Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > HttpWebRequest and 401

Reply
Thread Tools

HttpWebRequest and 401

 
 
LinuxLivz
Guest
Posts: n/a
 
      01-29-2004
Hello All
Here is what I am attempting to do:

I have a NTLM protected site. There are some users who are not part of
the domain (visitors) get challenged with a Pop up dialog box
prompting for a user id, pwd and domain.

In oder to overcome this, I have setup a anonymous site (open to
alll). Users would first hit this site contains a page with an
instance of HttpWebRequest class. This class would make a call to the
protected site with the user's credentials on behalf of the user. If
the user has the correct credentials, then they would be passed to the
protected site else they would be redirected to a login page (NOT the
pop up dialog). In theory this appears to be a good idea to get rid of
the po up dialog.

However, I am unable to get the suers credentials on the anonymous
site and pass it to the HttpWebRequest. If I use DefaultCredentials,
then the site's user id and password are passed (IUSR_MACHINENAME). Is
it possible to obtain the user credential on the anonymous site or is
there another way to acoomplish this

Thanks
 
Reply With Quote
 
 
 
 
Charlie Nilsson [MSFT]
Guest
Posts: n/a
 
      01-29-2004
I think you're confusing authentication types.

Read this msdn article, "IIS Authentication" on the subject or search
online on msdn.
ms-help://MS.VSCC.2003/MS.MSDNQTR.2003FEB.1033/vsent7/html/vxconIISAuthentic
ation.htm

At some point, you will need to gather authentication information from the
user (i.e. they will have to enter a username / pwd). Why use two servers
when one will suffice?


--------------------------------------------------------------------
This reply is provided AS IS, without warranty (express or implied).


--------------------
>From: http://www.velocityreviews.com/forums/(E-Mail Removed) (LinuxLivz)
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>Subject: HttpWebRequest and 401
>Date: 29 Jan 2004 06:35:21 -0800
>Organization: http://groups.google.com
>Lines: 23
>Message-ID: <(E-Mail Removed) >
>NNTP-Posting-Host: 63.100.172.7
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 8bit
>X-Trace: posting.google.com 1075386921 4534 127.0.0.1 (29 Jan 2004

14:35:21 GMT)
>X-Complaints-To: (E-Mail Removed)
>NNTP-Posting-Date: Thu, 29 Jan 2004 14:35:21 +0000 (UTC)
>Path:

cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTN GP08.phx.gbl!newsfeed00.su
l.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!po
stnews1.google.com!not-for-mail
>Xref: cpmsftngxa07.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 8423
>X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
>Hello All
>Here is what I am attempting to do:
>
>I have a NTLM protected site. There are some users who are not part of
>the domain (visitors) get challenged with a Pop up dialog box
>prompting for a user id, pwd and domain.
>
>In oder to overcome this, I have setup a anonymous site (open to
>alll). Users would first hit this site contains a page with an
>instance of HttpWebRequest class. This class would make a call to the
>protected site with the user's credentials on behalf of the user. If
>the user has the correct credentials, then they would be passed to the
>protected site else they would be redirected to a login page (NOT the
>pop up dialog). In theory this appears to be a good idea to get rid of
>the po up dialog.
>
>However, I am unable to get the suers credentials on the anonymous
>site and pass it to the HttpWebRequest. If I use DefaultCredentials,
>then the site's user id and password are passed (IUSR_MACHINENAME). Is
>it possible to obtain the user credential on the anonymous site or is
>there another way to acoomplish this
>
>Thanks
>


 
Reply With Quote
 
 
 
 
LinuxLivz
Guest
Posts: n/a
 
      01-29-2004
(E-Mail Removed) (Charlie Nilsson [MSFT]) wrote in message news:<(E-Mail Removed)>...
> I think you're confusing authentication types.
>
> Read this msdn article, "IIS Authentication" on the subject or search
> online on msdn.
> ms-help://MS.VSCC.2003/MS.MSDNQTR.2003FEB.1033/vsent7/html/vxconIISAuthentic
> ation.htm
>
> At some point, you will need to gather authentication information from the
> user (i.e. they will have to enter a username / pwd). Why use two servers
> when one will suffice?
>
>
> --------------------------------------------------------------------
> This reply is provided AS IS, without warranty (express or implied).
>
>
> --------------------
> >From: (E-Mail Removed) (LinuxLivz)
> >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> >Subject: HttpWebRequest and 401
> >Date: 29 Jan 2004 06:35:21 -0800
> >Organization: http://groups.google.com
> >Lines: 23
> >Message-ID: <(E-Mail Removed) >
> >NNTP-Posting-Host: 63.100.172.7
> >Content-Type: text/plain; charset=ISO-8859-1
> >Content-Transfer-Encoding: 8bit
> >X-Trace: posting.google.com 1075386921 4534 127.0.0.1 (29 Jan 2004

> 14:35:21 GMT)
> >X-Complaints-To: (E-Mail Removed)
> >NNTP-Posting-Date: Thu, 29 Jan 2004 14:35:21 +0000 (UTC)
> >Path:

> cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTN GP08.phx.gbl!newsfeed00.su
> l.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!po
> stnews1.google.com!not-for-mail
> >Xref: cpmsftngxa07.phx.gbl

> microsoft.public.dotnet.framework.aspnet.security: 8423
> >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >
> >Hello All
> >Here is what I am attempting to do:
> >
> >I have a NTLM protected site. There are some users who are not part of
> >the domain (visitors) get challenged with a Pop up dialog box
> >prompting for a user id, pwd and domain.
> >
> >In oder to overcome this, I have setup a anonymous site (open to
> >alll). Users would first hit this site contains a page with an
> >instance of HttpWebRequest class. This class would make a call to the
> >protected site with the user's credentials on behalf of the user. If
> >the user has the correct credentials, then they would be passed to the
> >protected site else they would be redirected to a login page (NOT the
> >pop up dialog). In theory this appears to be a good idea to get rid of
> >the po up dialog.
> >
> >However, I am unable to get the suers credentials on the anonymous
> >site and pass it to the HttpWebRequest. If I use DefaultCredentials,
> >then the site's user id and password are passed (IUSR_MACHINENAME). Is
> >it possible to obtain the user credential on the anonymous site or is
> >there another way to acoomplish this
> >
> >Thanks
> >



Thanks for your response. I understand auth types, NTLM works well for
windows domain acounts, what about other OSes? The thinking is to
perform auth without the annoyin pop-up dialog. I think, to condense
the question, it would be can one make the auth pop up dialog go away
if user is not in a Windows domain

Thaks
 
Reply With Quote
 
Charlie Nilsson [MSFT]
Guest
Posts: n/a
 
      01-30-2004

Right, Linux machines do not support NTLM natively (though Mozilla *was*
trying to get it to function properly, though I don't think they're working
on that anymore). I'm unaware of any method for getting your Linux
clients to send authentication info along with the HTTP request to IIS (or
respond with the user's correct Windows Domain credentials during challenge
/ response).
I'm afraid you'll have to re-think your security settings in IIS.


--
CharlieN
VSU

This posting is provided "AS IS" with no warranties, and confers no rights.

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

--------------------
> From: (E-Mail Removed) (LinuxLivz)
> Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> Subject: Re: HttpWebRequest and 401
> Date: 29 Jan 2004 14:39:35 -0800
> Organization: http://groups.google.com
> Lines: 73
> Message-ID: <(E-Mail Removed) >
> References: <(E-Mail Removed) >

<(E-Mail Removed)>
> NNTP-Posting-Host: 63.100.172.7
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: 8bit
> X-Trace: posting.google.com 1075415976 7022 127.0.0.1 (29 Jan 2004

22:39:36 GMT)
> X-Complaints-To: (E-Mail Removed)
> NNTP-Posting-Date: Thu, 29 Jan 2004 22:39:36 +0000 (UTC)
> Path:

cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!cpmsftng xa08.phx.gbl!cpmsftngxa06.
phx.gbl!cpmsftngxa09.phx.gbl!TK2MSFTNGP08.phx.gbl! newsfeed00.sul.t-online.de
!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!postnew s1.googl
e.com!not-for-mail
> Xref: cpmsftngxa07.phx.gbl

microsoft.public.dotnet.framework.aspnet.security: 8438
> X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
>
> (E-Mail Removed) (Charlie Nilsson [MSFT]) wrote in

message news:<(E-Mail Removed)>...
> > I think you're confusing authentication types.
> >
> > Read this msdn article, "IIS Authentication" on the subject or search
> > online on msdn.
> >

ms-help://MS.VSCC.2003/MS.MSDNQTR.2003FEB.1033/vsent7/html/vxconIISAuthentic
> > ation.htm
> >
> > At some point, you will need to gather authentication information from

the
> > user (i.e. they will have to enter a username / pwd). Why use two

servers
> > when one will suffice?
> >
> >
> > --------------------------------------------------------------------
> > This reply is provided AS IS, without warranty (express or implied).
> >
> >
> > --------------------
> > >From: (E-Mail Removed) (LinuxLivz)
> > >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> > >Subject: HttpWebRequest and 401
> > >Date: 29 Jan 2004 06:35:21 -0800
> > >Organization: http://groups.google.com
> > >Lines: 23
> > >Message-ID: <(E-Mail Removed) >
> > >NNTP-Posting-Host: 63.100.172.7
> > >Content-Type: text/plain; charset=ISO-8859-1
> > >Content-Transfer-Encoding: 8bit
> > >X-Trace: posting.google.com 1075386921 4534 127.0.0.1 (29 Jan 2004

> > 14:35:21 GMT)
> > >X-Complaints-To: (E-Mail Removed)
> > >NNTP-Posting-Date: Thu, 29 Jan 2004 14:35:21 +0000 (UTC)
> > >Path:

> >

cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTN GP08.phx.gbl!newsfeed00.su
> >

l.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!po
> > stnews1.google.com!not-for-mail
> > >Xref: cpmsftngxa07.phx.gbl

> > microsoft.public.dotnet.framework.aspnet.security: 8423
> > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> > >
> > >Hello All
> > >Here is what I am attempting to do:
> > >
> > >I have a NTLM protected site. There are some users who are not part of
> > >the domain (visitors) get challenged with a Pop up dialog box
> > >prompting for a user id, pwd and domain.
> > >
> > >In oder to overcome this, I have setup a anonymous site (open to
> > >alll). Users would first hit this site contains a page with an
> > >instance of HttpWebRequest class. This class would make a call to the
> > >protected site with the user's credentials on behalf of the user. If
> > >the user has the correct credentials, then they would be passed to the
> > >protected site else they would be redirected to a login page (NOT the
> > >pop up dialog). In theory this appears to be a good idea to get rid of
> > >the po up dialog.
> > >
> > >However, I am unable to get the suers credentials on the anonymous
> > >site and pass it to the HttpWebRequest. If I use DefaultCredentials,
> > >then the site's user id and password are passed (IUSR_MACHINENAME). Is
> > >it possible to obtain the user credential on the anonymous site or is
> > >there another way to acoomplish this
> > >
> > >Thanks
> > >

>
>
> Thanks for your response. I understand auth types, NTLM works well for
> windows domain acounts, what about other OSes? The thinking is to
> perform auth without the annoyin pop-up dialog. I think, to condense
> the question, it would be can one make the auth pop up dialog go away
> if user is not in a Windows domain
>
> Thaks
>


 
Reply With Quote
 
Joe Kaplan \(MVP - ADSI\)
Guest
Posts: n/a
 
      01-30-2004
You should be able to use Basic authentication (with SSL for safety of
course). Basic authentication headers are easy to build on just about any
platform. Plus, you can send them with the original request
(pre-authenticate) to avoid the challenge/response.

However, if NTLM/Kerberos is required for the Web Service, then Charlie is
absolutely right.

Joe K.

"Charlie Nilsson [MSFT]" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
>
> Right, Linux machines do not support NTLM natively (though Mozilla *was*
> trying to get it to function properly, though I don't think they're

working
> on that anymore). I'm unaware of any method for getting your Linux
> clients to send authentication info along with the HTTP request to IIS (or
> respond with the user's correct Windows Domain credentials during

challenge
> / response).
> I'm afraid you'll have to re-think your security settings in IIS.
>
>
> --
> CharlieN
> VSU
>
> This posting is provided "AS IS" with no warranties, and confers no

rights.
>
> Note: For the benefit of the community-at-large, all responses to this
> message are best directed to the newsgroup/thread from which they
> originated.
>
> --------------------
> > From: (E-Mail Removed) (LinuxLivz)
> > Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> > Subject: Re: HttpWebRequest and 401
> > Date: 29 Jan 2004 14:39:35 -0800
> > Organization: http://groups.google.com
> > Lines: 73
> > Message-ID: <(E-Mail Removed) >
> > References: <(E-Mail Removed) >

> <(E-Mail Removed)>
> > NNTP-Posting-Host: 63.100.172.7
> > Content-Type: text/plain; charset=ISO-8859-1
> > Content-Transfer-Encoding: 8bit
> > X-Trace: posting.google.com 1075415976 7022 127.0.0.1 (29 Jan 2004

> 22:39:36 GMT)
> > X-Complaints-To: (E-Mail Removed)
> > NNTP-Posting-Date: Thu, 29 Jan 2004 22:39:36 +0000 (UTC)
> > Path:

>

cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!cpmsftng xa08.phx.gbl!cpmsftngxa06.
>

phx.gbl!cpmsftngxa09.phx.gbl!TK2MSFTNGP08.phx.gbl! newsfeed00.sul.t-online.de
>

!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!postnew s1.googl
> e.com!not-for-mail
> > Xref: cpmsftngxa07.phx.gbl

> microsoft.public.dotnet.framework.aspnet.security: 8438
> > X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> >
> > (E-Mail Removed) (Charlie Nilsson [MSFT]) wrote in

> message news:<(E-Mail Removed)>...
> > > I think you're confusing authentication types.
> > >
> > > Read this msdn article, "IIS Authentication" on the subject or search
> > > online on msdn.
> > >

>

ms-help://MS.VSCC.2003/MS.MSDNQTR.2003FEB.1033/vsent7/html/vxconIISAuthentic
> > > ation.htm
> > >
> > > At some point, you will need to gather authentication information from

> the
> > > user (i.e. they will have to enter a username / pwd). Why use two

> servers
> > > when one will suffice?
> > >
> > >
> > > --------------------------------------------------------------------
> > > This reply is provided AS IS, without warranty (express or implied).
> > >
> > >
> > > --------------------
> > > >From: (E-Mail Removed) (LinuxLivz)
> > > >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> > > >Subject: HttpWebRequest and 401
> > > >Date: 29 Jan 2004 06:35:21 -0800
> > > >Organization: http://groups.google.com
> > > >Lines: 23
> > > >Message-ID: <(E-Mail Removed) >
> > > >NNTP-Posting-Host: 63.100.172.7
> > > >Content-Type: text/plain; charset=ISO-8859-1
> > > >Content-Transfer-Encoding: 8bit
> > > >X-Trace: posting.google.com 1075386921 4534 127.0.0.1 (29 Jan 2004
> > > 14:35:21 GMT)
> > > >X-Complaints-To: (E-Mail Removed)
> > > >NNTP-Posting-Date: Thu, 29 Jan 2004 14:35:21 +0000 (UTC)
> > > >Path:
> > >

>

cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTN GP08.phx.gbl!newsfeed00.su
> > >

>

l.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!po
> > > stnews1.google.com!not-for-mail
> > > >Xref: cpmsftngxa07.phx.gbl
> > > microsoft.public.dotnet.framework.aspnet.security: 8423
> > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> > > >
> > > >Hello All
> > > >Here is what I am attempting to do:
> > > >
> > > >I have a NTLM protected site. There are some users who are not part

of
> > > >the domain (visitors) get challenged with a Pop up dialog box
> > > >prompting for a user id, pwd and domain.
> > > >
> > > >In oder to overcome this, I have setup a anonymous site (open to
> > > >alll). Users would first hit this site contains a page with an
> > > >instance of HttpWebRequest class. This class would make a call to the
> > > >protected site with the user's credentials on behalf of the user. If
> > > >the user has the correct credentials, then they would be passed to

the
> > > >protected site else they would be redirected to a login page (NOT the
> > > >pop up dialog). In theory this appears to be a good idea to get rid

of
> > > >the po up dialog.
> > > >
> > > >However, I am unable to get the suers credentials on the anonymous
> > > >site and pass it to the HttpWebRequest. If I use DefaultCredentials,
> > > >then the site's user id and password are passed (IUSR_MACHINENAME).

Is
> > > >it possible to obtain the user credential on the anonymous site or is
> > > >there another way to acoomplish this
> > > >
> > > >Thanks
> > > >

> >
> >
> > Thanks for your response. I understand auth types, NTLM works well for
> > windows domain acounts, what about other OSes? The thinking is to
> > perform auth without the annoyin pop-up dialog. I think, to condense
> > the question, it would be can one make the auth pop up dialog go away
> > if user is not in a Windows domain
> >
> > Thaks
> >

>



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
401 on HttpWebRequest in FIrefox Ryan ASP .Net 1 10-04-2006 04:48 PM
401 Unauthorized on HttpWebRequest with DefaultCredentials (2003) ivarley@spamcop.net ASP .Net Security 1 03-31-2006 04:16 PM
401 Error with httpwebrequest =?Utf-8?B?dHduZXR5MG5lQHlhaG9vLmNvbQ==?= ASP .Net 1 10-13-2005 09:36 AM
errors running HttpWebRequest.GetResponse - 401 unauthorized Steve Richter ASP .Net 2 04-30-2005 01:07 AM
HttpWebRequest & (401) Unauthorized http status code =?Utf-8?B?UG1jZw==?= ASP .Net 0 06-21-2004 12:55 PM



Advertisments