >
> > Dim myWebRequest As System.Net.WebRequest =
> > System.Net.WebRequest.Create(strURI)
> > myWebRequest.Credentials = myCache
> > Dim myWebResponse As WebResponse = myWebRequest.GetResponse()
> >
> > If only I could use the response.redirect method, and somehow pass the
> > credentials with the redirection (like you can with the webrequest), it
> > could work!
> >
> > I have also attempted to use the LogonUser API (from the advapi32.dll),

> and
> > impersonate a user based on the proper logon information -- this works,

> and
> > I'm able to successfully impersonate the user, but again, I don't know

how
> > to pass along the user context to a different page.
> >
> > I know that many people will say "just use form based authentication,"

> but
> > this will not work for me, as I want this to work with tools like

Outlook
> > Web Access, which requires windows authentication.
> >
> > Any help would be greatly appreciated. Thank you!!
> >
> > Wade
> >
> >
> >

>
>



 
Reply With Quote
 
Andrea D'Onofrio [MSFT]
Guest
Posts: n/a
 
      12-30-2003
Hi,
> I would be very interested to hear your explanation, and know how to do
> it -- especially if it's easily solved.

ServerA -> Basic Authentication
ServerB -> Windows Integrated
You must turn on impersonation in ServerA web.config:
<authentication mode="Windows" />

<identity impersonate="true"></identity>

If you have a code like Response.Redirect(http://serverB/default.aspx) in a
ServerA page, IIS (automatically) succesfully authenticate the user (the
user must be a valid user for both serverA and ServerB) and you don't need
to write any additional code.

You will find more details about the issue in these articles:
283201 HOWTO: Use Delegation in Windows 2000 with COM+
http://support.microsoft.com/?id=283201

287537 Using Basic Authentication to Generate Kerberos Tokens
http://support.microsoft.com/?id=287537

> FYI - below I did specify that Server B uses windows authentication.
>

FYI, extracted from your original post:
....access a page on Webserver B (which uses basic
authentication), but I don't want them to have to login again ...

> Thanks,
> Wade

HtH,
Andrea




 
Reply With Quote
 
Wade Wegner
Guest
Posts: n/a
 
      12-30-2003
I have always thought that using the termi "windows authentication" referred
to the fact that you were authenticating to a windows account, and that it
qualified for both basic and NTLM. If I was incorrect, then I apologize.

Now ...

I have tried your suggestion, and I can get it to work under one context,
but not another. For isntance, when I authenticate the user on Server A,
and then have them click a button that redirects them to Server B, I get
prompted for login credentials. However, if I use a client-side vbScript to
redirect the user (window.location = "path.aspx"), then it works correctly.

Am I doing something incorrectly, or will this not work for response
redirect?

Thankis,

Wade

"Andrea D'Onofrio [MSFT]" <(E-Mail Removed)> wrote in message
news:uOu%(E-Mail Removed)...
> Hi,
> > I would be very interested to hear your explanation, and know how to do
> > it -- especially if it's easily solved.

> ServerA -> Basic Authentication
> ServerB -> Windows Integrated
> You must turn on impersonation in ServerA web.config:
> <authentication mode="Windows" />
>
> <identity impersonate="true"></identity>
>
> If you have a code like Response.Redirect(http://serverB/default.aspx) in

a
> ServerA page, IIS (automatically) succesfully authenticate the user (the
> user must be a valid user for both serverA and ServerB) and you don't need
> to write any additional code.
>
> You will find more details about the issue in these articles:
> 283201 HOWTO: Use Delegation in Windows 2000 with COM+
> http://support.microsoft.com/?id=283201
>
> 287537 Using Basic Authentication to Generate Kerberos Tokens
> http://support.microsoft.com/?id=287537
>
> > FYI - below I did specify that Server B uses windows authentication.
> >

> FYI, extracted from your original post:
> ...access a page on Webserver B (which uses basic
> authentication), but I don't want them to have to login again ...
>
> > Thanks,
> > Wade

> HtH,
> Andrea
>
>
>
>



 
Reply With Quote
 
Andrea D'Onofrio [MSFT]
Guest
Posts: n/a
 
      12-31-2003
I've tested the scenario I suggested you on IIS 5.1 (both on ServerA and
ServerB) and all works fine with Response.Redirect (then server side code).
I don't know which servers there are in your scenario, but I think that, in
this context, there are no differences with IIS 5.0 or IIS 6.0. Try to
check:
- ServerA -> Basic Authentication and ServerB -> Windows Integrated are the
only options flagged
- the Enabled Integrated Windows Authentication in the Advenced IE options
is checked

HtH,
Andrea

"Wade Wegner" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> I have always thought that using the termi "windows authentication"

referred
> to the fact that you were authenticating to a windows account, and that it
> qualified for both basic and NTLM. If I was incorrect, then I apologize.
>
> Now ...
>
> I have tried your suggestion, and I can get it to work under one context,
> but not another. For isntance, when I authenticate the user on Server A,
> and then have them click a button that redirects them to Server B, I get
> prompted for login credentials. However, if I use a client-side vbScript

to
> redirect the user (window.location = "path.aspx"), then it works

correctly.
>
> Am I doing something incorrectly, or will this not work for response
> redirect?
>
> Thankis,
>
> Wade
>
> "Andrea D'Onofrio [MSFT]" <(E-Mail Removed)> wrote in message
> news:uOu%(E-Mail Removed)...
> > Hi,
> > > I would be very interested to hear your explanation, and know how to

do
> > > it -- especially if it's easily solved.

> > ServerA -> Basic Authentication
> > ServerB -> Windows Integrated
> > You must turn on impersonation in ServerA web.config:
> > <authentication mode="Windows" />
> >
> > <identity impersonate="true"></identity>
> >
> > If you have a code like Response.Redirect(http://serverB/default.aspx)

in
> a
> > ServerA page, IIS (automatically) succesfully authenticate the user (the
> > user must be a valid user for both serverA and ServerB) and you don't

need
> > to write any additional code.
> >
> > You will find more details about the issue in these articles:
> > 283201 HOWTO: Use Delegation in Windows 2000 with COM+
> > http://support.microsoft.com/?id=283201
> >
> > 287537 Using Basic Authentication to Generate Kerberos Tokens
> > http://support.microsoft.com/?id=287537
> >
> > > FYI - below I did specify that Server B uses windows authentication.
> > >

> > FYI, extracted from your original post:
> > ...access a page on Webserver B (which uses basic
> > authentication), but I don't want them to have to login again ...
> >
> > > Thanks,
> > > Wade

> > HtH,
> > Andrea
> >
> >
> >
> >

>
>



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Passing windows credentials from server to server. Wade Wegner ASP .Net 8 06-22-2007 04:44 PM
"The credentials supplied conflict with an existing set of credentials" -=rjh=- NZ Computing 2 07-15-2006 11:09 PM
Passing user credentials to another server...? Wizard! ASP .Net Security 2 11-28-2005 10:31 AM
Passing credentials to windows integrated authentication =?Utf-8?B?UGF0cmljay5PLklnZQ==?= ASP .Net 3 10-26-2004 10:56 AM
Please help - Passing credentials to windows integrated authentication jadher ASP .Net 1 10-11-2004 02:33 PM



Advertisments