Re: Windows authentication for web service client??
- From: "Kevin Yu" <koo9@xxxxxxxxxxx>
- Date: Mon, 18 Apr 2005 09:13:44 -0600
"solex" <solex@xxxxxxxxxxxxx> wrote in message
news:%23wMk7BdQFHA.3076@xxxxxxxxxxxxxxxxxxxxxxx
> Kevin,
> Thanks for responding, if you (or anyone) sees anything obviously wrong
> with the below summary please let me know.
>
> Thanks,
> Dan
>
> I have the following settings
> Web config:
> <authentication mode="Windows" />
> <identity impersonate="true" />
>
> IIS:
> Anonymous access has been disabled and Integraged Security is the
> only access that is enabled.
>
> Client:
> When calling the web service I make sure that I am passing the
> defaultCredentials from the CredentialCache.
>
> I hardcoded a credential using the following code and it works
>
> Dim Response As System.Net.HttpWebResponse
> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
> HttpWebRequest)
> Dim MyCredentialCache = New System.Net.CredentialCache
> MyCredentialCache.Add(New System.Uri(URI), "NTLM", _
> New System.Net.NetworkCredential("myUserID", "myPassword",
"myDomain"))
>
> Request.Credentials = MyCredentialCache
>
> make my http WEBDAV request here ...
>
> Return (Response)
>
> But this does not work:
>
> Dim Response As System.Net.HttpWebResponse
> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
> HttpWebRequest)
>
> Request.Credentials = CredentialCache.DefaultCredentials
> make my http WEBDAV request here ...
>
> Return (Response)
>
ok. CredentialCache.DefaultCredentials will return the credentials that
client is running under.
so it doens't matter what you set before the line:
Request.Credentials = CredentialCache.DefaultCredentials
it will always return the default credential for the request, but in the
working code, since you set
credentials in the credentialscache for that particular request URI, so that
when the client making
calls to the destinated service, it will use that credential for the
request, that's why it works.
> Nor does this:
>
> Dim impersonationContext As
> System.Security.Principal.WindowsImpersonationContext
> Dim currentWindowsIdentity As
System.Security.Principal.WindowsIdentity
>
> currentWindowsIdentity = CType(mobjUser.Identity,
> System.Security.Principal.WindowsIdentity)
> impersonationContext = currentWindowsIdentity.Impersonate()
>
> Request.Credentials = CredentialCache.DefaultCredentials
> Dim Response As System.Net.HttpWebResponse
> Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
> HttpWebRequest)
>
> Request.Credentials = CredentialCache.DefaultCredentials
>
> make my http WEBDAV request here ...
>
> impersonationContext.Undo()
>
> Return (Response)
>
I have try the same approach using implicity impersonation, what you are
doing here
is the same as using this line: Request.Credentials =
CredentialCache.DefaultCredentials
since you use this call to get the current identity: currentWindowsIdentity
= CType(mobjUser.Identity,
> System.Security.Principal.WindowsIdentity), then you do this:
Request.Credentials = CredentialCache.DefaultCredentials
thus in fact you are doing the same thing twice.
it seems that doing impersonation won't change the
defaultcredential, Request.Credentials = CredentialCache.DefaultCredentials
will always return the credentials that the client is running under as I
mentioned
above.
I use this code from msdn to do impersonation:
#region Public Methods
public bool ImpersonateValidUser()
{
WindowsIdentity tempWindowsIdentity;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;
if(RevertToSelf())
{
if(LogonUserA(_userName, _domain, _password, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, ref token) != 0)
{
if(DuplicateToken(token, 2, ref tokenDuplicate) != 0)
{
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
if (impersonationContext != null)
{
CloseHandle(token);
CloseHandle(tokenDuplicate);
return true;
}
}
}
}
if(token!= IntPtr.Zero)
CloseHandle(token);
if(tokenDuplicate!=IntPtr.Zero)
CloseHandle(tokenDuplicate);
return false;
}
//reverse the security context
public void UndoImpersonation()
{
if(impersonationContext!=null)
impersonationContext.Undo();
}
#endregion
#region Win32 calls
[DllImport("advapi32.dll")]
private static extern int LogonUserA(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
private static extern int DuplicateToken(IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken);
[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
private static extern bool RevertToSelf();
[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
private static extern bool CloseHandle(IntPtr handle);
#endregion
}
in conclusion, only when the correct credential in the credentialsCache for
that
request (that particular URI), it request have access permission.
thanks for your code. I will give it a try.
>
>
> "Kevin Yu" <koo9@xxxxxxxxxxx> wrote in message
> news:u0yUSScQFHA.580@xxxxxxxxxxxxxxxxxxxxxxx
> >
> >
> > "solex" <solex@xxxxxxxxxxxxx> wrote in message
> > news:%23sSDjOSQFHA.244@xxxxxxxxxxxxxxxxxxxxxxx
> >> I'm having a similar problem
> >>
> >> I have a web service that make a webDav request to Exchange.
> >>
> >> I have impersonation on but when I use the defaultCredentials in the
web
> >> services to make the webdav reqeust I get an Unauthorized 401 error.
My
> >> credentials have rights to make this request and I'm at my wits end
> >> trying
> >> to figure it out.
> >>
> >> The service works if I hard code my Network credentials in the service
> >> but
> >> does not otherwise.
> >
> > Hardcoded into your code? create a credential instead of using the
> > defaultcredentials?
> >
> > I thought one can only create credential for "basic" or "digest"
> > authentication mode.
> >
> > I try implicit impersonation, it won't work, even if you are
> > impersonating,
> > the web service has to
> > put the credential on the soap message in order for it to be
> > authenticated,
> > because that's
> > all the hosting service see when interacting with each other. don't want
> > to
> > do explicit impersonation.
> >
> >
> > in .net 2.0, there will be a better support or even WSE 2.0, but this is
> > not
> > my options here.
> > since if we were to use WSE 2.0, there will be a long process of paper
> > work
> > and testing and questioning.....
> >
> >
> >
> >
> >
> >>
> >> Any help with this would also be appreciated.
> >>
> >> Thanks,
> >> Dan
> >>
> >>
> >> "Kevin Yu" <koo9@xxxxxxxxxxx> wrote in message
> >> news:eOariLKQFHA.1476@xxxxxxxxxxxxxxxxxxxxxxx
> >> > but the problem with impersonation in the code is after LogonUser()
> > win32
> >> > call, will the defaultcredentials be set to the new credentials then?
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > "Kevin Yu" <koo9@xxxxxxxxxxx> wrote in message
> >> > news:OEbaAMIQFHA.2356@xxxxxxxxxxxxxxxxxxxxxxx
> >> >>I think impersonation will do , enable impersonation but don't
> >> >>specified
> >> >>the user, use code call the web service with a different
> >> >>username/password.
> >> >>
> >> >>
> >> >>
> >> >> "Brock Allen" <ballen@xxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:453919632490103600068528@xxxxxxxxxxxxxxxxxxxxxxx
> >> >>> The ASPNET account is a local account, so the other machine or
domain
> >> >>> wouldn't know about it. You can either run you web app under a
> > different
> >> >>> account, but that affects the rest of the code in there too. The
> >> >>> other
> >> >>> approach is to have a dedicated account (instead of using the
current
> >> >>> identity of ASPNET) that you can use to do the authentication and
> >> >>> then
> >> >>> use those credentials from the client.
> >> >>>
> >> >>> -Brock
> >> >>> DevelopMentor
> >> >>> http://staff.develop.com/ballen
> >> >>>
> >> >>>
> >> >>>
> >> >>>> hi all
> >> >>>>
> >> >>>> got a question here, a web service secure mode is set to
"windows",
> > on
> >> >>>> the client side
> >> >>>>
> >> >>>> when supplying the credentials, it's like this:
> >> >>>>
> >> >>>> somewebservice.Authentication ssoAuth = new
> >> >>>> somewebservice.Authentication();
> >> >>>>
> >> >>>> ssoAuth.PreAuthenticate = true;
> >> >>>>
> >> >>>> ssoAuth.Credentials =
System.Net.CredentialCache.DefaultCredentials;
> >> >>>>
> >> >>>> from the info here
> >> >>>>
> >> >>>>
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref
> >> >>>>
/html/frlrfSystemNetCredentialCacheClassDefaultCredentialsTopic.asp
> >> >>>>
> >> >>>> the defaultcredential should supply the current security context
> >> >>>> that
> >> >>>> the client is running, but in my case the client is another web
> >> >>>> service running
> >> >>>>
> >> >>>> on another server, now by default the account that the client(the
> >> >>>> calling web service) is running under ASPNET account,
> >> >>>>
> >> >>>> so on the host(somewebservice), I should add the
clientdomain\ASPNET
> >> >>>> account into the windows account?
> >> >>>>
> >> >>>
> >> >>>
> >> >>>
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>
.
- Follow-Ups:
- References:
- Windows authentication for web service client??
- From: Kevin Yu
- Re: Windows authentication for web service client??
- From: Brock Allen
- Re: Windows authentication for web service client??
- From: Kevin Yu
- Re: Windows authentication for web service client??
- From: Kevin Yu
- Re: Windows authentication for web service client??
- From: solex
- Re: Windows authentication for web service client??
- From: Kevin Yu
- Re: Windows authentication for web service client??
- From: solex
- Windows authentication for web service client??
- Prev by Date: web server gets "The Request Failed with HTTP Status 400: Bad Requ
- Next by Date: C# exception after calling Java/Axis web service
- Previous by thread: Re: Windows authentication for web service client??
- Next by thread: Re: Windows authentication for web service client??
- Index(es):
Relevant Pages
|
