How To "un-impersonate" (un-delegate?) In Kerberos

Jan 15, 2010

I have a web application using Kerberos to access an external resource using ASP.NET 3.5 and IIS.

When a user connects with the application, Kerberos authentication auto-magically allows me to connect to external resources acting as the user using delegation. This was not easy to do. It is nice, but I've a problem. Sometimes I need to connect to an external resource using an account with more rights than the user. The service account which the app-pool is running under has the additional rights I need. How can I remove the user's Kerberos identification and connect with Kerberos using the service account running the application pool?

I'm not sure why I am getting no responses at all. I've never seen that before. Post questions; they may clarify the problem (to me too).

HttpWebRequest With Kerberos Authentication?

Sep 14, 2010

I am trying to connect to a web service that uses Kerberos Authentication to authorize the user, but all I get is a 401 unauthorized every time I try to make the request. Below is the code that I am using.

public XPathNavigator GSASearch(string url, string searchString)
{
    // Send the search request with the default credentials of the current security context.
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + searchString);
    request.CookieContainer = new CookieContainer();
    request.Credentials = CredentialCache.DefaultCredentials;
    request.ContentType = "text/xml";
    request.Method = "POST";
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();
    Stream receiveStream = response.GetResponseStream();
    XPathDocument doc = new XPathDocument(receiveStream);
    return doc.CreateNavigator();
}

EDIT: I feel I should explain a bit more what I am attempting to do. I have been tasked with providing a new interface for my company's Google Search Appliance. I am using an ASP.NET page, which does some things like choose a Collection depending on where a user is located, etc. and then sends the appropriate search string to the GSA. This was all working well until they decided to turn authentication on, and now I can't get any results (I either get a 401 unauthorized, or a message stating that 'Data at the root level is invalid'). If I take the search string and provide it directly to the GSA, it authenticates fine, and displays the results, I just can't seem to get it through the HttpWebRequest.

EDIT 2: I did a little more looking (ran the request through Fiddler) and it looks like the request is only attempting Negotiate and not Kerberos. I set the credentials to use Kerberos explicitly as below, but it didn't help...

public XPathNavigator GSASearch(string url, string searchString)
{
    // Offer the default network credentials for the Kerberos scheme only.
    CredentialCache credCache = new CredentialCache();
    credCache.Add(new Uri(url), "Kerberos", CredentialCache.DefaultNetworkCredentials);
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + searchString);
    request.CookieContainer = new CookieContainer();
    request.PreAuthenticate = true;
    request.Credentials = credCache;
    request.ContentType = "text/xml";
    request.Method = "POST";
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();
    Stream receiveStream = response.GetResponseStream();
    //StreamReader readStream = new StreamReader(receiveStream);
    XPathDocument doc = new XPathDocument(receiveStream);
    return doc.CreateNavigator();
}

EDIT 3: Ok, looking closer again, the CredentialCache.DefaultCredentials doesn't appear to have my network credentials in it...

End-to-end Kerberos Delegated Authentication In .NET?

Jun 3, 2010

I'm trying to set up an internal website that will contact another backend service within the network on behalf of the user using a HttpWebRequest. I have to use Integrated Windows Authentication on the ASP.NET application as the backend system only supports this type of authentication.

I'm able to set up IWA on the ASP.NET application, and it's using Kerberos as I expect it to. However when the authentication is delegated to the backend system it doesn't work anymore. This is because the backend system only supports Kerberos IWA, but the delegation for some reason - even though the incoming request is Kerberos authenticated - converts the authentication to NTLM before forwarding to the backend system.

What do I need to do on the ASP.NET application in order to allow it to forward the identity using Kerberos? I've tried the following but it doesn't seem to work

CredentialCache credentialCache = new CredentialCache();
credentialCache.Add(request.RequestUri, "Negotiate", CredentialCache.DefaultCredentials.GetCredential(request.RequestUri, "Kerberos"));
request.Credentials = credentialCache;

I've also tried to set "Kerberos" where it now says "Negotiate", but it doesn't seem to do much.

WCF / ASMX :: Kerberos Authentication Custom Binding?

Sep 15, 2010

I am using Kerberos as the Authentication mode for a WCF Client to interact with an ASMX Web Service. I am using customBinding in the WCF Client. I am getting the below mentioned Fault Exception when I invoke the HelloWorld Method by creating a Proxy using SVCUTIL.

System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE841: An error occured processing an outgoing fault response. ---> System.Web.Services.Protocols.SoapException:

System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.InvalidOperationException: WSE914: This instance of derived key token does not support encryption, decryption, or key wrapping. It can only be used to sign or verify signature. Please make sure that the length of the derived key matches the length of the key required by the symmetric encryption algorithm configured for the derived key token manager.

at Microsoft.Web.Services3.Security.Tokens.DerivedKeyToken.Psha1SymmetricKeyAlgorithm.get_EncryptionFormatter()
at Microsoft.Web.Services3.Security.EncryptedData.ResolveDecryptionKey(String algorithmUri, KeyInfo keyInfo)
at Microsoft.Web.Services3.Security.EncryptedData.Decrypt(XmlElement encryptedElement)

I am badly stuck with this exception and unable to progress further.

Security :: Windows Authentication/Kerberos Configuration?

May 13, 2010

I have a Web App server (WAS) and a database server (DBS). I need to know how to configure both servers, changes to make in the web.config, and any changes to the database needed to allow Windows Authentication from WAS to DBS. I know Kerberos needs to be setup and I know SPNs will need to be created, but I am not sure what all needs to be done.

Security :: Implement Kerberos Authentication - Pros & Cons?

May 7, 2010

how to implement kerberos authentication in Pros & Cons of this authentication process.

C# - How To Impersonate Another User

Feb 17, 2010

I'm working on an app and I'm trying to impersonate a user

I'm creating a WindowsIdentity with a token

WindowsIdentity winId = new WindowsIdentity(token);

this token was obtained by calling the unmanaged code

[DllImport("advapi32.dll")]
public static extern int LogonUserA(String lpszUserName,
    String lpszDomain,
    String lpszPassword,
    int dwLogonType,
    int dwLogonProvider,
    ref IntPtr phToken);

Is there any other way to get a token without using this advapi32.dll unmanaged code?

How To Use Hashed Password In Impersonate

May 26, 2010

I have an ASP.NET application that requires impersonation as an administrator user. In web.config:

<identity impersonate="true" userName="administrator" password="password"/>

The customer complained about saving the password in clear text format. Is there a way to save the password here as hashed?

Impersonate User In WCF From Multiple Callers?

Nov 26, 2010

I'm using WCF services ensuring that UserName/Password must be provided for each request. I need to use the same service from many clients, but I need to impersonate the call to access the appropriate resources for each client. When I call the service directly from the client there is no problem, because I use for each client a UserName/Password pair defined in their web.config. The problem came when I need to call a second Web service from a call to the first one using the same identity. This second Web service requires UserName/Password, but I only know who the caller is (UserName) but not the password.

How can I impersonate this second call without knowing the password for the corresponding username?

EDIT: The app (Web App and Services) is running in a shared hosting environment where I can't use Windows Authentication to configure Kerberos for Delegation. I have defined a UserNameValidator to process on each call the pair UserName/Password against a custom SQLServer database. Moreover, the intended customers of this app will use it from Internet, without requiring a windows account, that is because I need a more flexible, SQL-based, authentication schema.

Accessing Active Directory Without Impersonate?

Jul 7, 2010

accessing active directory without impersonate?

IIS Express - Impersonate A Windows Account?

Dec 3, 2010

I'm using IIS Express to host my website, and I would like to do something similar to Directory Security in IIS 6. In IIS 6, I was able to go to the Directory Security tab and allow the anonymous user to be a local windows account.

Is there something equivalent in IIS Express for that? What changes do I need to make in applicationhost.config?

Security :: How To Impersonate User For A Block Of Code?

Apr 1, 2010

I know how to impersonate a user for the entire site but how best to impersonate for a block of code; WindowsImpersonationContext or NetworkCredential?

And how would this code look like?

C# - Unable To Start External Process With Impersonate

Feb 24, 2010

I'm deploying my website onto my new server (Windows 2003) from my local PC (Windows 7) and my local home server (Windows 2008) and have run into an issue.

I have a process that starts up with the below code. It is passed a video file which gets converted.

System.Diagnostics.ProcessStartInfo StartInfo = new System.Diagnostics.ProcessStartInfo(Command, Parameters);

The problem I have is that on my new Windows 2003 server it fails to work. No error or anything. Looking at the server and its taskmgr.exe I see the process start but nothing happens.

Looking into it, everyone seems to say I need to have impersonate="true" in the web.config, which I do have. I currently have it set to the Administrator account which I use to log into remote desktop (I assume this is fine???)

<identity impersonate="true" userName="Administrator" password="********" />

This still doesn't work.. Looking in the taskmgr.exe the process is started with the username ="NETWORK SERVICE" ...

DataSource Controls :: Impersonate To Sql Server 2008?

Mar 22, 2010

I have big trouble with impersonation between IIS and SQL 2008. I connect to IIS, where I set ASP.NET Impersonate, and I want to connect to the SQL server with the user's credentials. And there is the trouble. SQL Server runs in a Win 2008 R2 cluster. I tried to set delegation in Active Directory on the cluster server and in the cluster application. It does not work. It connects to the SQL server as the anonymous user.


Security :: Identity Impersonate - False And IIS In Windows Mode

Feb 21, 2011

I have a webpage stored on a local server (Site A) which, when I browse to it, is given my Windows account details; this site then checks within AD to get my email address. My email address is then passed to another website (Site B) and consumed. Website A is set in IIS to Integrated Windows Auth Only, and Website A has

<identity impersonate="false"/>

set in the web.config. What I don't understand is what user is accessing AD from Site A - with impersonate = false, that is telling the site not to impersonate the Windows user, but this seems at odds with the setting in IIS.

When Using Identity Impersonate Cannot Access Local ASPNETDB.MDF Database?

Dec 2, 2010

I have an ASP.NET website that interacts with Dynamic CRM. It also uses a local ASPNETDB.MDF for forms authentication. For the CRM I need to impersonate the identity created on the domain for this purpose. When identity impersonate is enabled I no longer have access to the local Membership Database. How can I allow the domain user used for the impersonation access to the membership database?

Translating C# Delegate To VB.NET?

Nov 19, 2010

I am trying to translate or convert C# code that a friend gave me. I have limited C# knowledge but was going along OK until I hit the following code that includes a delegate. I cannot figure out how to get the equivalent functionality in VB.NET. I'm using .NET 2.0 and VS2005.

public bool TryGetRedirectMatch(UrlContext url, out RedirectMatch match)
if (url.Path.StartsWith("/product.aspx", StringComparison.InvariantCultureIgnoreCase))[code]....


Security :: Impersonate A Connection To SQL Server Under IIS App Pool Account If Windows Authentication?

Aug 31, 2010

I have a requirement I should connect to MS SQL server under IIS Application pool account from ASP.NET application where Windows Authentication is enabled. I cannot use user name and password in connection string.

ASP.NET application should use Entity Framework 4.0 to work with data.

How To Apply Delegate And BeginInvoke

Mar 12, 2010

I am working with .net 3.5 and making application in I show some application which is make in C# in Windows form where i see following code in class level declaration

and following code in form load


and following code in some event


Now my problem is I am making application in code behind where I cannot how to apply all this in my application. I more confuse with Delegate and BeginInvoke. I read somewhere that to use BeginInvoke in VB you should use Ajax.


Visual Studio :: Intellisense Stops Working In Aspx Files When Identity Impersonate Is Set

Nov 11, 2010

I have an MVC 2.0 environment in a S#arp layout, everything works great, and I have Intellisense working in my aspx file (for things like HTML helpers and Model properties) As soon as I add the line:


To my web.config, I lose Intellisense on my aspx files! Does anyone have any idea of why this is happening? Or have any experience with this?

How To Create A Delegate To Allow The Label To Get Updated

Dec 14, 2010

In my code behind on a button click event I want to set the text of a label to inform the user where in the process we are. How do I create a delegate to allow the label to get updated

Trying To Implement A Business Delegate Pattern?

Jun 28, 2010

I am using ASP .NET and C#, and using the code-behind-pages concept. I am trying to implement a business delegate pattern in ASP .NET to reduce coupling between the presentation and business tiers. I want to have several ASP pages send information (through asp buttons clicks) to a "business delegate" ASP page, which will in turn send the necessary information to a C# method. The problem is that each button_click event in ASP .NET is directly tied to a C# method. I am having trouble understanding how to separate the presentation and business logic because of that.


AJAX :: Protected Delegate Sub AsyncTaskDelegate ()

Sep 2, 2010

I am trying to get this to bind to a gridview, without any luck. I would like each asynctask to ultimately return separate datasets, but for now I can deal with the same one being returned.


Implement For Each Delegate In Razor Viewengine?

Feb 22, 2011

The following code works for webform view engine.

<% Model.Categories.ForEach(x => { %>
<li><a href="#">@x.Name</a></li>
<% }) %>

I wrote the above code as below in razor view:

@Model.Categories.ForEach(x => {
<li><a href="#">@x.Name</a></li>

But this doesn't work. Is there any way to achieve this in razor view?


Web Forms :: How To Declare Delegate Or Call Upon Method

Jan 6, 2011

I am using c# and socket programming to create a web application. Anyone knows how to declare a useable delegate or using another method to invoke or call a method such that my codes will not have error? I am stuck for at least a week!

