Impersonation with NTLM

  • Thread starter Thomas Mueller-Lynch

Thomas Mueller-Lynch

I want to use impersonation within a second thread of an httpwebrequest.
While configuring IIS with basic authentication everything works fine.
Changing to Integrated Windows Authentication the thread (which should return a secure web-page) returns the HTTP status code 401.

My web.config looks like:
.....
<identity impersonate="true"/><authentication mode="Windows" />
.....


My test page looks like:

Dim url As String = "https://server/secure/index.html"
Dim Req As HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)

Req.Method = "GET"
Req.ContentType = "application/x-www-form-urlencoded;charset=iso-8859-1"
Req.PreAuthenticate = True

If Request.ServerVariables("AUTH_TYPE") = "Basic" Then
    Req.Credentials = New System.Net.NetworkCredential(Request.ServerVariables("AUTH_USER"), Request.ServerVariables("AUTH_PASSWORD"))
Else
    Req.Credentials = CredentialCache.DefaultCredentials
    ' Should impersonate the user in case of NTLM, shouldn't it???
End If

Dim Resp As HttpWebResponse = DirectCast(Req.GetResponse(), HttpWebResponse)
Dim Reader As StreamReader
Dim strLine As String

Reader = New StreamReader(Resp.GetResponseStream())

While Reader.Peek() > -1
    strLine = Reader.ReadLine()
    Trace.Write(strLine)
End While

Reader.Close()
Resp.Close()

The included thread should impersonate the logged-on user (NTLM or Basic).

What did I do wrong?

Thomas
 

Paul Glavich

At a guess, you are trying to do a "double hop" in that you have used
Windows auth/NTLM to log on to your web app, then that same security token to
go to another web site on another machine. Using NTLM, you cannot
impersonate a user, then use that impersonation to authenticate to another
machine (this is the double hop). Basic works because the credentials are
propagated in clear text as part of the HTTP header. NTLM uses a security
token and cannot propagate the same token and be valid.

Kerberos can do it, but you still need to mark the user account as
"Delegateable". (Win2000+)
--
- Paul Glavich


Thomas Mueller-Lynch said:
I want to use impersonation within a second thread of an httpwebrequest.
While configuring IIS with basic authentication everything works fine.
Changing to Integrated Windows Authentication the thread (which should
return a secure web-page) returns the HTTP status code 401.
 

Paul Glavich

It may still be suffering the "double hop" syndrome if it thinks that the
page you are trying to access (even though it's on the same machine) is on
another machine. When you specify the "host" part of the URL, is it as you
specified below (i.e. https://server/....) or does it contain periods (e.g.
https://my.server/...)?

Also, try it without using SSL (i.e. http://server/....) to see what happens.
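
An added example, not part of the original thread: a small Python check that decodes the Authorization header a browser sent on the first hop and reports whether it carried Basic, NTLM or Kerberos, which per the replies above decides whether a second hop can work. The function names and the sample headers are constructed for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
# DER encoding of the Kerberos 5 GSS-API mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_authorization(header_value):
    """Return (scheme, mechanism) for one HTTP Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return scheme, "cleartext"
    if scheme not in ("ntlm", "negotiate"):
        return scheme, "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "malformed"
    if token.startswith(NTLMSSP) and len(token) >= 12:
        msg_type = int.from_bytes(token[8:12], "little")
        return scheme, "ntlm-" + NTLM_TYPES.get(msg_type, "unknown")
    if NTLMSSP in token:  # NTLM carried inside an SPNEGO wrapper
        return scheme, "ntlm-in-spnego"
    if token[:1] == b"\x60" and KRB5_OID in token:
        return scheme, "kerberos"
    return scheme, "unknown"

def second_hop(header_value):
    """Map the first-hop mechanism to what the replies say about a second hop."""
    mech = classify_authorization(header_value)[1]
    if mech == "cleartext":
        return "possible"          # Basic: the server received the password itself
    if mech.startswith("ntlm"):
        return "not possible"      # the double hop described in the thread
    if mech == "kerberos":
        return "needs delegation"  # per the thread: Kerberos plus delegation enabled
    return "undetermined"

# Constructed sample headers (not captured traffic); the Kerberos one is only
# the first bytes of a GSS-API token, enough to carry the mechanism OID.
SAMPLES = {
    "basic": "Basic dXNlcjpwYXNz",
    "ntlm": "NTLM " + base64.b64encode(NTLMSSP + (1).to_bytes(4, "little") + bytes(4)).decode(),
    "kerberos": "Negotiate " + base64.b64encode(b"\x60\x0d" + KRB5_OID + b"\x01\x00").decode(),
}
if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify_authorization(value), second_hop(value))
```

A "Negotiate" header that decodes to an NTLM message means the browser fell back to NTLM, so the outgoing request with DefaultCredentials hits the same double-hop limit.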
 
