Impersonation with NTLM

Discussion in 'ASP .Net Security' started by Thomas Mueller-Lynch, Feb 6, 2004.

  1. I want to use impersonation within a second thread of an HttpWebRequest.
    While configuring IIS with basic authentication everything works fine.
    Changing to Integrated Windows Authentication the thread (which should return a secure web-page) returns the http status code 401.

    My web.config looks like:
    .....
    <identity impersonate="true"/><authentication mode="Windows" />
    .....


    My Testpage looks like:

    ' Needs System.Net and System.IO in scope (Imports statements or <%@ Import %> directives)
    dim url as String = "https://server/secure/index.html"
    dim Req as HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)
    dim strLine as String

    Req.Method = "GET"
    Req.ContentType = "application/x-www-form-urlencoded;charset=iso-8859-1"
    Req.PreAuthenticate = true

    ' Basic: IIS exposes the caller's clear-text password, so an explicit credential can be built
    if Request.ServerVariables("AUTH_TYPE") = "Basic" then
    Req.Credentials = new System.Net.NetworkCredential(Request.ServerVariables("AUTH_USER"),Request.ServerVariables("AUTH_PASSWORD"))
    else
    ' Windows auth: reuse whatever token the current (impersonated) thread holds
    Req.Credentials = CredentialCache.DefaultCredentials
    ' Should impersonate the user in case of NTLM, shouldn't it???
    end if

    dim Resp as HttpWebResponse = DirectCast(Req.GetResponse(), HttpWebResponse)
    dim Reader as StreamReader

    Reader = new StreamReader(Resp.GetResponseStream())

    ' Copy the secured page line by line into the trace output
    while Reader.Peek() > -1
    strLine = Reader.ReadLine()
    Trace.Write(strLine)
    end while

    Reader.Close()
    Resp.Close()

    The included thread should impersonate the logged-on user (NTLM or Basic).

    What did I do wrong?

    Thomas
     
    Thomas Mueller-Lynch, Feb 6, 2004
    #1

  2. Paul Glavich (Guest)

    At a guess, you are trying to do a "double hop" in that, you have used
    windows auth/NTLM to logon to your web app, then that same security token to
    go to another web site on another machine. Using NTLM, you cannot
    impersonate a user, then use that impersonation to authenticate to another
    machine (this is the double hop). Basic works because the credentials are
    propagated in clear text as part of the Http header. NTLM uses a security
    token and cannot propagate the same token and be valid.

    Kerberos can do it, but you still need to mark the user account as
    "Delegateable". (Win2000+)
    --
    - Paul Glavich


    "Thomas Mueller-Lynch" <thomas.mueller-lynch(remove)@siemens.com> wrote in
    message news:D...
    > I want to use impersonation within a second thread of an httpwebrequest.
    > While configuring IIS with basic authentication everything works fine.
    > Changing to Integrated Windows Authentication the thread (which should
    > return a secure web-page) returns the http status code 401.
    >
    > My web.config looks like:
    > ...
    > <identity impersonate="true"/><authentication mode="Windows" />
    > ...
    >
    >
    > My Testpage looks like:
    >
    > dim url as String = "https://server/secure/index.html"
    > dim Req as HttpWebRequest = DirectCast(WebRequest.Create(url),
    > HttpWebRequest)
    >
    > Req.Method = "GET"
    > Req.ContentType = "application/x-www-form-urlencoded;charset=iso-8859-1"
    > Req.PreAuthenticate = true
    >
    > if Request.ServerVariables("AUTH_TYPE") = "Basic"
    > Req.Credentials = new
    > System.Net.NetworkCredential(Request.ServerVariables("AUTH_USER"),Request.ServerVariables("AUTH_PASSWORD"))
    > else
    > Req.Credentials = CredentialCache.DefaultCredentials
    > ' Should impersonate the user in case of NTLM, shouldn't it???
    > end if
    >
    > dim Resp as HttpWebResponse =
    > DirectCast(req.GetResponse(),HttpWebResponse)
    > dim Reader as StreamReader
    >
    > Reader = new StreamReader(Resp.GetResponseStream())
    >
    > while Reader.Peek() > -1
    > strLine = Reader.ReadLine()
    > Trace.write(strLine)
    > end while
    >
    > Reader.Close()
    > Resp.Close()
    >
    > The included thread should impersonate the logged-on user (NTLM or Basic).
    >
    > What did I do wrong?
    >
    > Thomas
     
    Paul Glavich, Feb 9, 2004
    #2
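The check Paul describes, written out as an added VB.NET example (it is not code from this thread or from either poster): before issuing the second-hop HttpWebRequest, inspect the impersonated WindowsIdentity so that a token which cannot be forwarded fails with a clear diagnostic instead of a bare 401 from the target page. It assumes .NET 2.0 or later (for WindowsIdentity.ImpersonationLevel) and an ASP.NET page running under <identity impersonate="true"/>; the class name, function names and parameters are invented for the example, and the caller passes in the AUTH_TYPE, AUTH_USER and AUTH_PASSWORD server variables from the original post.

```vbnet
' Added example, not from the original thread. Assumes .NET 2.0+ and an
' ASP.NET page with <identity impersonate="true"/> so that
' WindowsIdentity.GetCurrent() is the logged-on caller, not the worker process.
Imports System
Imports System.IO
Imports System.Net
Imports System.Security.Principal

Public Class SecondHopCheck

    ' True only when the current token may be presented to another service.
    ' An NTLM logon yields an Impersonation-level token, which is good on this
    ' box but is not accepted by a remote server; a Kerberos logon to an
    ' account marked as trusted for delegation yields a Delegation-level token.
    Public Shared Function CanDelegate(ByVal id As WindowsIdentity) As Boolean
        Return id.ImpersonationLevel = TokenImpersonationLevel.Delegation
    End Function

    ' Fetches url as the impersonated caller, or raises with the reason it cannot.
    ' authType/authUser/authPassword are Request.ServerVariables("AUTH_TYPE"),
    ' ("AUTH_USER") and ("AUTH_PASSWORD") from the page that calls this.
    Public Shared Function FetchAsCaller(ByVal url As String, _
                                         ByVal authType As String, _
                                         ByVal authUser As String, _
                                         ByVal authPassword As String) As String
        Dim id As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim req As HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)
        req.Method = "GET"
        req.PreAuthenticate = True

        If String.Equals(authType, "Basic", StringComparison.OrdinalIgnoreCase) Then
            ' Basic: IIS hands ASP.NET the clear-text password, so the hop can be
            ' re-authenticated explicitly. The password travels again on the wire,
            ' so keep both the inbound and outbound legs on HTTPS.
            req.Credentials = New NetworkCredential(authUser, authPassword)
        ElseIf CanDelegate(id) Then
            ' Kerberos with delegation: the impersonated token is forwardable.
            req.Credentials = CredentialCache.DefaultCredentials
        Else
            ' NTLM, or Kerberos without delegation: the token stops at this server.
            ' Fail here with the facts rather than letting the target answer 401.
            Throw New InvalidOperationException( _
                "Cannot forward " & id.AuthenticationType & " token for " & id.Name & _
                " (impersonation level " & id.ImpersonationLevel.ToString() & "). " & _
                "Use Kerberos and mark the account as trusted for delegation, " & _
                "or fall back to Basic authentication over HTTPS.")
        End If

        Using resp As HttpWebResponse = DirectCast(req.GetResponse(), HttpWebResponse)
            Using reader As New StreamReader(resp.GetResponseStream())
                Return reader.ReadToEnd()
            End Using
        End Using
    End Function

End Class
```

The useful part for diagnosis is the exception text: it reports AuthenticationType ("NTLM", "Kerberos", "Basic") and the impersonation level together, which is exactly the pair that decides whether the double hop can succeed, whereas the original code only sees a 401 from the second request.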

  3. Paul Glavich (Guest)

    It may still be suffering the "double hop" syndrome if it thinks that the
    page you are trying to access (even though it's on the same machine) is on
    another machine. When you specify the "host" part of the URL, is it as you
    specified below (ie. https://server/....) or does it contain periods (eg.
    https://my.server/...)?

    Also, try it without using SSL (ie. http://server/....) to see what happens.

    --
    - Paul Glavich


    "Thomas Mueller-Lynch" <thomas.mueller-lynch(remove)@siemens.com> wrote in
    message news:...
    > In this case I have only one server.
    > the aspx page which is running on my server is executing another page on
    > the same server.
    >
    > Any ideas? Thanks in advance
    >
    > Thomas Mueller-Lynch
    >
    > ----- Paul Glavich wrote: -----
    >
    > At a guess, you are trying to do a "double hop" in that, you have used
    > windows auth/NTLM to logon to your web app, then that same security token to
    > go to another web site on another machine. Using NTLM, you cannot
    > impersonate a user, then use that impersonation to authenticate to another
    > machine (this is the double hop). Basic works because the credentials are
    > propagated in clear text as part of the Http header. NTLM uses a security
    > token and cannot propagate the same token and be valid.
    >
    > Kerberos can do it, but you still need to mark the user account as
    > "Delegateable". (Win2000+)
    > --
    > - Paul Glavich
    >
    >
    > "Thomas Mueller-Lynch" <thomas.mueller-lynch(remove)@siemens.com> wrote in
    > message news:D...
    > > I want to use impersonation within a second thread of an httpwebrequest.
    > > While configuring IIS with basic authentication everything works fine.
    > > Changing to Integrated Windows Authentication the thread (which should
    > > return a secure web-page) returns the http status code 401.
    > >
    > > My web.config looks like:
    > > ...
    > > <identity impersonate="true"/><authentication mode="Windows" />
    > > ...
    > >
    > >
    > > My Testpage looks like:
    > >
    > > dim url as String = "https://server/secure/index.html"
    > > dim Req as HttpWebRequest = DirectCast(WebRequest.Create(url),
    > > HttpWebRequest)
    > >
    > > Req.Method = "GET"
    > > Req.ContentType = "application/x-www-form-urlencoded;charset=iso-8859-1"
    > > Req.PreAuthenticate = true
    > >
    > > if Request.ServerVariables("AUTH_TYPE") = "Basic"
    > > Req.Credentials = new
    > > System.Net.NetworkCredential(Request.ServerVariables("AUTH_USER"),Request.ServerVariables("AUTH_PASSWORD"))
    > > else
    > > Req.Credentials = CredentialCache.DefaultCredentials
    > > ' Should impersonate the user in case of NTLM, shouldn't it???
    > > end if
    > >
    > > dim Resp as HttpWebResponse =
    > > DirectCast(req.GetResponse(),HttpWebResponse)
    > > dim Reader as StreamReader
    > >
    > > Reader = new StreamReader(Resp.GetResponseStream())
    > >
    > > while Reader.Peek() > -1
    > > strLine = Reader.ReadLine()
    > > Trace.write(strLine)
    > > end while
    > >
    > > Reader.Close()
    > > Resp.Close()
    > >
    > > The included thread should impersonate the logged-on user (NTLM or Basic).
    > >
    > > What did I do wrong?
    > >
    > > Thomas
    >
    >
    >
     
    Paul Glavich, Feb 10, 2004
    #3
