Oh, I see. Not sure I completely understand your configuration and I haven't
worked with ISA servers, but these are my 2 cents. Just thinking logically
(although given that APIs are not necessarily logical, so take this with a
grain of suspicion), when you specify "identity impersonate" with userName
and password, your whole ASP.NET application should run under this identity
(instead of the default ASPNET account). If you do not explicitly set
credentials info, these credentials should be passed to the outbound calls.
So if you had a SQL server somewhere, you would be able to connect to it
using the application credentials without explicitly specifying them
(assuming that SQL server allows access by impersonated user). But in your
configuration there is an ISA server and a proxy server, so I do not know
how they handle credentials info (haven't worked with ISA at all and have
limited knowledge of proxy servers). For example, it may be a case that
proxy server needs explicit credentials to pass (delegate) them to the
external site (think of it as 3 systems: your Web server - proxy server -
external Web site). As I said, I am not an expert in this particular area,
so I may be wrong here. Hopefully someone more knowledgeable can answer your
question.
Alek
"Davide Bedin" <> wrote in message
news:...
> Thanks for the response.
> As I'm passing the credentials of the impersonated ASP.Net app account and
> not of the client account I don't see how I'm passing credentials from A
to
> B to C. From my point of view I'm passing credentials from B to C. This is
> the web.config setting:
> <identity impersonate="true" userName="user" password="password"/>
>
> So why I'm able to pass the default credentials (the credentials of the
> impersonated user account) to another web service with Windows
> authentication in order to be authenticated (or to access SQL Server with
> integrated security) but not to pass it to the proxy?
>
> From MSDN I read that DefaultCredentials in ASP.Net are the the default
> credentials are the user credentials of the logged-in user, or the user
> being impersonated
>
http://msdn.microsoft.com/library/de...tialstopic.asp
>
> This code will run only if Kerberos delegation in enabled even If I'm not
> impersonating the client user?
> Dim proxy As New System.Net.WebProxy("proxy", True)
> proxy.Credentials = System.Net.CredentialCache.DefaultCredentials
> System.Net..Select = proxy
>
> This is quite confusing to me.
> Thank you for your help,
> Davide
>
> "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> ha scritto nel
> messaggio news:...
> > Davide,
> >
> > This is expected behavior. You can only use pass-through credentials
(from
> > computer A through computer B to computer C) only if Kerberos/delegation
> are
> > enabled on the network, which is not a recommended configuration (from
> > security perspective). There must be a few posts related to this issue
> (just
> > do a search on keywords such as Kerberos, delegation, NTLM, IIS, etc).
> >
> > Alek
> >
> > "Davide Bedin" <> wrote in message
> > news:...
> > > I configured my asp.net 1.1 application to impersonate a specific user
> > > account that has the rights to access the web through the network ISA
> > > server.
> > >
> > > So I tried to access a web resource, an external web service,
specifying
> > the
> > > ISA address for the webproxy class and setting the
webproxy.Credentials
> =
> > > System.Net.CredentialCache.DefaultCredentials, I knew that in this
> > scenario
> > > the DefaultCredentials would be the credentials of the impersonated
> user.
> > >
> > > Using the default credentials doesn't let me access the web service
> > through
> > > the ISA Server as I get a 407 Proxy Authentication Error. If I
> explicitly
> > > create a new credentials object using the same user info of the
> > impersonated
> > > user account everything works as expected.
> > >
> > > This sounds really strange to me, probably there is some additional
> > setting
> > > I might have set in a wrong way.
> > >
> > > Thanks,
> > > Davide
> > >
> > >
> >
> >
>
>
Similar Threads
