Using Windows Integrated authentication in the ASP.NET application, this can
be done if you use impersonation in the ASP.NET app and enable Kerberos
delegation. Kerberos delegation allows the token that IIS generates on the
ASP.NET box to hop to the machine on the web services box.
There are a bunch of references to Kerberos delegation in the MS Knowledge
Base. Kerberos can be tricky, so I suggest you read up on it.
Also, if you use Basic Authentication in the ASP.NET application, it is
trivially easy to get the user's username and password directly from the
request headers or server variables and pass those directly to your proxy
class.
HTH,
Joe K.
> Hello,
> I have an ASP.NET web-application using Windows Based authentication
[quoted text clipped - 16 lines]
>
> Help! Thanks
Sean Dowling - 30 Jun 2004 14:22 GMT
Hi,
Thanks for the insight... I will look into Kerberos. I was sort of
hoping for something where I could construct the credentials based on
the Security Principal but I guess that's not possible.
Just so I understand - when you're talking about getting the username
and password from Basic authentication, are you referring to base64
decoding the Authorization header? I did try that and just got back a
small string that wasn't the username or password. I think I may have
had it configured incorrectly because the word "basic" wasn't in there
anywhere which I believe it is supposed to be...
Thanks again,
Sean
> Using Windows Integrated authentication in the ASP.NET application, this can
> be done if you use impersonation in the ASP.NET app and enable Kerberos
[quoted text clipped - 12 lines]
>
> Joe K.
Joe Kaplan (MVP - ADSI) - 30 Jun 2004 14:56 GMT
Yes, for Basic auth, the authorization header will contain a string like:
Basic dXNlcjpwYXNzd29yZA==
The string after "Basic" is the Base64 encoded credentials in the form
user:password. That is the easiest way to get the user's password to create
a network credential.
If you had the string "Negotiate" in there, you were using Integrated auth
which uses NTLM or Kerberos. In that protocol, there is no plain-text
password for you to recover (which is why you can use that protocol safely
without SSL!).
You can definitely get the Default Credentials thing to work as well using
impersonation, but you will likely need Delegation in that scenario (thus
Kerberos) in order for those credentials to work on a different machine on
the network.
Joe K.
> Hi,
> Thanks for the insight... I will look into Kerberos. I was sort of
[quoted text clipped - 26 lines]
> >
> > Joe K.
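
The header handling discussed in this thread, as an added example that is not part of the original posts: it decodes a Basic header into a `NetworkCredential` and returns null for Negotiate, where the header holds no password. The class and method names are hypothetical, and UTF-8 encoding of the `user:password` pair is an assumption.

```csharp
using System;
using System.Net;
using System.Text;

static class AuthHeaderDemo
{
    // Hypothetical helper: builds a NetworkCredential from a Basic header.
    // Returns null when no password can be recovered from the header.
    public static NetworkCredential FromAuthorizationHeader(string header)
    {
        if (string.IsNullOrWhiteSpace(header)) return null;
        header = header.Trim();
        int space = header.IndexOf(' ');
        if (space < 0) return null;
        string scheme = header.Substring(0, space);
        string token = header.Substring(space + 1).Trim();

        // Negotiate/NTLM tokens are protocol messages; there is no password in them.
        if (!scheme.Equals("Basic", StringComparison.OrdinalIgnoreCase)) return null;

        byte[] raw;
        try { raw = Convert.FromBase64String(token); }
        catch (FormatException) { return null; }

        // Assumption: the client encoded user:password as UTF-8.
        string pair = Encoding.UTF8.GetString(raw);
        int colon = pair.IndexOf(':');          // split on the first colon only;
        if (colon < 0) return null;             // the password may contain ':'
        string user = pair.Substring(0, colon);
        string password = pair.Substring(colon + 1);

        // DOMAIN\user logons carry the domain in the user part.
        int slash = user.IndexOf('\\');
        return slash < 0
            ? new NetworkCredential(user, password)
            : new NetworkCredential(user.Substring(slash + 1), password, user.Substring(0, slash));
    }

    static void Main()
    {
        // First header is the one from the thread; the others are constructed samples.
        string[] samples = { "Basic dXNlcjpwYXNzd29yZA==", "Negotiate TlRMTVNTUAAB", "Basic %%%" };
        foreach (string h in samples)
        {
            NetworkCredential c = FromAuthorizationHeader(h);
            Console.WriteLine(c == null ? h + " -> no credential" : h + " -> user=" + c.UserName);
        }
    }
}
```

In an ASP.NET page the header value would come from `Request.Headers["Authorization"]`, and a non-null result can be assigned to the web service proxy's `Credentials` property.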