HttpWebRequest and 401

Discussion in 'ASP .Net Security' started by LinuxLivz, Jan 29, 2004.

  1. LinuxLivz

    LinuxLivz Guest

    Hello All
    Here is what I am attempting to do:

    I have a NTLM protected site. There are some users who are not part of
    the domain (visitors) get challenged with a Pop up dialog box
    prompting for a user id, pwd and domain.

    In oder to overcome this, I have setup a anonymous site (open to
    alll). Users would first hit this site contains a page with an
    instance of HttpWebRequest class. This class would make a call to the
    protected site with the user's credentials on behalf of the user. If
    the user has the correct credentials, then they would be passed to the
    protected site else they would be redirected to a login page (NOT the
    pop up dialog). In theory this appears to be a good idea to get rid of
    the po up dialog.

    However, I am unable to get the suers credentials on the anonymous
    site and pass it to the HttpWebRequest. If I use DefaultCredentials,
    then the site's user id and password are passed (IUSR_MACHINENAME). Is
    it possible to obtain the user credential on the anonymous site or is
    there another way to acoomplish this

    Thanks
     
    LinuxLivz, Jan 29, 2004
    #1
    1. Advertising

  2. I think you're confusing authentication types.

    Read this msdn article, "IIS Authentication" on the subject or search
    online on msdn.
    ms-help://MS.VSCC.2003/MS.MSDNQTR.2003FEB.1033/vsent7/html/vxconIISAuthentic
    ation.htm

    At some point, you will need to gather authentication information from the
    user (i.e. they will have to enter a username / pwd). Why use two servers
    when one will suffice?


    --------------------------------------------------------------------
    This reply is provided AS IS, without warranty (express or implied).


    --------------------
    >From: (LinuxLivz)
    >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    >Subject: HttpWebRequest and 401
    >Date: 29 Jan 2004 06:35:21 -0800
    >Organization: http://groups.google.com
    >Lines: 23
    >Message-ID: <>
    >NNTP-Posting-Host: 63.100.172.7
    >Content-Type: text/plain; charset=ISO-8859-1
    >Content-Transfer-Encoding: 8bit
    >X-Trace: posting.google.com 1075386921 4534 127.0.0.1 (29 Jan 2004

    14:35:21 GMT)
    >X-Complaints-To:
    >NNTP-Posting-Date: Thu, 29 Jan 2004 14:35:21 +0000 (UTC)
    >Path:

    cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.su
    l.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!po
    stnews1.google.com!not-for-mail
    >Xref: cpmsftngxa07.phx.gbl

    microsoft.public.dotnet.framework.aspnet.security:8423
    >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >
    >Hello All
    >Here is what I am attempting to do:
    >
    >I have a NTLM protected site. There are some users who are not part of
    >the domain (visitors) get challenged with a Pop up dialog box
    >prompting for a user id, pwd and domain.
    >
    >In oder to overcome this, I have setup a anonymous site (open to
    >alll). Users would first hit this site contains a page with an
    >instance of HttpWebRequest class. This class would make a call to the
    >protected site with the user's credentials on behalf of the user. If
    >the user has the correct credentials, then they would be passed to the
    >protected site else they would be redirected to a login page (NOT the
    >pop up dialog). In theory this appears to be a good idea to get rid of
    >the po up dialog.
    >
    >However, I am unable to get the suers credentials on the anonymous
    >site and pass it to the HttpWebRequest. If I use DefaultCredentials,
    >then the site's user id and password are passed (IUSR_MACHINENAME). Is
    >it possible to obtain the user credential on the anonymous site or is
    >there another way to acoomplish this
    >
    >Thanks
    >
     
    Charlie Nilsson [MSFT], Jan 29, 2004
    #2
    1. Advertising

  3. LinuxLivz

    LinuxLivz Guest

    (Charlie Nilsson [MSFT]) wrote in message news:<>...
    > I think you're confusing authentication types.
    >
    > Read this msdn article, "IIS Authentication" on the subject or search
    > online on msdn.
    > ms-help://MS.VSCC.2003/MS.MSDNQTR.2003FEB.1033/vsent7/html/vxconIISAuthentic
    > ation.htm
    >
    > At some point, you will need to gather authentication information from the
    > user (i.e. they will have to enter a username / pwd). Why use two servers
    > when one will suffice?
    >
    >
    > --------------------------------------------------------------------
    > This reply is provided AS IS, without warranty (express or implied).
    >
    >
    > --------------------
    > >From: (LinuxLivz)
    > >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    > >Subject: HttpWebRequest and 401
    > >Date: 29 Jan 2004 06:35:21 -0800
    > >Organization: http://groups.google.com
    > >Lines: 23
    > >Message-ID: <>
    > >NNTP-Posting-Host: 63.100.172.7
    > >Content-Type: text/plain; charset=ISO-8859-1
    > >Content-Transfer-Encoding: 8bit
    > >X-Trace: posting.google.com 1075386921 4534 127.0.0.1 (29 Jan 2004

    > 14:35:21 GMT)
    > >X-Complaints-To:
    > >NNTP-Posting-Date: Thu, 29 Jan 2004 14:35:21 +0000 (UTC)
    > >Path:

    > cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.su
    > l.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!po
    > stnews1.google.com!not-for-mail
    > >Xref: cpmsftngxa07.phx.gbl

    > microsoft.public.dotnet.framework.aspnet.security:8423
    > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > >
    > >Hello All
    > >Here is what I am attempting to do:
    > >
    > >I have a NTLM protected site. There are some users who are not part of
    > >the domain (visitors) get challenged with a Pop up dialog box
    > >prompting for a user id, pwd and domain.
    > >
    > >In oder to overcome this, I have setup a anonymous site (open to
    > >alll). Users would first hit this site contains a page with an
    > >instance of HttpWebRequest class. This class would make a call to the
    > >protected site with the user's credentials on behalf of the user. If
    > >the user has the correct credentials, then they would be passed to the
    > >protected site else they would be redirected to a login page (NOT the
    > >pop up dialog). In theory this appears to be a good idea to get rid of
    > >the po up dialog.
    > >
    > >However, I am unable to get the suers credentials on the anonymous
    > >site and pass it to the HttpWebRequest. If I use DefaultCredentials,
    > >then the site's user id and password are passed (IUSR_MACHINENAME). Is
    > >it possible to obtain the user credential on the anonymous site or is
    > >there another way to acoomplish this
    > >
    > >Thanks
    > >



    Thanks for your response. I understand auth types, NTLM works well for
    windows domain acounts, what about other OSes? The thinking is to
    perform auth without the annoyin pop-up dialog. I think, to condense
    the question, it would be can one make the auth pop up dialog go away
    if user is not in a Windows domain

    Thaks
     
    LinuxLivz, Jan 29, 2004
    #3
  4. Right, Linux machines do not support NTLM natively (though Mozilla *was*
    trying to get it to function properly, though I don't think they're working
    on that anymore). I'm unaware of any method for getting your Linux
    clients to send authentication info along with the HTTP request to IIS (or
    respond with the user's correct Windows Domain credentials during challenge
    / response).
    I'm afraid you'll have to re-think your security settings in IIS.


    --
    CharlieN
    VSU

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Note: For the benefit of the community-at-large, all responses to this
    message are best directed to the newsgroup/thread from which they
    originated.

    --------------------
    > From: (LinuxLivz)
    > Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    > Subject: Re: HttpWebRequest and 401
    > Date: 29 Jan 2004 14:39:35 -0800
    > Organization: http://groups.google.com
    > Lines: 73
    > Message-ID: <>
    > References: <>

    <>
    > NNTP-Posting-Host: 63.100.172.7
    > Content-Type: text/plain; charset=ISO-8859-1
    > Content-Transfer-Encoding: 8bit
    > X-Trace: posting.google.com 1075415976 7022 127.0.0.1 (29 Jan 2004

    22:39:36 GMT)
    > X-Complaints-To:
    > NNTP-Posting-Date: Thu, 29 Jan 2004 22:39:36 +0000 (UTC)
    > Path:

    cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!cpmsftngxa08.phx.gbl!cpmsftngxa06.
    phx.gbl!cpmsftngxa09.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de
    !t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!postnews1.googl
    e.com!not-for-mail
    > Xref: cpmsftngxa07.phx.gbl

    microsoft.public.dotnet.framework.aspnet.security:8438
    > X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    >
    > (Charlie Nilsson [MSFT]) wrote in

    message news:<>...
    > > I think you're confusing authentication types.
    > >
    > > Read this msdn article, "IIS Authentication" on the subject or search
    > > online on msdn.
    > >

    ms-help://MS.VSCC.2003/MS.MSDNQTR.2003FEB.1033/vsent7/html/vxconIISAuthentic
    > > ation.htm
    > >
    > > At some point, you will need to gather authentication information from

    the
    > > user (i.e. they will have to enter a username / pwd). Why use two

    servers
    > > when one will suffice?
    > >
    > >
    > > --------------------------------------------------------------------
    > > This reply is provided AS IS, without warranty (express or implied).
    > >
    > >
    > > --------------------
    > > >From: (LinuxLivz)
    > > >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    > > >Subject: HttpWebRequest and 401
    > > >Date: 29 Jan 2004 06:35:21 -0800
    > > >Organization: http://groups.google.com
    > > >Lines: 23
    > > >Message-ID: <>
    > > >NNTP-Posting-Host: 63.100.172.7
    > > >Content-Type: text/plain; charset=ISO-8859-1
    > > >Content-Transfer-Encoding: 8bit
    > > >X-Trace: posting.google.com 1075386921 4534 127.0.0.1 (29 Jan 2004

    > > 14:35:21 GMT)
    > > >X-Complaints-To:
    > > >NNTP-Posting-Date: Thu, 29 Jan 2004 14:35:21 +0000 (UTC)
    > > >Path:

    > >

    cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.su
    > >

    l.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!po
    > > stnews1.google.com!not-for-mail
    > > >Xref: cpmsftngxa07.phx.gbl

    > > microsoft.public.dotnet.framework.aspnet.security:8423
    > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > > >
    > > >Hello All
    > > >Here is what I am attempting to do:
    > > >
    > > >I have a NTLM protected site. There are some users who are not part of
    > > >the domain (visitors) get challenged with a Pop up dialog box
    > > >prompting for a user id, pwd and domain.
    > > >
    > > >In oder to overcome this, I have setup a anonymous site (open to
    > > >alll). Users would first hit this site contains a page with an
    > > >instance of HttpWebRequest class. This class would make a call to the
    > > >protected site with the user's credentials on behalf of the user. If
    > > >the user has the correct credentials, then they would be passed to the
    > > >protected site else they would be redirected to a login page (NOT the
    > > >pop up dialog). In theory this appears to be a good idea to get rid of
    > > >the po up dialog.
    > > >
    > > >However, I am unable to get the suers credentials on the anonymous
    > > >site and pass it to the HttpWebRequest. If I use DefaultCredentials,
    > > >then the site's user id and password are passed (IUSR_MACHINENAME). Is
    > > >it possible to obtain the user credential on the anonymous site or is
    > > >there another way to acoomplish this
    > > >
    > > >Thanks
    > > >

    >
    >
    > Thanks for your response. I understand auth types, NTLM works well for
    > windows domain acounts, what about other OSes? The thinking is to
    > perform auth without the annoyin pop-up dialog. I think, to condense
    > the question, it would be can one make the auth pop up dialog go away
    > if user is not in a Windows domain
    >
    > Thaks
    >
     
    Charlie Nilsson [MSFT], Jan 30, 2004
    #4
  5. You should be able to use Basic authentication (with SSL for safety of
    course). Basic authentication headers are easy to build on just about any
    platform. Plus, you can send them with the original request
    (pre-authenticate) to avoid the challenge/response.

    However, if NTLM/Kerberos is required for the Web Service, then Charlie is
    absolutely right.

    Joe K.

    "Charlie Nilsson [MSFT]" <> wrote in
    message news:...
    >
    > Right, Linux machines do not support NTLM natively (though Mozilla *was*
    > trying to get it to function properly, though I don't think they're

    working
    > on that anymore). I'm unaware of any method for getting your Linux
    > clients to send authentication info along with the HTTP request to IIS (or
    > respond with the user's correct Windows Domain credentials during

    challenge
    > / response).
    > I'm afraid you'll have to re-think your security settings in IIS.
    >
    >
    > --
    > CharlieN
    > VSU
    >
    > This posting is provided "AS IS" with no warranties, and confers no

    rights.
    >
    > Note: For the benefit of the community-at-large, all responses to this
    > message are best directed to the newsgroup/thread from which they
    > originated.
    >
    > --------------------
    > > From: (LinuxLivz)
    > > Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    > > Subject: Re: HttpWebRequest and 401
    > > Date: 29 Jan 2004 14:39:35 -0800
    > > Organization: http://groups.google.com
    > > Lines: 73
    > > Message-ID: <>
    > > References: <>

    > <>
    > > NNTP-Posting-Host: 63.100.172.7
    > > Content-Type: text/plain; charset=ISO-8859-1
    > > Content-Transfer-Encoding: 8bit
    > > X-Trace: posting.google.com 1075415976 7022 127.0.0.1 (29 Jan 2004

    > 22:39:36 GMT)
    > > X-Complaints-To:
    > > NNTP-Posting-Date: Thu, 29 Jan 2004 22:39:36 +0000 (UTC)
    > > Path:

    >

    cpmsftngxa07.phx.gbl!cpmsftngxa10.phx.gbl!cpmsftngxa08.phx.gbl!cpmsftngxa06.
    >

    phx.gbl!cpmsftngxa09.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de
    >

    !t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!postnews1.googl
    > e.com!not-for-mail
    > > Xref: cpmsftngxa07.phx.gbl

    > microsoft.public.dotnet.framework.aspnet.security:8438
    > > X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > >
    > > (Charlie Nilsson [MSFT]) wrote in

    > message news:<>...
    > > > I think you're confusing authentication types.
    > > >
    > > > Read this msdn article, "IIS Authentication" on the subject or search
    > > > online on msdn.
    > > >

    >

    ms-help://MS.VSCC.2003/MS.MSDNQTR.2003FEB.1033/vsent7/html/vxconIISAuthentic
    > > > ation.htm
    > > >
    > > > At some point, you will need to gather authentication information from

    > the
    > > > user (i.e. they will have to enter a username / pwd). Why use two

    > servers
    > > > when one will suffice?
    > > >
    > > >
    > > > --------------------------------------------------------------------
    > > > This reply is provided AS IS, without warranty (express or implied).
    > > >
    > > >
    > > > --------------------
    > > > >From: (LinuxLivz)
    > > > >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    > > > >Subject: HttpWebRequest and 401
    > > > >Date: 29 Jan 2004 06:35:21 -0800
    > > > >Organization: http://groups.google.com
    > > > >Lines: 23
    > > > >Message-ID: <>
    > > > >NNTP-Posting-Host: 63.100.172.7
    > > > >Content-Type: text/plain; charset=ISO-8859-1
    > > > >Content-Transfer-Encoding: 8bit
    > > > >X-Trace: posting.google.com 1075386921 4534 127.0.0.1 (29 Jan 2004
    > > > 14:35:21 GMT)
    > > > >X-Complaints-To:
    > > > >NNTP-Posting-Date: Thu, 29 Jan 2004 14:35:21 +0000 (UTC)
    > > > >Path:
    > > >

    >

    cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.su
    > > >

    >

    l.t-online.de!t-online.de!news-spur1.maxwell.syr.edu!news.maxwell.syr.edu!po
    > > > stnews1.google.com!not-for-mail
    > > > >Xref: cpmsftngxa07.phx.gbl
    > > > microsoft.public.dotnet.framework.aspnet.security:8423
    > > > >X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
    > > > >
    > > > >Hello All
    > > > >Here is what I am attempting to do:
    > > > >
    > > > >I have a NTLM protected site. There are some users who are not part

    of
    > > > >the domain (visitors) get challenged with a Pop up dialog box
    > > > >prompting for a user id, pwd and domain.
    > > > >
    > > > >In oder to overcome this, I have setup a anonymous site (open to
    > > > >alll). Users would first hit this site contains a page with an
    > > > >instance of HttpWebRequest class. This class would make a call to the
    > > > >protected site with the user's credentials on behalf of the user. If
    > > > >the user has the correct credentials, then they would be passed to

    the
    > > > >protected site else they would be redirected to a login page (NOT the
    > > > >pop up dialog). In theory this appears to be a good idea to get rid

    of
    > > > >the po up dialog.
    > > > >
    > > > >However, I am unable to get the suers credentials on the anonymous
    > > > >site and pass it to the HttpWebRequest. If I use DefaultCredentials,
    > > > >then the site's user id and password are passed (IUSR_MACHINENAME).

    Is
    > > > >it possible to obtain the user credential on the anonymous site or is
    > > > >there another way to acoomplish this
    > > > >
    > > > >Thanks
    > > > >

    > >
    > >
    > > Thanks for your response. I understand auth types, NTLM works well for
    > > windows domain acounts, what about other OSes? The thinking is to
    > > perform auth without the annoyin pop-up dialog. I think, to condense
    > > the question, it would be can one make the auth pop up dialog go away
    > > if user is not in a Windows domain
    > >
    > > Thaks
    > >

    >
     
    Joe Kaplan \(MVP - ADSI\), Jan 30, 2004
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?UG1jZw==?=

    HttpWebRequest & (401) Unauthorized http status code

    =?Utf-8?B?UG1jZw==?=, Jun 21, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    2,477
    =?Utf-8?B?UG1jZw==?=
    Jun 21, 2004
  2. Steve Richter
    Replies:
    2
    Views:
    10,676
    Shane Thomas
    Apr 30, 2005
  3. Marcos Martínez

    ReadXml (DataSet) and WebException (401)

    Marcos Martínez, Sep 26, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    1,616
    Paul Glavich [MVP ASP.NET]
    Oct 2, 2005
  4. Ryan

    401 on HttpWebRequest in FIrefox

    Ryan, Oct 4, 2006, in forum: ASP .Net
    Replies:
    1
    Views:
    447
    bruce barker \(sqlwork.com\)
    Oct 4, 2006
  5. Replies:
    1
    Views:
    329
Loading...

Share This Page