Re: Windows Auth -- double hop issue??
From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 03/25/04
- Next message: Brian W: "Re: POST form from HTML to ASP.NET"
- Previous message: Steven Cheng[MSFT]: "RE: POST form from HTML to ASP.NET"
- In reply to: Alek Davis: "Re: Windows Auth -- double hop issue??"
- Next in thread: Alek Davis: "Re: Windows Auth -- double hop issue??"
- Reply: Alek Davis: "Re: Windows Auth -- double hop issue??"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 25 Mar 2004 12:39:55 +1100
But he is executing a new HTTP request (just as the browser did
originally)... and the code doesn't have enough information to complete the
authentication challenge that the web server will be issuing. All he has is
the token - not the username/password.
Cheers
Ken
"Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
news:%23vjNr%23cEEHA.696@TK2MSFTNGP12.phx.gbl...
: You are absolutely right, but what I am trying to say is that there is no
: OTHER machine. Impersonation token for Integrated Windows Authentication
: should work fine on the same system. And, according to the original post,
: both resources reside on the same server, so double-hop should not be an
: issue.
:
: Alek
:
: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
: in message news:O55yavcEEHA.2460@TK2MSFTNGP10.phx.gbl...
: > The way I read it, it works like this:
: >
: > 1. User authenticates with web server via browser using Windows Integrated
: > authentication
: > 2. IIS creates a token for the authenticated user. This token is an
: > impersonation token since that's what IIS creates for Integrated
: > authentication
: > 3. ASP.NET code accesses DefaultCredentials to use in WebRequest.
: > DefaultCredentials are based on impersonation token, so they cannot hop to
: > another server.
: >
: > That's my theory. Since the user's password is never passed to the IIS
: > server, the only way the token on the IIS server is going to hop to another
: > machine on the network is via Kerberos Delegation. If that isn't available,
: > then the hop won't happen (which is what it sounds like is happening). If
: > web authentication was Basic, then the user's plain text credentials are
: > available, so a primary token can be created and that will hop to a
: > different machine without delegation.
: >
: > Joe K.
: >
: > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
: > news:uIlneDcEEHA.2640@TK2MSFTNGP09.phx.gbl...
: > > But Kannan said that all resources reside on the same server. How can it be
: > > the double-hop problem? Logically, it should work, but maybe there is
: > > something else we're missing.
: > >
: > > Alek
: > >
: > > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
: > > in message news:eXamriREEHA.1452@TK2MSFTNGP09.phx.gbl...
: > > > Given that you are using default credentials, it does look like it might be
: > > > a double hop issue.
: > > >
: > > > If the current security context is an impersonation token that can't
: > > > delegate, then the credentials you supply will not hop to the other machine.
: > > > Since Windows integrated authentication creates an impersonation token, this
: > > > is very likely to be the case.
: > > >
: > > > Joe K.
: > > >
: > > >
: > > > "Kannan" <pv_kannan@yahoo.com> wrote in message
: > > > news:b46a02f.0403231023.21b252a7@posting.google.com...
: > > > > Hi Alex,
: > > > > I am setting that in the code. Here is the code sample in VB.NET:
: > > > >
: > > > > Private Function LogonToProjectServer(ByVal projectServerUrl As String)
: > > > >
: > > > >     Dim url As String
: > > > >     Dim cookieString As String
: > > > >
: > > > >     If Not projectServerUrl.EndsWith("/") Then
: > > > >         projectServerUrl += "/"
: > > > >     End If
: > > > >
: > > > >     url = projectServerUrl + "LgnIntAu.asp"
: > > > >     Dim XMLDoc As New XmlDocument
: > > > >
: > > > >     Try
: > > > >         Dim myReq As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
: > > > >         Dim conCookie As New CookieContainer
: > > > >         myReq.CookieContainer = conCookie
: > > > >         myReq.Credentials = CredentialCache.DefaultCredentials
: > > > >         Dim networkCredential As NetworkCredential = _
: > > > >             CType(CredentialCache.DefaultCredentials, NetworkCredential)
: > > > >         Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
: > > > >
: > > > >         Dim log As New EventLog
: > > > >         log.Log = "Application"
: > > > >         log.Source = "PDSHelper:LogonToProjectServer"
: > > > >
: > > > >         ' This returns the correct username
: > > > >         log.WriteEntry("WindowsUser is " + identity.Name, _
: > > > >             EventLogEntryType.Information)
: > > > >
: > > > >         Dim myRes As HttpWebResponse = Nothing
: > > > >         Dim i As Integer
: > > > >         For i = 0 To 2
: > > > >             Try
: > > > >                 myRes = CType(myReq.GetResponse(), HttpWebResponse)
: > > > >                 ' if it gets to this line it didn't error
: > > > >                 Exit For
: > > > >             Catch e As Exception
: > > > >                 If i = 2 Then
: > > > >                     Throw e
: > > > >                 End If
: > > > >             End Try
: > > > >         Next i
: > > > >
: > > > >         XMLDoc.Load(myRes.GetResponseStream())
: > > > >         log.WriteEntry("Xmlcontents are " + XMLDoc.InnerText, _
: > > > >             EventLogEntryType.Information)
: > > > >         ' Close the response to free resources.
: > > > >         myRes.Close()
: > > > >
: > > > >         cookieString = GetLogonStatus(XMLDoc)
: > > > >         If cookieString.Length < 10 Then
: > > > >             Throw New Exception("Invalid Project Server Login Cookie: " + cookieString)
: > > > >         End If
: > > > >     Catch ex As Exception
: > > > >         Throw New Exception("Error occurred attempting to log into project server: " _
: > > > >             + url + vbCrLf + XMLDoc.InnerXml, ex)
: > > > >     End Try
: > > > >
: > > > >     LogonToProjectServer = cookieString
: > > > >
: > > > > End Function
: > > > >
: > > > >
: > > > >
: > > > >
: > > > >
: > ************************************************************************
: > > > > "Alek Davis" <alek_xDOTx_davis_xATx_intel_xDOTx_com> wrote in message
: > > > > news:<OiRD1rHEEHA.3372@TK2MSFTNGP10.phx.gbl>...
: > > > > > Kannan,
: > > > > >
: > > > > > Before you call the other site, make sure that you set the default
: > > > > > credentials for your HttpWebRequest's (or whatever class you're using)
: > > > > > Credentials member. See MSDN documentation on
: > > > > > CredentialCache.DefaultCredentials for samples.
: > > > > >
: > > > > > Alek
: > > > > >
: > > > > > "Kannan" <pv_kannan@yahoo.com> wrote in message
: > > > > > news:b46a02f.0403221407.388842f1@posting.google.com...
: > > > > > > We are having a strange problem with NT credentials being lost while
: > > > > > > accessing another resource on the same server.
: > > > > > >
: > > > > > > Here is the scenario:
: > > > > > >
: > > > > > > Step 1
: > > > > > > -------------
: > > > > > > Client A makes a call to a method in a C# DLL that resides in Server A
: > > > > > > using Windows Auth (correct settings in web.config and IIS).
: > > > > > >
: > > > > > > Step 2
: > > > > > > -------------
: > > > > > > That method makes a call to an asp page that is present on a different
: > > > > > > website on the same server (Server A) to retrieve a cookie value.
: > > > > > >
: > > > > > > I notice that Windows credentials are being passed over in Step 1. It
: > > > > > > returns the correct value when I use WindowsIdentity.GetCurrent.Name.
: > > > > > > But they do not get passed over from DLL method to the site in Step 2.
: > > > > > > (LOGON_USER returns blank)
: > > > > > >
: > > > > > >
: > > > > > > Would this be a double-hop issue? Would use of delegation and Kerberos
: > > > > > > help?
: > > > > > >
: > > > > > > Any help would be really appreciated.
: > > > > > >
: > > > > > > Thanks
: > > > > > > kannan
: > > >
: > > >
: > >
: > >
: >
: >
:
:
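
Added example, not part of the original thread or of any poster's code: a small VB.NET diagnostic that reports the kind of token the code holds just before the outgoing WebRequest, which is the property the thread's double-hop reasoning turns on. The module and function names are hypothetical, and it assumes .NET Framework 2.0 or later, where WindowsIdentity.ImpersonationLevel is available.

```vbnet
Imports System
Imports System.Security.Principal

' Added diagnostic (hypothetical names). Assumes .NET Framework 2.0+,
' where WindowsIdentity.ImpersonationLevel is available.
Public Module HopDiagnostics

    ' Maps a token's impersonation level to where that token can be used.
    Public Function DescribeHopCapability(ByVal level As TokenImpersonationLevel) As String
        Select Case level
            Case TokenImpersonationLevel.Delegation
                Return "delegation: can be used against a remote server (Kerberos delegation)"
            Case TokenImpersonationLevel.Impersonation
                Return "impersonation: usable on the local system only, cannot hop to another server"
            Case TokenImpersonationLevel.Identification
                Return "identification: identity can be read but not used to access resources"
            Case TokenImpersonationLevel.Anonymous
                Return "anonymous: no client identity available"
            Case Else
                ' TokenImpersonationLevel.None is reported for a primary (process) token.
                Return "none: primary token, not an impersonation token"
        End Select
    End Function

    ' Summarises the identity the calling thread runs as. Call it right
    ' before the outgoing request and log the result next to identity.Name.
    Public Function DescribeCurrentIdentity() As String
        Dim identity As WindowsIdentity = WindowsIdentity.GetCurrent()
        Return String.Format("user={0}; authType={1}; authenticated={2}; token={3}", _
            identity.Name, identity.AuthenticationType, identity.IsAuthenticated, _
            DescribeHopCapability(identity.ImpersonationLevel))
    End Function

    Public Sub Main()
        Console.WriteLine(DescribeCurrentIdentity())
    End Sub

End Module
```

Logging the output of DescribeCurrentIdentity() alongside the existing "WindowsUser is ..." event log entry shows whether the request thread holds an impersonation-level or delegation-level token, and whether the browser authenticated with NTLM or Kerberos.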