End-to-end Kerberos Delegated Authentication In .NET?
Jun 3, 2010
I'm trying to setup an internal website that will contact another backend service within the network on behalf of the user using a HttpWebRequest.I have to use Integrated Windows Authentication on the ASP.NET application as the backend system only supports this type of authentication.
I'm able to setup IWA on the ASP.NET application, and it's using kerberos as I expect it to. However when the authentication is delegated to the backend system it doesn't work anymore. This is because the backend system only supports kerberos IWA, but the delegation for some reason - even though the incoming request is kerberos authenticated - converts the authentication to NTLM before forwaring to the backend system.
what I need to do on the ASP.NET application in order to allow it to forward the identity using kerberos?I've tried the following but it doesn't seem to work
CredentialCache credentialCache = new CredentialCache();
credentialCache.Add(request.RequestUri, "Negotiate", CredentialCache.DefaultCredentials.GetCredential(request.RequestUri, "Kerberos"));
request.Credentials = credentialCache;
I've also tried to set "Kerberos" where it now says "Negotiate", but it doesn't seem to do much.
View 1 Replies
Similar Messages:
Sep 14, 2010
I am trying to connect to a web service that uses Kerberos Authentication to authorize the user, but all I get is a 401 unauthorized everytime I try to make the request. Below is the code that I am using.
public XPathNavigator GSASearch(string url, string searchString)
{
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + searchString);
request.CookieContainer = new CookieContainer();
request.Credentials = CredentialCache.DefaultCredentials;
request.ContentType = "text/xml";
request.Method = "POST";
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream receiveStream = response.GetResponseStream();
XPathDocument doc = new XPathDocument(receiveStream);
return doc.CreateNavigator();
}
EDIT: I feel I should explain a bit more what I am attempting to do. I have been tasked with providing a new interface for my company's Google Search Appliance. I am using an ASP.NET page, which does some things like choose a Collection depending on where a user is located, etc. and then sends the appropriate search string the the GSA. This was all working well until they decided to turn authentication on, and now I can't get any results (I either get a 401 unauthorized, or a message stating that 'Data at the root level is invalid'). If I take the search string and provide it directly to the GSA, it authenticates fine, and displays the results, I just can't seem to get it through the HttpWebRequest.
EDIT 2: I did a little more looking (ran the request through Fiddler) and it looks like the request is only attempting Negotiate and not Kerberos. I set the credentials to use Kerberos explicitly as below, but it didn't help...
public XPathNavigator GSASearch(string url, string searchString)
{
CredentialCache credCache = new CredentialCache();
credCache.Add(new Uri(url), "Kerberos", CredentialCache.DefaultNetworkCredentials);
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + searchString);
request.CookieContainer = new CookieContainer();
request.PreAuthenticate = true;
request.Credentials = credCache;
request.ContentType = "text/xml";
request.Method = "POST";
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream receiveStream = response.GetResponseStream();
//StreamReader readStream = new StreamReader(receiveStream);
XPathDocument doc = new XPathDocument(receiveStream);
return doc.CreateNavigator();
}
EDIT 3: Ok, looking closer again, the CredentialCache.DefaultCredentials doesn't appear to have my network credentials in it...
View 1 Replies
Sep 15, 2010
I am using Kerberos as the Authentication mode for a WCF Client to interact with an ASMX Web Service. I am using customBinding in the WCF Client. I am getting the below mentioned Fault Exception when I invoke the HelloWorld Method by creating a Proxy using SVCUTIL.
`System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE841: An error occured processing an outgoing fault response. ---> System.Web.Services.Protocols.SoapException:
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.InvalidOperationException: WSE914: This instance of derived key token does not support encryption, decryption, or key wrapping. It can only be used to sign or verify signature. Please make sure that the length of the derived key matches the length of the key required by the symmetric encryption algorithm configured for the derived key token manager.
at Microsoft.Web.Services3.Security.Tokens.DerivedKeyToken.Psha1SymmetricKeyAlgorithm.get_EncryptionFormatter()
at Microsoft.Web.Services3.Security.EncryptedData.ResolveDecryptionKey(String algorithmUri, KeyInfo keyInfo)
at Microsoft.Web.Services3.Security.EncryptedData.Decrypt(XmlElement encryptedElement)
I am badly struck with this exception and unable to progress further.
View 2 Replies
May 13, 2010
I have a Web App server (WAS) and a database server (DBS). I need to know how to configure both servers, changes to make in the web.config, and any changes to the database needed to allow Windows Authentication from WAS to DBS. I know Kerberos needs to be setup and I know SPNs will need to be created, but I am not sure what all needs to be done.
View 1 Replies
May 7, 2010
how to implement kerberos authentication in asp.net. Pros & Cons of this authentication process.
View 1 Replies
Jan 15, 2010
I have a web application using Kerberos to access an external resource useing ASP.NET 3.5 and IIS.
When a user connects with the application, Kerberos authentication auto-magically allows me to connect to external resources acting as the user using delegation. This was not easy to do. It is nice, but I've a problem. Sometimes I need to connect to an external resource using an account with more rights than the user. The service account which the app-pool is running under has the addition rights I need. How can I remove the user's Kerberos identification and connect with Kerberos using the service account running the application pool?
UPDATE
I'm not sure why I am getting no responses at all. I've never seen that before. post questions, they may clarify the problem (to me too).
View 1 Replies
Sep 17, 2010
Just going to start making a web application and was wondering which was better, or at least what are the main differences between them (as it probably matters what I am using them for)?
View 3 Replies
Jan 8, 2010
I have just installed SQL Server 2005. I selected windows mode authentication. I am not able to login in management studion. Now, I want to use mixed and server authentication option inplace of windows authentication. so, would that be possible after installation.
View 2 Replies
Jul 14, 2010
This could be very straight forward for some of you, but I got caught up. I am doing very simple test - browsing from IIS Manager to see the default page or "under Construction", however I am being challenged to provide my login credential . When I provide my login credential, I am able to see the default page. I wanted to see the default page without providing my credential since Enable anoymous access + basic authentication I am simply wanted to see the default page asit is working on other servers except this one. I have included screen print to make sure may question is clear.
View 3 Replies
Jan 4, 2011
What's the difference between Basic Authentication and Integrated Windows Authentication in IIS?
View 3 Replies
Mar 10, 2010
I set authentication mode to Windows in the web.config and I enable Windows Authentication and disable the Anonymous Authentication in IIS 7 on win 7, but HttpContext.Current.User is always null.It works fine when I host the web app in IIS 6.0.
View 1 Replies
Apr 15, 2010
'm using the AutoCompleteExtender from the AJAX control toolkit on my aspx page - I have it wired up to a WCF service that is returning a string array and everything works happily.
If I change my service definition to include a demand for the caller to be authenticated, like so:
<OperationContract(), PrincipalPermission(SecurityAction.Demand, Authenticated:=True)> _Public Function GetLookupValues(ByVal prefixText As String, ByVal count As Integer, ByVal contextKey As String) As String()
Then the autocomplete extender stops working, and I get an authentication error in the service. The service is set up to use ASPNetCompatibility mode, and I was hoping that the extender would pass the authentication credentials for my logged in user - does anyone know how to make this work?
View 2 Replies
Sep 3, 2010
What do I need to do in order to change an application from Forms Authentication to windows authentication?
View 2 Replies
Feb 8, 2011
I have a database which has form authentication tables for an website [let say website A], now I have attached a new website [Website B] to the same database, in this website [Website B] also I have to provide login/authentication which would be separate from the website A authentication system. So I want to have separate table for the users of new website. Specification:
[code]....
will there be any open source membership provider like we have .NET membership provider [form authentication].
View 2 Replies
Aug 9, 2010
I have a web farm web project, and want to make sure windows authentication is working well without any problem in web farm, can any one give me some web sites or information about that?
View 1 Replies
Feb 8, 2010
Am going to develop authentication part in the web site. I want my authentication module should not be hacked by any one and also want in secure side.
View 1 Replies
Sep 2, 2010
I needed information regarding the capabilities & integration of AzMan tool with Asp.net.Currently, I got a Sharepoint 2007 website along with ASP.NET 2008 where I am using Form Based Authenication.Now, the requirement is any user within a domain registered in AD should be able to login in website through intranet.
Can I acheive this using AzMan, or I need to create two websites one with FBA for internet users and the other one for the intranet users with AD authenication. Also my intenet website is deployed and in use where usermapping and roles are already created, so using this tool what will be the impact on existing webiste.
View 2 Replies
Mar 29, 2011
I have a web application (intranet based) which uses Windows Authentication. Unfortunately there are public computers that have public logins at some company locations. My web app doesn't support these public logins because I need to know the user workingSo, even though these public users are windows authentication users, my app will fail because I have no user account setup for that particular account. I want to then try Active Directory Authentication.In my Default.aspx.cs I'd have something like this
protected void Page_Load(object sender, EventArgs e)
{try
userContext = new UserContext(); // If the authenticated user isn't a user in my system then throw an exception
}
[code]...
View 2 Replies
Jun 3, 2010
I have developed the authenticated rss feed using the basic http authentication for my site.I also have the admin module for the site which uses the Asp.net Forms Authentication .Both are in the same project.When i turn on the forms authentication module to None in my web.config.My rss feed authentication works fine(the browser pop up the dialog box for the username and password) and upon entering the username and password the rss feed gets displayed.But with forms authentication turn on when i click the rss feed link i am getting redirected to the administrator login page.
If i set my authentication mode to none than the feed works like dream but the admin module do not work as it uses forms authentication.
How can i resolve the conflict for that one.I am using the asp.net mvc filter on my feed contoller to pop up the dialog box for the username and password.
[Code]....
View 1 Replies
Sep 15, 2010
I've been asked to convert an asp.net application from forms authentication with roles using the aspnetdb database to use windows authentication instead.
what is required to do this? can I still use the roles defined in the app and stored in aspnetdb?
View 1 Replies
Feb 12, 2010
I have an (ASP.NET 3.5) intranet application which has been designed to use forms authentication (along with the default aspnet membership system). I also store additional information about users in another table which shares its primary key with the aspnet_users table.
For users who are part of our domain I store their domain account name in the secondary users table, and I want to automatically log in users whose domain account name matches a name stored in the table.
I have read the guides which are available - they're all from two years ago or more and assume that you are able to activate Windows Authentication on a separate login page that allows you to extract the domain account name. From what I can tell, though, this is not possible in IIS7 (the overall authentication method is applied on all pages and cannot be selectively deactivated, and both authentication methods can't be applied on the same page).
Is there a way of getting IIS to pass through the windows domain account name of the requesting user? I don't need proper AD authentication, just the domain name.
View 6 Replies
Aug 19, 2010
We have a non-SSL ASP.NET web app that allows a user to login (ASP forms authentication, inproc).
Once authenticated, we redirect their browser to an external, SSL secured page on another web site / domain altogether that we do not control.
The client is redirected back to a pre-configured url on our original http web app when done.
However, the customer is then asked to "re-login" again on our side which is undesired...
It seems the forms authentication cookie is destroyed when transitioning between HTTP and HTTPS and back again.
How can I keep the forms authentication cookie alive so that the customer does not have to re-authenticate on the round trip?
View 2 Replies
Feb 16, 2011
I'm developing an internal booking sytem. Users log in to the sytem and can view existing bookings and search for bookings. They can also create new or edit existing bookings. When completing such actions I need a confirmation prior to completing the booking or updating the recorded. The confirmation is based on a reauthentication of the user.... in otherwords he needs to enter his passord again.
How can I achieve this? The system is internam and I'm using Forms Authentication. I an also using roles as som of the admin forms can only be viewed by administrators.
View 1 Replies
Apr 26, 2010
Is it possible to disable windows authentication on one or more subfolders of an ASP.net application using windows authentication?
For example:
A website contains several other folders that contain parts of the overall application: /frontend,/backend, /login
The bin folder is on the same level as these subfolder, i.e. the root of the website.
All of these subfolders contain pages that use binaries that reside in the bin folder of the root of the website.
The user must input windows credentials when visiting a page in the backend folder, but not when visiting a page in the login or frontend folder.
View 2 Replies
Jun 29, 2010
The webapp I am trying to deploy will have the IIS running on the same server as database.I have been assigned a domain account and have been asked to connect to the database using this account.I am not sure how to go about making the connection. I cannot enable impersonation as I need to mention the username and password and it will be security concern, also I need to give write permission onC:WINNTMicrosoft.NETFrameworkv2.0.50727Temporary ASP.NET Files (which is not allowed)The Webserver and SQL server runs with system account.Can you please let me know how to establish connectivity to the server using the domain account without mentioning the password anywhere.
View 1 Replies
