How To "un-impersonate" (un-delegate?) In Kerberos
Jan 15, 2010
I have a web application using Kerberos to access an external resource useing ASP.NET 3.5 and IIS.
When a user connects with the application, Kerberos authentication auto-magically allows me to connect to external resources acting as the user using delegation. This was not easy to do. It is nice, but I've a problem. Sometimes I need to connect to an external resource using an account with more rights than the user. The service account which the app-pool is running under has the addition rights I need. How can I remove the user's Kerberos identification and connect with Kerberos using the service account running the application pool?
UPDATE
I'm not sure why I am getting no responses at all. I've never seen that before. post questions, they may clarify the problem (to me too).
I am trying to connect to a web service that uses Kerberos Authentication to authorize the user, but all I get is a 401 unauthorized everytime I try to make the request. Below is the code that I am using.
EDIT: I feel I should explain a bit more what I am attempting to do. I have been tasked with providing a new interface for my company's Google Search Appliance. I am using an ASP.NET page, which does some things like choose a Collection depending on where a user is located, etc. and then sends the appropriate search string the the GSA. This was all working well until they decided to turn authentication on, and now I can't get any results (I either get a 401 unauthorized, or a message stating that 'Data at the root level is invalid'). If I take the search string and provide it directly to the GSA, it authenticates fine, and displays the results, I just can't seem to get it through the HttpWebRequest.
EDIT 2: I did a little more looking (ran the request through Fiddler) and it looks like the request is only attempting Negotiate and not Kerberos. I set the credentials to use Kerberos explicitly as below, but it didn't help...
I'm trying to setup an internal website that will contact another backend service within the network on behalf of the user using a HttpWebRequest.I have to use Integrated Windows Authentication on the ASP.NET application as the backend system only supports this type of authentication.
I'm able to setup IWA on the ASP.NET application, and it's using kerberos as I expect it to. However when the authentication is delegated to the backend system it doesn't work anymore. This is because the backend system only supports kerberos IWA, but the delegation for some reason - even though the incoming request is kerberos authenticated - converts the authentication to NTLM before forwaring to the backend system.
what I need to do on the ASP.NET application in order to allow it to forward the identity using kerberos?I've tried the following but it doesn't seem to work
I am using Kerberos as the Authentication mode for a WCF Client to interact with an ASMX Web Service. I am using customBinding in the WCF Client. I am getting the below mentioned Fault Exception when I invoke the HelloWorld Method by creating a Proxy using SVCUTIL.
`System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE841: An error occured processing an outgoing fault response. ---> System.Web.Services.Protocols.SoapException:
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.InvalidOperationException: WSE914: This instance of derived key token does not support encryption, decryption, or key wrapping. It can only be used to sign or verify signature. Please make sure that the length of the derived key matches the length of the key required by the symmetric encryption algorithm configured for the derived key token manager.
at Microsoft.Web.Services3.Security.Tokens.DerivedKeyToken.Psha1SymmetricKeyAlgorithm.get_EncryptionFormatter() at Microsoft.Web.Services3.Security.EncryptedData.ResolveDecryptionKey(String algorithmUri, KeyInfo keyInfo) at Microsoft.Web.Services3.Security.EncryptedData.Decrypt(XmlElement encryptedElement)
I am badly struck with this exception and unable to progress further.
I have a Web App server (WAS) and a database server (DBS). I need to know how to configure both servers, changes to make in the web.config, and any changes to the database needed to allow Windows Authentication from WAS to DBS. I know Kerberos needs to be setup and I know SPNs will need to be created, but I am not sure what all needs to be done.
I'm working on an ASP.net app and i'm trying to impersonate a user
I'm creating a windowsIdentity with a token
WindowsIdentity winId = new WindowsIdenty( token );
this token was got by calling the un managed code
[DllImport("advapi32.dll")] public static extern int LogonUserA(String lpszUserName, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
is there any other way to get a token without using this advapi32.dll unmanaged code?
I'm using WCF services ensuring that UserName/Password must be provided for each request. I need use same service from many clients, but I need impersonate the call to access the appropriate resources for each client. When I call the service directly from the client there is no problem, because I use for each client a pair UserName/Password defined in theirs web.config. The problem came when I need to call a second Web service from a call to the first-one using the same identity. This second Web service requires UserName/Password, but I only know who is the caller (UserName) but not the password.
How I can impersonate this second call without knowing the password for the corresponding username?
EDIT: The app (Web App and Services) is running in a shared hosting environment where I can't use Windows Authentication to configure Kerberos for Delegation. I have defined a UserNameValidator to process on each call the pair UserName/Password against a custom SQLServer database. Moreover, the intended customers of this app will use it from Internet, without requiring a windows account, that is because I need a more flexible, SQL-based, authentication schema.
I'm using IIS Express to host my website, and I would like to do something similar to Directory Security in IIS 6. In IIS 6, I was able to go to the Directory Security tab and allow the anonymous user to be a local windows account.
Is there something equivalent in IIS Express for that? What changes do I need to make in applicationhost.config?
I know how to impersonate a user for the entire site but how best to impersonate for a block of code; WindowsImpersonationContext or NetworkCredential?
Im deploying my website onto my new server (windows 2003) from my local pc (windows 7) and my local homeserver (windows 2008) and have run in to a issue.
I have a process that starts up with the below code. It is passed a video file which gets converted.
System.Diagnostics.ProcessStartInfo StartInfo = new System.Diagnostics.ProcessStartInfo(Command, Parameters);
Them problem I have is on my new windows 2003 server it fails to work. No error or anything. Looking at the server and its taskmgr.exe I see the Process start but nothing happens.
Looking into it, everyone seems to say I need to have impersonate="true" in the webconfig which I do have, I currently have it set to the Administrator account which I use to log into remote desktop (I assume this is fine???)
I have big trouble with impersonate IIS and SQL 2008 . I connect to the iis where I set the ASP.NET Impersonate and I want connect to the sql server with user credetionals . And there is trouble . SQL server run in the win 2008R2 cluster . I try set delegation in the Active directory on the cluster server and in the cluster application .Not work. Connect to the SQL server with anonymous user.
I have a webpage stored on a local server (Site A) which when I browse to it is given my windows account details, this site then checks within AD to get my email address. My email address is then passed to another website (Site B) and consumed. The Website A is set in IIS to Integrated Windows Auth Only, WebSite A has
<identity impersonate="false"/>
set in the web.config What I dont understand is what user is accessing AD from site A - with impersonate = false that is telling the site not impersonate the windows user, but this seems at odds with the setting in IIS.
I have a ASP.Net website that interacts with Dynamic CRM. It's also uses a local ASPNETDB.MDF for forms authentication. For the CRM I need to impersonate the identity created on the domain for this purpose. When identity impersonate is enabled I no longer have access to the local Membership Database. How can I allow the domain user used for the impersonation access to the membership database?
I am trying to translate or convert C# code that a friend gave me. I have limited C# knowledge but was going along OK until I hit the following code that includes a delegate. I cannot figure out how to get the equivalent functionality in VB.NET. I'm using .NET 2.0 and VS2005.
public bool TryGetRedirectMatch(UrlContext url, out RedirectMatch match) { if (url.Path.StartsWith("/product.aspx", StringComparison.InvariantCultureIgnoreCase))[code]....
I have a requirement I should connect to MS SQL server under IIS Application pool account from ASP.NET application where Windows Authentication is enabled. I cannot use user name and password in connection string.
ASP.NET application should use Entity Framework 4.0 to work with data.
I am working with .net 3.5 and making application in asp.net. I show some application which is make in C# in Windows form where i see following code in class level declaration
[Code].... and following code in form load
[Code]....
and following code in some event
[Code]....
Now my problem is I am making application in asp.net code behind VB.net where I cannot how to apply all this in my application. I more confuse with Delegate and BeginInvoke. I read somewhere that to use BeginInvoke in VB you should use Ajax.
I have an MVC 2.0 environment in a S#arp layout, everything works great, and I have Intellisense working in my aspx file (for things like HTML helpers and Model properties) As soon as I add the line:
[Code]....
To my web.config, I lose Intellisense on my aspx files! Does anyone have any idea of why this is happening? Or have any experience with this?
In my code behind on a button click event I want to set the text of a label to inform the user where in the process we are. How do I create a delegate to allow the label to get updated
I am using ASP .NET and C#, and using the code-behind-pages concept.I am trying to implement a business delegate pattern in ASP .NET to reduce coupling between the presentation and business tiers.I want to have several ASP pages send information (through asp buttons clicks) to a "business delegate" ASP page, which will in turn send the necessary information to a C# method.The problem is that each button_click event in ASP .NET is directly tied to a C# method. I am having trouble understanding how to separate the presentation and business logic because of that.
I am trying to get this to bind to a gridview, without any luck. I would like each asynctask to ultimately return seperate datasets, but for now I can deal with the same one being returned.
I am using c# and socket programming to create a web application. Anyone knows how to declare a useable delegate or using another method to invoke or call a method such that my codes will not have error? I am stuck for at least a week!