Passing windows credentials from server to server.

Wade Wegner

Hello,

I have been desperately trying to programmatically authenticate a windows
user, create their credentials, and then redirect them to a different server
while passing the credentials at the same time so that they don't have to
login again.

Specifically, I have two webservers in the same domain. When I have a user
go to Webserver A (which uses basic authentication) I programmatically
create either a user credential or impersonate a user context (for now it's
hardcoded, but in the future it would be entered in forms). Then, I want to
let that user access a page on Webserver B (which uses basic
authentication), but I don't want them to have to login again -- rather, I
want to use the user context that I programmatically created on Webserver A.

For instance, here is an example of the code I use to create the user
credentials:

Dim strURI As String = "http://www.whatever.com"
Dim myCred As New NetworkCredential("userid", "password", "domain")
Dim myURI As New Uri(strURI)
Dim myCache As New CredentialCache
myCache.Add(myURI, "Basic", myCred)

From this, I have attempted to use WebRequests and WebResponses to somehow
allow me to direct the browser to a different page, and use the credential I
have generated. The most I can do, however, is create the request and
receive the response:

Dim myWebRequest As System.Net.WebRequest = System.Net.WebRequest.Create(strURI)
myWebRequest.Credentials = myCache
Dim myWebResponse As WebResponse = myWebRequest.GetResponse()

If only I could use the response.redirect method, and somehow pass the
credentials with the redirection (like you can with the webrequest), it
could work!

I have also attempted to use the LogonUser API (from the advapi32.dll), and
impersonate a user based on the proper logon information -- this works, and
I'm able to successfully impersonate the user, but again, I don't know how
to pass along the user context to a different page.

I know that many people will say "just use form based authentication," but
this will not work for me, as I want this to work with tools like Outlook
Web Access, which requires windows authentication.

Any help would be greatly appreciated. Thank you!!

Wade
 
Andrea D'Onofrio [MSFT]

Hi,
can you set Windows authentication on server B? If yes, you can easily solve
your problem by turning on impersonation in server A's web.config.

HtH,
Andrea
 
Wade Wegner

I would be very interested to hear your explanation, and know how to do
it -- especially if it's easily solved.

FYI - below I did specify that Server B uses windows authentication.

Thanks,

Wade
 
Andrea D'Onofrio [MSFT]

Hi,
> I would be very interested to hear your explanation, and know how to do
> it -- especially if it's easily solved.
ServerA -> Basic Authentication
ServerB -> Windows Integrated
You must turn on impersonation in ServerA web.config:
<authentication mode="Windows" />

<identity impersonate="true"></identity>

If you have code like Response.Redirect("http://serverB/default.aspx") in a
ServerA page, IIS (automatically) successfully authenticates the user (the
user must be a valid user for both serverA and ServerB) and you don't need
to write any additional code.

You will find more details about the issue in these articles:
283201 HOWTO: Use Delegation in Windows 2000 with COM+
http://support.microsoft.com/?id=283201

287537 Using Basic Authentication to Generate Kerberos Tokens
http://support.microsoft.com/?id=287537
> FYI - below I did specify that Server B uses windows authentication.
FYI, extracted from your original post:
> ....access a page on Webserver B (which uses basic
> authentication), but I don't want them to have to login again ...
> Thanks,
> Wade
HtH,
Andrea
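
Added example (not code from this thread or from Microsoft): a Response.Redirect only sends the browser to ServerB, where the browser authenticates on its own, so for ServerA itself to reach ServerB as the signed-in user its code has to make the request under impersonation. The class name and the relay logic are assumptions, the URL is the one from the reply above, and the sketch assumes ServerA's Basic logon yields a token that can authenticate over the network.

```vb
Imports System
Imports System.IO
Imports System.Net
Imports System.Security.Principal
Imports System.Web.UI

' Hypothetical code-behind for a page on ServerA (Basic authentication,
' <identity impersonate="true" />). Class name and relay logic are assumptions.
Public Class FetchFromServerB
    Inherits Page

    ' URL taken from the reply above.
    Private Const TargetUrl As String = "http://serverB/default.aspx"

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        ' Under impersonation the thread runs as the Basic-authenticated caller.
        ' Refuse to go further if it is still anonymous.
        Dim caller As WindowsIdentity = WindowsIdentity.GetCurrent()
        If caller.IsAnonymous Then
            Response.StatusCode = 401
            Return
        End If

        Dim req As HttpWebRequest = CType(WebRequest.Create(TargetUrl), HttpWebRequest)
        ' DefaultCredentials is the identity of the current thread, so ServerB sees
        ' the impersonated user. No password is stored or handled in code.
        req.Credentials = CredentialCache.DefaultCredentials
        req.AllowAutoRedirect = False ' do not carry the identity to another host

        Try
            Using resp As HttpWebResponse = CType(req.GetResponse(), HttpWebResponse)
                Using reader As New StreamReader(resp.GetResponseStream())
                    Response.ContentType = resp.ContentType
                    Response.Write(reader.ReadToEnd())
                End Using
            End Using
        Catch ex As WebException
            ' A 401 from ServerB means it rejected the impersonated identity.
            Dim failed As HttpWebResponse = TryCast(ex.Response, HttpWebResponse)
            Dim rejected As Boolean = failed IsNot Nothing AndAlso failed.StatusCode = HttpStatusCode.Unauthorized
            Response.StatusCode = If(rejected, 403, 502)
            Response.Write(Server.HtmlEncode("ServerB request failed for " & caller.Name))
        End Try
    End Sub
End Class
```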
 
Wade Wegner

I have always thought that using the term "windows authentication" referred
to the fact that you were authenticating to a windows account, and that it
qualified for both basic and NTLM. If I was incorrect, then I apologize.

Now ...

I have tried your suggestion, and I can get it to work under one context,
but not another. For instance, when I authenticate the user on Server A,
and then have them click a button that redirects them to Server B, I get
prompted for login credentials. However, if I use a client-side vbScript to
redirect the user (window.location = "path.aspx"), then it works correctly.

Am I doing something incorrectly, or will this not work for response
redirect?

Thanks,

Wade
 
Andrea D'Onofrio [MSFT]

I've tested the scenario I suggested to you on IIS 5.1 (both on ServerA and
ServerB) and all works fine with Response.Redirect (then server side code).
I don't know which servers there are in your scenario, but I think that, in
this context, there are no differences with IIS 5.0 or IIS 6.0. Try to
check:
- ServerA -> Basic Authentication and ServerB -> Windows Integrated are the
only options flagged
- the Enabled Integrated Windows Authentication in the Advanced IE options
is checked

HtH,
Andrea
 
