Using NetworkCredential then a Redirect to the site requiring the credientails

Discussion in 'ASP .Net' started by Jay Douglas, Mar 6, 2004.

  1. Jay Douglas

    Jay Douglas Guest

    Hello all.

    Ever since the latest patch for IE 6 it is impossible to pass the
    username and password to Exchange 2000 (or any site) in the url (i.e.
    http://username:) ... so I've possibly
    came up with a solution (which I'm sure is thought of and implemented
    already) Please review my strategy and offer any suggestions / solutions:

    - A user is logged into an asp.net / c# website with the same user name and
    password for the domain / exchange server
    - To prevent a duplicate login, I used to pass the username and password in
    the url (as detailed above), this no longer works
    - I would have a simple link with the user name and password in the url
    that would automatically log the user in
    - I was hoping that somehow, with a combination of a WebRequest /
    NetworkCredential I could log the user in behind the scenes and redirect
    them to the proper location to the OWA inbox for the particular user without
    needing to log them in twice.

    I'm having a struggle locating the proper information to achieve this goal.

    Any and all input is appreciated.

    Thanks in advance.

    --
    Jay Douglas
    Fort Collins, CO
    Jay Douglas, Mar 6, 2004
    #1
    1. Advertising

  2. Jay Douglas

    Joe Fallon Guest

    I thought MS "reversed" that in a followup patch!
    It broke too many things.

    There is a registry hack to undo it to.
    --
    Joe Fallon



    "Jay Douglas" <> wrote in
    message news:...
    > Hello all.
    >
    > Ever since the latest patch for IE 6 it is impossible to pass the
    > username and password to Exchange 2000 (or any site) in the url (i.e.
    > http://username:) ... so I've possibly
    > came up with a solution (which I'm sure is thought of and implemented
    > already) Please review my strategy and offer any suggestions / solutions:
    >
    > - A user is logged into an asp.net / c# website with the same user name

    and
    > password for the domain / exchange server
    > - To prevent a duplicate login, I used to pass the username and password

    in
    > the url (as detailed above), this no longer works
    > - I would have a simple link with the user name and password in the url
    > that would automatically log the user in
    > - I was hoping that somehow, with a combination of a WebRequest /
    > NetworkCredential I could log the user in behind the scenes and redirect
    > them to the proper location to the OWA inbox for the particular user

    without
    > needing to log them in twice.
    >
    > I'm having a struggle locating the proper information to achieve this

    goal.
    >
    > Any and all input is appreciated.
    >
    > Thanks in advance.
    >
    > --
    > Jay Douglas
    > Fort Collins, CO
    >
    >
    >
    >
    Joe Fallon, Mar 6, 2004
    #2
    1. Advertising

  3. No, it has not and will not be reversed.

    There is a registry patch to turn the behavior off if you'd like.


    --
    Thanks,

    Eric Lawrence
    Program Manager
    Assistance and Worldwide Services

    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Joe Fallon" <> wrote in message
    news:...
    > I thought MS "reversed" that in a followup patch!
    > It broke too many things.
    >
    > There is a registry hack to undo it to.
    > --
    > Joe Fallon
    >
    >
    >
    > "Jay Douglas" <> wrote in
    > message news:...
    > > Hello all.
    > >
    > > Ever since the latest patch for IE 6 it is impossible to pass the
    > > username and password to Exchange 2000 (or any site) in the url (i.e.
    > > http://username:) ... so I've

    possibly
    > > came up with a solution (which I'm sure is thought of and implemented
    > > already) Please review my strategy and offer any suggestions /

    solutions:
    > >
    > > - A user is logged into an asp.net / c# website with the same user name

    > and
    > > password for the domain / exchange server
    > > - To prevent a duplicate login, I used to pass the username and

    password
    > in
    > > the url (as detailed above), this no longer works
    > > - I would have a simple link with the user name and password in the url
    > > that would automatically log the user in
    > > - I was hoping that somehow, with a combination of a WebRequest /
    > > NetworkCredential I could log the user in behind the scenes and redirect
    > > them to the proper location to the OWA inbox for the particular user

    > without
    > > needing to log them in twice.
    > >
    > > I'm having a struggle locating the proper information to achieve this

    > goal.
    > >
    > > Any and all input is appreciated.
    > >
    > > Thanks in advance.
    > >
    > > --
    > > Jay Douglas
    > > Fort Collins, CO
    > >
    > >
    > >
    > >

    >
    >
    Eric Lawrence [MSFT], Mar 6, 2004
    #3
  4. > Ever since the latest patch for IE 6 it is impossible to pass the
    > username and password to Exchange 2000 (or any site) in the url (i.e.
    > http://username:) ... so I've possibly
    > came up with a solution (which I'm sure is thought of and implemented
    > already) Please review my strategy and offer any suggestions / solutions:


    Hopefully, the setup wasn't ~really~ broadcasting your unencrypted username
    and password to the world at large without any protection?

    > - I was hoping that somehow, with a combination of a WebRequest /
    > NetworkCredential I could log the user in behind the scenes and redirect
    > them to the proper location to the OWA inbox for the particular user

    without
    > needing to log them in twice.


    I don't think this will work. Arguably, if you wanted to get really fancy,
    you could create a C# Proxy which passed all requests and responses between
    the client and the server and added the authentication information to the
    headers on every transaction-- but this would get insanely complicated and
    would be very fragile.

    If you'd like to reverse the effects of this security update, there's a
    well-documented registry key to turn it off. However, I must caution you
    that the approaches you've described are very much vulnerable to even the
    most inept of hackers.

    Thanks,

    Eric Lawrence
    Program Manager
    Assistance and Worldwide Services

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Eric Lawrence [MSFT], Mar 6, 2004
    #4
  5. Jay Douglas

    Jay Douglas Guest

    Eric, Thanks for your response....

    > Hopefully, the setup wasn't ~really~ broadcasting your unencrypted

    username
    > and password to the world at large without any protection?


    Yes I was, as a temporary solution. The latest I.E. patch was almost a
    blessing in disguise.. I'm now in a position where I can tell the customer
    they need to budget for an additional component.

    > If you'd like to reverse the effects of this security update, there's a
    > well-documented registry key to turn it off. However, I must caution you
    > that the approaches you've described are very much vulnerable to even the
    > most inept of hackers.


    Changing the registry key is not an option. This functionality needs to be
    accessed from a lot of PCs, some of which I have no control over the
    registry.

    > I don't think this will work. Arguably, if you wanted to get really

    fancy,
    > you could create a C# Proxy which passed all requests and responses

    between
    > the client and the server and added the authentication information to the
    > headers on every transaction-- but this would get insanely complicated and
    > would be very fragile.


    Is there a middle ground? I was hoping I could use C# to start the request,
    pass the user information, and then pass the control over to the users
    browser. I don't really want to write an application that acts as an
    intermediary for all of this communication. It would be a bandwidth
    nightmare, and like you said, flakey.

    Possibly some more suggestions may help.

    Thanks a ton.


    --
    Jay Douglas
    Fort Collins, CO



    "Eric Lawrence [MSFT]" <> wrote in message
    news:...
    > > Ever since the latest patch for IE 6 it is impossible to pass the
    > > username and password to Exchange 2000 (or any site) in the url (i.e.
    > > http://username:) ... so I've

    possibly
    > > came up with a solution (which I'm sure is thought of and implemented
    > > already) Please review my strategy and offer any suggestions /

    solutions:
    >
    > Hopefully, the setup wasn't ~really~ broadcasting your unencrypted

    username
    > and password to the world at large without any protection?
    >
    > > - I was hoping that somehow, with a combination of a WebRequest /
    > > NetworkCredential I could log the user in behind the scenes and redirect
    > > them to the proper location to the OWA inbox for the particular user

    > without
    > > needing to log them in twice.

    >
    > I don't think this will work. Arguably, if you wanted to get really

    fancy,
    > you could create a C# Proxy which passed all requests and responses

    between
    > the client and the server and added the authentication information to the
    > headers on every transaction-- but this would get insanely complicated and
    > would be very fragile.
    >
    > If you'd like to reverse the effects of this security update, there's a
    > well-documented registry key to turn it off. However, I must caution you
    > that the approaches you've described are very much vulnerable to even the
    > most inept of hackers.
    >
    > Thanks,
    >
    > Eric Lawrence
    > Program Manager
    > Assistance and Worldwide Services
    >
    > This posting is provided "AS IS" with no warranties, and confers no

    rights.
    >
    >
    Jay Douglas, Mar 6, 2004
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. BradM
    Replies:
    2
    Views:
    701
    BradM
    May 30, 2007
  2. wgo
    Replies:
    0
    Views:
    184
  3. Carlton858

    using System.Net.NetworkCredential class

    Carlton858, May 18, 2004, in forum: ASP .Net Security
    Replies:
    7
    Views:
    423
    Carlton Nettleton
    May 25, 2004
  4. Patrick Fogarty

    Authentication not working on HTTP-POST using NetworkCredential

    Patrick Fogarty, Aug 25, 2003, in forum: ASP .Net Web Services
    Replies:
    2
    Views:
    241
    Feroze [MSFT]
    Aug 27, 2003
  5. Replies:
    0
    Views:
    273
Loading...

Share This Page