Passing windows credentials from server to server.

Discussion in 'ASP .Net Security' started by Wade Wegner, Dec 27, 2003.

  1. Wade Wegner

    Wade Wegner Guest

    Hello,

    I have been desperately trying to programmatically authenticate a windows
    user, create their credentials, and then redirect them to a different server
    while passing the credentials at the same time so that they don't have to
    login again.

    Specifically, I have two webservers in the same domain. When I have a user
    go to Webserver A (which uses basic authentication) I programmatically
    create either a user credential or impersonate a user context (for now it's
    hardcoded, but in the future it would be entered in forms). Then, I want to
    let that user access a page on Webserver B (which uses basic
    authentication), but I don't want them to have to login again -- rather, I
    want to use the user context that I programmatically created on Webserver A.

    For instance, here is an example of the code I use to create the user
    credentials:

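    ' Requires: Imports System.Net
    Dim strURI As String = "http://www.whatever.com"
    ' Hardcoded for now; would later come from a form
    Dim myCred As New NetworkCredential("userid", "password", "domain")
    Dim myURI As New Uri(strURI)
    ' Associate the credential with the target URI for Basic authentication
    Dim myCache As New CredentialCache
    myCache.Add(myURI, "Basic", myCred)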

    From this, I have attempted to use WebRequests and WebResponses to somehow
    allow me to direct the browser to a different page, and use the credential I
    have generated. The most I can do, however, is create the request and
    receive the response:

    ' Server-side request to the target, authenticated with the cached credential
    Dim myWebRequest As System.Net.WebRequest = System.Net.WebRequest.Create(strURI)
    myWebRequest.Credentials = myCache
    Dim myWebResponse As WebResponse = myWebRequest.GetResponse()

    If only I could use the response.redirect method, and somehow pass the
    credentials with the redirection (like you can with the webrequest), it
    could work!

    I have also attempted to use the LogonUser API (from the advapi32.dll), and
    impersonate a user based on the proper logon information -- this works, and
    I'm able to successfully impersonate the user, but again, I don't know how
    to pass along the user context to a different page.

    I know that many people will say "just use form based authentication," but
    this will not work for me, as I want this to work with tools like Outlook
    Web Access, which requires windows authentication.

    Any help would be greatly appreciated. Thank you!!

    Wade
    Wade Wegner, Dec 27, 2003
    #1

  2. Hi,
    can you set on server B windows authentication? If yes, you can easily solve
    your problem by turning on impersonation in server A's web.config.

    HtH,
    Andrea

    Andrea D'Onofrio [MSFT], Dec 30, 2003
    #2

  3. Wade Wegner

    Wade Wegner Guest

    I would be very interested to hear your explanation, and know how to do
    it -- especially if it's easily solved.

    FYI - below I did specify that Server B uses windows authentication.

    Thanks,

    Wade


    Wade Wegner, Dec 30, 2003
    #3
  4. Hi,
    > I would be very interested to hear your explanation, and know how to do
    > it -- especially if it's easily solved.

    ServerA -> Basic Authentication
    ServerB -> Windows Integrated
    You must turn on impersonation in ServerA web.config:
    <authentication mode="Windows" />

    <identity impersonate="true"></identity>

    If you have code like Response.Redirect("http://serverB/default.aspx") in a
    ServerA page, IIS (automatically) successfully authenticates the user (the
    user must be a valid user for both serverA and ServerB) and you don't need
    to write any additional code.

    You will find more details about the issue in these articles:
    283201 HOWTO: Use Delegation in Windows 2000 with COM+
    http://support.microsoft.com/?id=283201

    287537 Using Basic Authentication to Generate Kerberos Tokens
    http://support.microsoft.com/?id=287537

    > FYI - below I did specify that Server B uses windows authentication.
    >

    FYI, extracted from your original post:
    ....access a page on Webserver B (which uses basic
    authentication), but I don't want them to have to login again ...

    > Thanks,
    > Wade

    HtH,
    Andrea
    Andrea D'Onofrio [MSFT], Dec 30, 2003
    #4
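
What the web.config setting in post #4 makes possible on the server side, as an added example (not code from either poster): with Basic authentication and `<identity impersonate="true">` on Server A, Server A's own code can call Server B as the logged-on user through `CredentialCache.DefaultCredentials`, with no password in source. The class name, function name and `expectedUser` parameter are assumptions; the fetch happens server-side and does not change what the browser sends after a redirect.

```vbnet
Imports System
Imports System.IO
Imports System.Net
Imports System.Security.Principal

Public Class DelegatedFetch   ' hypothetical helper, not from the thread

    ' Runs on Server A. Requests a Server B page as the user the current
    ' thread is impersonating and returns the response body.
    ' expectedUser: the authenticated name, e.g. User.Identity.Name.
    Public Shared Function FetchAsCaller(ByVal url As String, _
                                         ByVal expectedUser As String) As String
        ' With impersonation on, this is the Basic-authenticated user;
        ' with it off, it is the worker-process account.
        Dim caller As WindowsIdentity = WindowsIdentity.GetCurrent()
        If Not String.Equals(caller.Name, expectedUser, _
                             StringComparison.OrdinalIgnoreCase) Then
            Throw New InvalidOperationException( _
                "Impersonation is not active; thread runs as " & caller.Name)
        End If

        Dim request As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
        ' Credentials of the impersonated logon session; nothing hardcoded.
        request.Credentials = CredentialCache.DefaultCredentials
        ' Do not carry the user's credentials along to a redirect target.
        request.AllowAutoRedirect = False

        Try
            Using response As WebResponse = request.GetResponse()
                Using reader As New StreamReader(response.GetResponseStream())
                    Return reader.ReadToEnd()
                End Using
            End Using
        Catch ex As WebException
            Dim failed As HttpWebResponse = TryCast(ex.Response, HttpWebResponse)
            If failed IsNot Nothing AndAlso _
               failed.StatusCode = HttpStatusCode.Unauthorized Then
                ' Server B did not accept the impersonated identity.
                Throw New UnauthorizedAccessException( _
                    "Server B rejected " & caller.Name, ex)
            End If
            Throw
        End Try
    End Function
End Class
```

From a page on Server A this would be called as `DelegatedFetch.FetchAsCaller("http://serverB/default.aspx", User.Identity.Name)`.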
  5. Wade Wegner

    Wade Wegner Guest

    I have always thought that using the term "windows authentication" referred
    to the fact that you were authenticating to a windows account, and that it
    qualified for both basic and NTLM. If I was incorrect, then I apologize.

    Now ...

    I have tried your suggestion, and I can get it to work under one context,
    but not another. For instance, when I authenticate the user on Server A,
    and then have them click a button that redirects them to Server B, I get
    prompted for login credentials. However, if I use a client-side vbScript to
    redirect the user (window.location = "path.aspx"), then it works correctly.

    Am I doing something incorrectly, or will this not work for response
    redirect?

    Thanks,

    Wade

    Wade Wegner, Dec 30, 2003
    #5
  6. I've tested the scenario I suggested you on IIS 5.1 (both on ServerA and
    ServerB) and all works fine with Response.Redirect (then server side code).
    I don't know which servers there are in your scenario, but I think that, in
    this context, there are no differences with IIS 5.0 or IIS 6.0. Try to
    check:
    - ServerA -> Basic Authentication and ServerB -> Windows Integrated are the
    only options flagged
    - the Enabled Integrated Windows Authentication in the Advanced IE options
    is checked

    HtH,
    Andrea

    Andrea D'Onofrio [MSFT], Dec 31, 2003
    #6
