Impersonation and webproxy credentials

Discussion in 'ASP .Net Security' started by Davide Bedin, Mar 3, 2004.

  1. Davide Bedin

    Davide Bedin Guest

    I configured my asp.net 1.1 application to impersonate a specific user
    account that has the rights to access the web through the network ISA
    server.

    So I tried to access a web resource, an external web service, specifying the
    ISA address for the webproxy class and setting the webproxy.Credentials =
    System.Net.CredentialCache.DefaultCredentials. I knew that in this scenario
    the DefaultCredentials would be the credentials of the impersonated user.

    Using the default credentials doesn't let me access the web service through
    the ISA Server as I get a 407 Proxy Authentication Error. If I explicitly
    create a new credentials object using the same user info of the impersonated
    user account everything works as expected.

    This sounds really strange to me; probably there is some additional setting
    I might have set in a wrong way.

    Thanks,
    Davide
    Davide Bedin, Mar 3, 2004
    #1

  2. Davide Bedin

    Alek Davis Guest

    Davide,

    This is expected behavior. You can use pass-through credentials (from
    computer A through computer B to computer C) only if Kerberos/delegation are
    enabled on the network, which is not a recommended configuration (from a
    security perspective). There must be a few posts related to this issue (just
    do a search on keywords such as Kerberos, delegation, NTLM, IIS, etc).

    Alek
    Alek Davis, Mar 3, 2004
    #2

  3. Davide Bedin

    Davide Bedin Guest

    Thanks for the response.
    As I'm passing the credentials of the impersonated ASP.Net app account and
    not of the client account I don't see how I'm passing credentials from A to
    B to C. From my point of view I'm passing credentials from B to C. This is
    the web.config setting:

        <identity impersonate="true" userName="user" password="password"/>

    So why am I able to pass the default credentials (the credentials of the
    impersonated user account) to another web service with Windows
    authentication in order to be authenticated (or to access SQL Server with
    integrated security) but not to pass them to the proxy?

    From MSDN I read that DefaultCredentials in ASP.Net are the user
    credentials of the logged-in user, or the user being impersonated:
    http://msdn.microsoft.com/library/d...edentialcacheclassdefaultcredentialstopic.asp

    Will this code run only if Kerberos delegation is enabled, even if I'm not
    impersonating the client user?

        Dim proxy As New System.Net.WebProxy("proxy", True)
        proxy.Credentials = System.Net.CredentialCache.DefaultCredentials
        System.Net.GlobalProxySelection.Select = proxy

    This is quite confusing to me.
    Thank you for your help,
    Davide
    Davide Bedin, Mar 4, 2004
    #3
  4. Davide Bedin

    Alek Davis Guest

    Oh, I see. Not sure I completely understand your configuration and I haven't
    worked with ISA servers, but these are my 2 cents. Just thinking logically
    (although APIs are not necessarily logical, so take this with a
    grain of suspicion), when you specify "identity impersonate" with userName
    and password, your whole ASP.NET application should run under this identity
    (instead of the default ASPNET account). If you do not explicitly set
    credentials info, these credentials should be passed to the outbound calls.
    So if you had a SQL server somewhere, you would be able to connect to it
    using the application credentials without explicitly specifying them
    (assuming that SQL server allows access by the impersonated user). But in your
    configuration there is an ISA server and a proxy server, so I do not know
    how they handle credentials info (haven't worked with ISA at all and have
    limited knowledge of proxy servers). For example, it may be the case that
    the proxy server needs explicit credentials to pass (delegate) them to the
    external site (think of it as 3 systems: your Web server - proxy server -
    external Web site). As I said, I am not an expert in this particular area,
    so I may be wrong here. Hopefully someone more knowledgeable can answer your
    question.

    Alek
    Alek Davis, Mar 4, 2004
    #4
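
Added example, not part of the thread or written by its participants: a small VB.NET check that puts the two cases from the first post side by side, proxy authentication with DefaultCredentials and with an explicit NetworkCredential, and prints the account the code runs as. The proxy address, test URL and environment variable names are assumptions.

```vb
Imports System
Imports System.Net
Imports System.Security.Principal

Module ProxyAuthCheck
    ' Hypothetical values, not from the thread: substitute your proxy and a test URL.
    Private Const ProxyAddress As String = "http://proxy.example:8080"
    Private Const TestUrl As String = "http://www.example.com/"

    ' Sends one request through the proxy with the given proxy credentials
    ' and reports the HTTP status, or the transport error if there was no response.
    Function TryThroughProxy(ByVal label As String, ByVal proxyCreds As ICredentials) As String
        Dim proxy As New WebProxy(ProxyAddress, True)
        proxy.Credentials = proxyCreds
        Dim request As HttpWebRequest = CType(WebRequest.Create(TestUrl), HttpWebRequest)
        request.Proxy = proxy ' set per request, rather than through the global proxy selection
        Try
            Dim response As HttpWebResponse = CType(request.GetResponse(), HttpWebResponse)
            Dim code As Integer = CInt(response.StatusCode)
            response.Close()
            Return label & ": HTTP " & code.ToString()
        Catch ex As WebException
            ' A 407 surfaces as a WebException whose Response carries the status code.
            If TypeOf ex.Response Is HttpWebResponse Then
                Dim status As HttpStatusCode = CType(ex.Response, HttpWebResponse).StatusCode
                ex.Response.Close()
                Return label & ": HTTP " & CInt(status).ToString()
            End If
            Return label & ": " & ex.Status.ToString()
        End Try
    End Function

    Sub Main()
        ' Account the current thread runs as; with <identity impersonate="true" .../>
        ' this is expected to be the configured account.
        Console.WriteLine("Running as: " & WindowsIdentity.GetCurrent().Name)
        Console.WriteLine(TryThroughProxy("DefaultCredentials", CredentialCache.DefaultCredentials))
        ' Explicit credentials come from the environment (assumed names), not from source code.
        Dim explicitCreds As New NetworkCredential( _
            Environment.GetEnvironmentVariable("PROXY_USER"), _
            Environment.GetEnvironmentVariable("PROXY_PASSWORD"), _
            Environment.GetEnvironmentVariable("PROXY_DOMAIN"))
        Console.WriteLine(TryThroughProxy("Explicit NetworkCredential", explicitCreds))
    End Sub
End Module
```

Run as a console program it reports the logged-on user; to reproduce the case in the thread, call TryThroughProxy from code running inside the impersonating ASP.NET application.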