Please help Passing Credentials


JOS

Hi,

I am having problems passing Windows credentials to an HTTPRequest
object using ASP.NET 1.1.

Here is my set up:
Server 1
* ASP.NET 1.1 application
* Integrated Authentication Security
* <identity impersonate="true" />
Server 2
* ASP Page
* Integrated Authentication Security

I am creating an HTTPRequest object on Server 1 and passing credentials
using System.NET.DefaultCredentials. The HTTPRequest object is calling
an ASP page on Server 2 to submit some XML.

If I log on to Server 1 as a Windows user, browse to the web application
and submit the page, it works OK.

If I log on to Server 2 as the same Windows user, browse to the web
application on Server 1 and submit the page, I get a 401 access denied
error.

It looks like I am having problems with the double hop of the
credentials.

How can I get this to work? I have basic knowledge of Windows
networking, so the simpler the better :)

Any help gratefully received.

Joe Kaplan

Double hops are solved by implementing Kerberos delegation. I'd suggest
doing some reading on that. There are lots of good papers on the various MS
websites explaining it and I've answered the question in detail on this and
other newsgroups too. In fact, there is another thread that was just
started a few days ago that already launches into the details. Google is
your friend...

Joe K.

JOS

Hi Joe,

Thanks for the tip; I am trying to wade through all the info on Google
now!

I installed the tool from blunck.info and authentication seems OK; it
returns Negotiate for all requests.
However, I still get the 401 error when constructing the HttpWebRequest
(see code below).

What should I be looking for next?

Thanks in advance
Jerry


using System.IO;
using System.Net;

// byteArray: the XML payload (declared earlier);
// processResponse: the application's own helper for the reply
HttpWebRequest Req = (HttpWebRequest)
    WebRequest.Create("http://server2/MyWebApp/ExternalXMLSubmit.asp");
// Forward the impersonated caller's Windows credentials (this is the second hop)
Req.Credentials = System.Net.CredentialCache.DefaultCredentials;
Req.ContentType = "text/xml;charset=UTF-8";
Req.Method = "POST";
Req.ContentLength = byteArray.Length;
Stream newStream = Req.GetRequestStream();
newStream.Write(byteArray, 0, byteArray.Length);
newStream.Close();

// GetResponse: a 401 here means Server 2 rejected the forwarded credentials
HttpWebResponse response = (HttpWebResponse)Req.GetResponse();
StreamReader responseStream = new StreamReader(response.GetResponseStream());
string Res = processResponse(responseStream.ReadToEnd());
responseStream.Close();
response.Close();
return Res;

Joe Kaplan

The code is fine. I don't need to see that again. Using DefaultCredentials
is all there really is from a coding standpoint as long as you are using IWA
auth in IIS and have impersonate set to true.

A few things here:
- "Negotiate" in the headers does not mean that you WILL get Kerberos auth,
it just means that you CAN. The security event log on the web server will
tell you for sure what actually happened.
- In order for the web server to delegate to the other web server, the
account running the web server must be "trusted for delegation" in AD. This
account is usually the machine account of the server if you are running IIS
6 with the defaults for the app pool identity (Network Service). If you are
running as something else, then that account must be changed. If you are
running as a local machine account, it won't work. If you don't have the
rights to change this in AD yourself, your domain admins will have to do it
for you.
- The other web site must also be accessible with Kerberos authentication,
so you should check that the same way you check the front end server.
- In order for the front end web server to do Kerberos authentication to
the backend server, the host name in the URL must have the right service
principal name (SPN) in AD for the account running that web server. In your
code, it is "http://server2", so the SPN should be either HOST/server2 or
HTTP/server2. If the actual value is different, then it should match that.
You can check the SPNs for an account with an LDAP query tool like ADSI
Edit, ldp.exe or adfind.exe from www.joeware.net (different Joe...).

There are potentially some other steps you need to do if you are planning to
use protocol transition (S4U) and/or constrained delegation. It is
definitely a good idea to read the big TechNet docs on this stuff to gain
more detailed insight.

Best of luck,

Joe K.

JOS

Joe,

Thanks for the tips.

I had a look in the security log and it looks like I am using NTLM :(.
Entries look pretty much like this
http://adopenstatic.com/images/resources/blog/NTLMevent.jpg

How can I force Kerberos?
How do I set the Network Service account to be 'trusted for
delegation'? I can see how to do this with normal accounts but cannot
see the Network Service account anywhere.

Thanks for all the help

Jerry

Joe Kaplan

Hi Jerry,

Please read my previous message carefully. When the Network Service account
is used for the IIS app pool identity, the account that translates to is the
machine account for the server. You need to find that account in AD and
change its delegation settings.

If you aren't getting Kerberos auth between the browser and the front end
web server, the first thing to check for is whether the host name part of
the URL the browser is using has a matching SPN on the service account. As
another example, let's say the site is http://www.directoryprogramming.net.
In that case, the machine account would need a servicePrincipalName of
HTTP/www.directoryprogramming.net or HOST/www.directoryprogramming.net.
Machine accounts get a few SPNs registered for them when they join the
domain, but they are only the ones that correspond to the machine name, so
that may not be sufficient.

Please provide examples of the host name in the URL and the SPNs of the
machine account.

Joe K.
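The checks Joe describes in his two replies (a matching HTTP/ or HOST/ SPN for the host name in each URL, and the front-end account's delegation setting) can be run against AD from a domain-joined box. This is an added example, not code from the thread or from either poster; the account names are assumptions (Network Service maps to the machine account, i.e. SERVER1$ and SERVER2$), the URLs are the thread's, and it uses the built-in [adsisearcher] so no RSAT module is needed.

```powershell
# Added example: walk the Kerberos delegation checklist against AD for both
# hops (browser -> Server 1, Server 1 -> Server 2). Account names are assumptions.
param(
    [string]$FrontEndUrl     = 'http://server1/MyWebApp/',
    [string]$FrontEndAccount = 'SERVER1$',   # assumed: Network Service => machine account
    [string]$BackEndUrl      = 'http://server2/MyWebApp/ExternalXMLSubmit.asp',
    [string]$BackEndAccount  = 'SERVER2$'    # assumed: Network Service => machine account
)
$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl bit: unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit: protocol transition (S4U)

function Find-AdAccount([string]$Sam) {
    $s = [adsisearcher]"(sAMAccountName=$Sam)"        # searches the current domain
    [void]$s.PropertiesToLoad.AddRange([string[]]@(
        'servicePrincipalName', 'userAccountControl', 'msDS-AllowedToDelegateTo'))
    $r = $s.FindOne()
    if (-not $r) { throw "Account '$Sam' not found in AD" }
    return $r.Properties    # keys come back lower-cased; absent attributes are empty
}

# No HTTP/<host> or HOST/<host> on the service account means no Kerberos ticket:
# Negotiate silently falls back to NTLM, and NTLM cannot be delegated.
function Test-HostSpn([string]$Url, [string]$Account) {
    $h     = ([Uri]$Url).Host
    $spns  = @((Find-AdAccount $Account)['serviceprincipalname'])
    $match = @($spns | Where-Object { @("HTTP/$h", "HOST/$h") -contains $_ })  # case-insensitive
    if ($match.Count) { "OK   $h -> $Account has $($match -join ', ')" }
    else { "FAIL $h -> $Account lacks HTTP/$h and HOST/$h (has: $($spns -join ', '))" }
}

Test-HostSpn $FrontEndUrl $FrontEndAccount   # hop 1: browser to front end
Test-HostSpn $BackEndUrl  $BackEndAccount    # hop 2: front end to back end

# Delegation is configured on the front-end account only; the back end just needs Kerberos.
$fe         = Find-AdAccount $FrontEndAccount
$uac        = [int]$fe['useraccountcontrol'][0]
$targets    = @($fe['msds-allowedtodelegateto'])
$backendSpn = "HTTP/$(([Uri]$BackEndUrl).Host)"
if ($targets.Count) {
    "Constrained delegation from $FrontEndAccount to: $($targets -join ', ')"
    if ($targets -notcontains $backendSpn) { "FAIL target list does not include $backendSpn" }
} elseif ($uac -band $TRUSTED_FOR_DELEGATION) {
    "WARN unconstrained delegation on $FrontEndAccount: it works, but lets the server impersonate callers to any service; prefer constrained"
} else {
    "FAIL $FrontEndAccount is not trusted for delegation; hop 2 will be answered with 401"
}
if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { "Protocol transition (S4U2Self) is enabled on $FrontEndAccount" }
```

Constrained delegation entries may be registered as FQDN SPNs (HTTP/server2.domain.local), so compare against the exact host name the code uses in its URL.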