Proxy auth with default credentials

Discussion in 'ASP .Net Security' started by kristan.mcdonald@googlemail.com, Feb 23, 2006.

  1. Guest

    Ok, I've managed to get authenticated on my proxy by doing :

    System.Net.WebRequest req;
    req = System.Net.WebRequest.Create("http://www.mywebsite.com/");
    System.Net.WebProxy prx = new System.Net.WebProxy("http://myproxyserver", true);
    System.Net.CredentialCache cache = new System.Net.CredentialCache();
    cache.Add(new Uri("http://myproxyserver"), "NTLM",
        new System.Net.NetworkCredential("username", "password", "domain"));

    I want this to be an app on the intranet and use the impersonated user's
    details. I've set up IIS to auth using integrated authentication, the
    .net app is set to impersonate=true and windows authentication. The box
    is set to be trusted for delegation etc.

    But I can't figure out how in code to create the cache entry for the
    proxy server for the impersonated user. I don't want to hardcode a
    un/pw for obvious reasons but I can't see any other way. I've tried to
    use the System.Net.CredentialCache.DefaultCredentials but I just get a
    proxy auth required message if I try it.

    BTW, for some reason setting the proxy's credential to the
    DefaultCredentials doesn't seem to work, if I look at a packet trace it
    tries to negotiate authentication with the proxy server but it does it
    under "Negotiate" rather than "NTLM" - this seems to make a difference.

    Help!
    , Feb 23, 2006
    #1

  2. I'm pretty sure I read that .NET can't do proxy server authentication using
    Kerberos authentication. You would need that in your scenario as you would
    be delegating the user's login credentials to the proxy server.

    I think there is a kbase article that covers this.
    http://support.microsoft.com/kb/321728/

    That Kbase mentions it in terms of IE, but System.Net uses WinInet under the
    covers, so I would not be surprised if the same rules apply.

    Joe K.

    Joe Kaplan (MVP - ADSI), Feb 23, 2006
    #2

  3. Guest

    Ok, I'm still getting my head around the whole Windows security setup,
    but from what you've said my understanding is:
    I can't auth with Kerberos to the proxy, impersonation is a function of
    Kerberos, so I won't be able to authenticate against the proxy with an
    impersonated user.

    I'm happy I can't do that, but seeing as I'm impersonating the user on
    the IIS box, I've therefore got a thread running as mydomain\myuser on
    the IIS box. Why can't I use that user's credentials to create something
    I can assign to the proxy object so I can use with NTLM authentication
    (which does work against the proxy)?

    Basically I'm trying to get a way of creating a
    System.Net.NetworkCredential with the details of the user IIS is
    impersonating - I just can't see how to do it?
    , Feb 27, 2006
    #3
  4. It is actually delegation that is a function of Kerberos. Impersonation can
    be done with most types of Windows authentication. The issue is that you
    are impersonating a user who was authenticated from a remote browser via
    IWA, so in order to pass their credentials on to another network node (the
    proxy server in this case), you must use delegation.

    If you authenticated with Basic authentication, then you could capture the
    user's plaintext credentials and use that to build a NetworkCredential or
    you might be able to simply impersonate the user and authenticate via NTLM
    to the proxy server. That depends a little on how IIS did the Basic
    authentication.

    I'm not sure there is another good solution for you though if you need to
    use the authenticated user's credentials to access the web resource and the
    proxy requires authentication.

    Joe K.

    Joe Kaplan (MVP - ADSI), Feb 27, 2006
    #4
  5. Guest

    What I thought I could do was just impersonate the user on IIS,
    configure the proxy's credentials to DefaultCredentials (which should
    be that of the logged on user) and then everything should work. It
    didn't though and I got a 407 proxy authentication required so I assumed
    it wasn't passing anything. However when I captured the conversation
    between IIS and the proxy, it was trying to authenticate using
    "Negotiate" rather than "NTLM" which appears to be what is needed. This
    failing is probably because of the restrictions in the article you
    mentioned.

    The only way I seemed to be able to force the IIS to send NTLM was to
    create the credentials myself, hence me now needing a way to get from
    the impersonated user to a NetworkCredential object I can use. The only
    other thing I can think of is if there is some way to force the WebProxy
    object to only use NTLM and not Negotiate - any ideas??

    Thanks
    , Feb 27, 2006
    #5
  6. Guest

    Done a bit more digging and it may not be the auth type that's the
    problem, I've tried doing:

    System.Net.NetworkCredential myCred =
        System.Net.CredentialCache.DefaultCredentials.GetCredential(
            new Uri("http://myproxyserver"), "NTLM");

    and if I examine the contents of myCred, everything is blank - no
    matter what URI I specify, it comes back with blank username, blank
    domain etc. If I look at User.Identity it's got it running as the right
    person, am I being really thick as to what DefaultCredentials should
    allow me to do? Is it maybe just not populated when you're
    impersonating and I have to do something extra to make it work?
    , Feb 27, 2006
    #6
  7. I don't think DefaultCredentials ever shows you who the person is. It is
    just some kind of a wrapper around an internal handle. I could be wrong
    about that.

    The issue is that you can't get the right kind of NTLM credentials for the
    user if you authenticated them with IWA on the front end. You would need to
    prompt the user for their plaintext credentials.

    Is it possible for you to use a service account's credentials to get through
    the proxy server authentication? You would be building a NetworkCredential
    with explicit credentials, but it would not require getting the user's
    plaintext credentials.

    Joe K.

    Joe Kaplan (MVP - ADSI), Feb 27, 2006
    #7
  8. Guest

    I've tried a slightly different tack now and I'm still getting nowhere.
    I've created a C# console app and pasted in the following:

    System.Net.WebRequest req;
    req = System.Net.WebRequest.Create("http://test.com");
    System.Net.WebProxy prx = new System.Net.WebProxy("http://myproxy", true);
    prx.Credentials = System.Net.CredentialCache.DefaultCredentials;

    //comment out to switch between default proxy and proxy specified above
    //req.Proxy = prx;
    req.Proxy = System.Net.WebProxy.GetDefaultProxy();

    System.Net.WebResponse resp = req.GetResponse();


    In both cases (using GetDefaultProxy and DefaultCredentials) I get a
    407 error. This is running on my PC, logged in as me - if I open IE I
    can connect fine - I'm getting confused now! I don't really want to
    have to hard code credentials in (or pull them from registry/config or
    something) but I can't see any way around it at the moment. I must be
    doing something really basic wrong. Incidentally, if I create my own
    NetworkCredential object and specify them that way, it works.
    , Feb 27, 2006
    #8
  9. This I can't tell you. I'd suggest sniffing the network traffic with a tool
    like Ethereal and seeing what is different between IE and your code.
    However, you should be able to make this work with the right combo of
    parameters.

    Joe K.

    Joe Kaplan (MVP - ADSI), Feb 27, 2006
    #9
  10. Guest

    Well I've got it working in the console app, basically it looks like
    you have to request the credential for the URI you're trying to request
    from DefaultCredentials instead of just assigning the lot, this has the
    effect of forcing it to use NTLM instead of Negotiate which seems to
    work, basically swapping:

    prx.Credentials = System.Net.CredentialCache.DefaultCredentials;

    for

    System.Net.CredentialCache cache = new System.Net.CredentialCache();
    cache.Add(new Uri("http://proxyserver"), "NTLM",
        System.Net.CredentialCache.DefaultCredentials.GetCredential(
            new Uri("http://proxyserver"), "NTLM"));
    prx.Credentials = cache;

    However this doesn't work when I put it in an asp.net app and try it
    with impersonation. I'm going to give up with impersonation for now and
    do the whole thing a different way. Thanks for all your help with this
    Joe!

    Kristan
    , Feb 28, 2006
    #10
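
Added example (not code from the thread): the swap described in post #10 as a small console program that also reports which schemes the proxy offers if it still answers 407, the comparison Joe suggests making with a packet capture. The host names are the thread's placeholders; the class and method names are hypothetical.

```csharp
using System;
using System.Net;

// Added example, not code from the thread. The host names are the
// thread's own placeholders.
static class ProxyNtlmCheck
{
    // Cache holding the process's default credentials for NTLM only, so a
    // lookup for any other scheme (such as Negotiate) returns null.
    static CredentialCache NtlmOnly(Uri proxyUri)
    {
        var cache = new CredentialCache();
        cache.Add(proxyUri, "NTLM", CredentialCache.DefaultNetworkCredentials);
        return cache;
    }

    // Send one request through the proxy. Returns an empty array when the
    // proxy lets it through, or the Proxy-Authenticate values of a 407.
    static string[] SchemesFrom407(Uri target, IWebProxy proxy)
    {
        var req = WebRequest.Create(target);
        req.Proxy = proxy;
        try
        {
            using (req.GetResponse()) { return new string[0]; }
        }
        catch (WebException ex)
        {
            var resp = ex.Response as HttpWebResponse;
            if (resp == null ||
                resp.StatusCode != HttpStatusCode.ProxyAuthenticationRequired)
                throw; // name resolution, timeout, or a non-407 status
            using (resp)
                return resp.Headers.GetValues("Proxy-Authenticate") ?? new string[0];
        }
    }

    static void Main()
    {
        var proxyUri = new Uri("http://myproxyserver");
        var cache = NtlmOnly(proxyUri);
        // Offline check of the per-scheme credential lookup.
        Console.WriteLine("NTLM entry: " + (cache.GetCredential(proxyUri, "NTLM") != null));
        Console.WriteLine("Negotiate entry: " + (cache.GetCredential(proxyUri, "Negotiate") != null));

        var proxy = new WebProxy(proxyUri, true) { Credentials = cache };
        string[] offered = SchemesFrom407(new Uri("http://www.mywebsite.com/"), proxy);
        Console.WriteLine(offered.Length == 0
            ? "Request passed the proxy."
            : "Still 407; proxy offered: " + string.Join(", ", offered));
    }
}
```

In the thread this swap worked from a console app run by the logged-on user; under ASP.NET impersonation of an IWA-authenticated user it still failed, which is the case Joe attributes to the need for delegation.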
