Developer Forum

Hello,
I have an ASP.NET web-application using Windows Based authentication
that references a web-service to do business logic type things. I
would like to secure the web-service with Windows Authentication as
well and would like to forward the credentials from the original
web-request (to the web-form) on to the web-service. I can get the
WindowsPrincipal / Identity of the requesting user but the generated
proxy for the web-service requires a "NetworkCredentials". If I use:

webservice.Credentials =
System.net.CredentialsCache.DefaultCredentials

the web-service authenticates the request with the ASPNET user (which
makes sense)

I don't know how to create credentials using the WindowsPrincipal (or
even if this can be done?). Do I need to somehow create the
XML-Web-service request myself using the base classes?

Help! Thanks

Using Windows Integrated authentication in the ASP.NET application, this can
be done if you use impersonation in the ASP.NET app and enabled Kerberos
delegation. Kerberos delegation allows the token that IIS generates on the
ASP.NET box to hop to the machine on the web services box.

There are a bunch of references to Kerberos delegation in the MS Knowledge
Base. Kerberos can be tricky, so I suggest you read up on it.

Also, if you use Basic Authentication in the ASP.NET application, it is
trivially easy to get the user's username and password directly from the
request headers or server variables and pass those directly to your proxy
class.

HTH,

Joe K.

Hi,
Thanks for the insight... I will look into Kerberos. I was sort of
hoping for something where I could construct the credentials based on
the Security Principal but I guess that's not possible.
Just so I understand - when you're talking about getting the username
and password from Basic authentication, are you referring to base64
decoding the Authorization header? I did try that and just got back a
small string that wasn't the username or password. I think I may have
had it configured incorrectly because the word "basic" wasn't in there
anywhere which I believe it is supposed to be...

Thanks again,
Sean

Yes, for Basic auth, the authorization header will contain a string like:

Basic dXNlcjpwYXNzd29yZA==

The string after "Basic" are the Base64 encoded credentials in the form
user:password. That is the easiest way to get the user's password to create
a network credential.

If you had the string "Negotiate" in there, you were using Integrated auth
which uses NTLM or Kerberos. In that protocol, there is no plain-text
password for you to recover (which is why you can use that protocol safely
without SSL!).

You can definitely get the Default Credentials thing to work as well using
impersonation, but you will likely need Delegation in that scenario (thus
Kerberos) in order for those credentials to work on a different machine on
the network.

Joe K.




can
the
Knowledge
proxy