Impersonation with NTLM

 
 
Thomas Mueller-Lynch, 02-06-2004
I want to use impersonation within a second thread of an HttpWebRequest.
While configuring IIS with Basic authentication everything works fine.
Changing to Integrated Windows Authentication, the thread (which should return a secure web page) returns the HTTP status code 401.

My web.config looks like:
.....
<identity impersonate="true"/><authentication mode="Windows" />
.....


My Testpage looks like:

Imports System.IO
Imports System.Net

Dim url As String = "https://server/secure/index.html"
Dim Req As HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)

Req.Method = "GET"
Req.ContentType = "application/x-www-form-urlencoded;charset=iso-8859-1"
Req.PreAuthenticate = True

If Request.ServerVariables("AUTH_TYPE") = "Basic" Then
    ' Basic: IIS exposes the caller's clear-text user name and password, so re-send them
    Req.Credentials = New System.Net.NetworkCredential(Request.ServerVariables("AUTH_USER"), Request.ServerVariables("AUTH_PASSWORD"))
Else
    ' Integrated (NTLM): use the impersonated token of the current thread
    Req.Credentials = CredentialCache.DefaultCredentials
    ' Should impersonate the user in case of NTLM, shouldn't it???
End If

Dim Resp As HttpWebResponse = DirectCast(Req.GetResponse(), HttpWebResponse)
Dim Reader As StreamReader
Dim strLine As String

Reader = New StreamReader(Resp.GetResponseStream())

While Reader.Peek() > -1
    strLine = Reader.ReadLine()
    Trace.Write(strLine)
End While

Reader.Close()
Resp.Close()

The included thread should impersonate the logged-on user (NTLM or Basic).

What did I do wrong?

Thomas
 
Paul Glavich, 02-09-2004
At a guess, you are trying to do a "double hop" in that you have used
Windows auth/NTLM to log on to your web app, then that same security token to
go to another web site on another machine. Using NTLM, you cannot
impersonate a user, then use that impersonation to authenticate to another
machine (this is the double hop). Basic works because the credentials are
propagated in clear text as part of the HTTP header. NTLM uses a security
token and cannot propagate the same token and have it be valid.

Kerberos can do it, but you still need to mark the user account as
"Delegatable". (Win2000+)
--
- Paul Glavich
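
The diagnostic a practitioner would want at this point, added here as an example and not code from either poster: before attempting the second hop, inspect the impersonated token's authentication type and impersonation level with System.Security.Principal.WindowsIdentity (this assumes .NET 2.0 or later, where WindowsIdentity.ImpersonationLevel exists). An NTLM logon gives IIS an Impersonation-level token, which is only valid on the local machine; a Kerberos logon with delegation enabled for the web server's account yields a Delegation-level token that can be forwarded. The class name DoubleHopCheck and the helper TokenCanHop are my own; the URL and the AUTH_* server variables are the original poster's.

```vb
Imports System
Imports System.IO
Imports System.Net
Imports System.Security.Principal
Imports System.Web.UI

' Added example (assumes .NET 2.0+ for WindowsIdentity.ImpersonationLevel).
Public Class DoubleHopCheck
    Inherits Page

    ' True when the thread's Windows token can be presented to another server.
    ' Only a Kerberos logon, with delegation enabled for the account IIS runs
    ' as (and the user not marked "sensitive, cannot be delegated"), reaches
    ' TokenImpersonationLevel.Delegation. NTLM yields at most Impersonation,
    ' which is usable on this machine only.
    Public Shared Function TokenCanHop(ByVal id As WindowsIdentity) As Boolean
        Return id.ImpersonationLevel = TokenImpersonationLevel.Delegation
    End Function

    Protected Overrides Sub OnLoad(ByVal e As EventArgs)
        MyBase.OnLoad(e)

        ' With <identity impersonate="true"/> in web.config, GetCurrent()
        ' returns the caller's token rather than the worker-process identity.
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Trace.Write("User", id.Name)
        Trace.Write("AuthenticationType", id.AuthenticationType)   ' e.g. "NTLM" or "Kerberos"
        Trace.Write("ImpersonationLevel", id.ImpersonationLevel.ToString())

        Dim url As String = "https://server/secure/index.html"   ' from the original post
        Dim req As HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)
        req.Method = "GET"
        req.PreAuthenticate = True

        If Request.ServerVariables("AUTH_TYPE") = "Basic" Then
            ' Basic: IIS holds the clear-text password, so it can simply be resent.
            req.Credentials = New NetworkCredential( _
                Request.ServerVariables("AUTH_USER"), _
                Request.ServerVariables("AUTH_PASSWORD"))
        ElseIf TokenCanHop(id) Then
            ' Kerberos with delegation: the impersonated token is reusable downstream.
            req.Credentials = CredentialCache.DefaultCredentials
        Else
            ' NTLM (or Kerberos without delegation): DefaultCredentials would offer
            ' a token the other end cannot use, and the inner request gets a 401.
            ' Fail early with an explanation instead of a bare 401 in the trace.
            Trace.Warn("DoubleHop", "Token is " & id.ImpersonationLevel.ToString() & _
                " via " & id.AuthenticationType & "; the second hop will be refused. " & _
                "Use Kerberos with delegation enabled, or Basic over TLS.")
            Return
        End If

        Using resp As HttpWebResponse = DirectCast(req.GetResponse(), HttpWebResponse)
            Using reader As New StreamReader(resp.GetResponseStream())
                Trace.Write("Body", reader.ReadToEnd())
            End Using
        End Using
    End Sub
End Class
```

Run the page with trace="true" and compare the AuthenticationType and ImpersonationLevel lines between the Basic and Integrated configurations: the 401 in the Integrated case coincides with an Impersonation-level NTLM token, which is exactly the double-hop limitation described above.
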

Paul Glavich, 02-10-2004
It may still be suffering the "double hop" syndrome if it thinks that the
page you are trying to access (even though it's on the same machine) is on
another machine. When you specify the "host" part of the URL, is it as you
specified below (i.e. https://server/....) or does it contain periods (e.g.
https://my.server/...)?

Also, try it without using SSL (i.e. http://server/....) to see what happens.

--
- Paul Glavich


"Thomas Mueller-Lynch" <thomas.mueller-lynch(remove)@siemens.com> wrote in message news:(E-Mail Removed)...
> In this case I have only one server.
> The aspx page which is running on my server is executing another page on the same server.
>
> Any ideas? Thanks in advance
>
> Thomas Mueller-Lynch