473,846 Members | 1,891 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

.NET IIS to IIS credentials problem...


Hi,

I'm writing this off the top of my head as I don't have the exact
information to hand.

We are attempting to set up a secure internet site using ASP.NET on IIS5.
We are having some authentication problems early on in the project. The
plan is to have 1 ASP.NET (IIS) forms application serving user requests
and another ASP.NET (IIS) webservice interfacing to the database.

ASP.NET 1 is configured as follows:
IIS - anonymous access
ASP.NET set to forms authentication

ASP.NET 2 is configured as follows:
IIS - Windows authentication - anonymous disabled
ASP.NET set to Windows authentication

The desired process is that when the user accesses the Web application
and keys in their username and password, ASP.NET 1 will access the
webservice on ASP.NET 2. Because ASP.NET 1 and 2 have the same ASPNET
account, both set with the same username and password (set in
machine.config for now) so the authentication should be successful.

The problem we have is that when you access the logon page on ASP.NET 1
and key in a correct username and password you get an HTTP 401 error
(permission denied).

We have found the problem to be the no credentials are being passed to
the ASP.NET 2 so the Windows authentication fails.

After trying various configurations there are various methods that work,
but I'm not convinced any are the correct way.

Successful methods:
1. Set ASP.NET 1 and 2 to anonymous
- Bad becuase the security is abscent

2. Set ASP.NET 1 impersonation on and set the IIS anonymous account to
the ASPNET account.
- Bad because the security isn't as tight as it should be?

3. In the code for the Login button on ASP.NET 1 it's possible to set
the Credentials of the webservice instance to username=ASPNET password=
<pass>
- Bad because set the ASPNET login and password will have to be
stored again.

We think we are closest with 3. Using the WindowsIdentity object in
ASP.NET 1 we can get the Principle object for ASPNET, however we can't
figure out how to set the Credentials of the webservice from this.

So to wrap up from what I have described above. Is there a way to get
ASP.NET 1 to talk to ASP.NET 2? Given that one is anonymous access and
one is Windows authentication? They have the same ASPNET account and
password. Or is there a way to populate the credentials of the webservice
instance by getting information from the WindowsIdentity object.

Thanks,
Craig

Nov 17 '05 #1
4 2210
Craig,

Here's how to set the web services credentials:

Public Function GetCredentialCa che(ByVal UserName As String, ByVal Password
As String, ByVal Domain As String) As CredentialCache

Try

Dim mncUser As New NetworkCredenti al(UserName, Password, Domain)

If IsNothing(_Appl icationObject) Then

Throw New Exception("The property: ApplicationObje ct in the class
KpLibrary.Authe ntication has not been set.")

Exit Function

End If

Dim PageUtilities1 As New Fortunate.PageU tilities

PageUtilities1. ApplicationObje ct = _ApplicationObj ect

Dim muri As Uri = PageUtilities1. Uri("")

Dim mcrCache As New CredentialCache

mcrCache.Add(mu ri, "NTLM", mncUser)

Return mcrCache

Catch e As Exception

Throw e

End Try

End Function

Public Sub UseWebService()

Dim Credentials As CredentialCache = GetCredentialCa che("UserName",
"Password", "DomainName ")

Dim MyWebService As New WebServiceName

MyWebService.Cr edentials = Credentials

'---If you know the web service absolutely will be called and requires
authentication tell

' it to preauthenticate .

MyWebService.Pr eAuthenticate = True

End Sub

I've created an "Authentication " object that encapsulates this method on my
website, www.aboutfortunate.com, and placed it in my code library. All the
objects on my site are free and are available as .net v1.1 projects.

I've also written a help file that explains how to use each object. The help
file should answer any questions you may have about the method I've included
above, but if you have other questions feel free to email me. (anyone)

Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche
"Grind Boy" <no@email.com > wrote in message
news:Xn******** *************** **@216.65.98.9. ..

Hi,

I'm writing this off the top of my head as I don't have the exact
information to hand.

We are attempting to set up a secure internet site using ASP.NET on IIS5.
We are having some authentication problems early on in the project. The
plan is to have 1 ASP.NET (IIS) forms application serving user requests
and another ASP.NET (IIS) webservice interfacing to the database.

ASP.NET 1 is configured as follows:
IIS - anonymous access
ASP.NET set to forms authentication

ASP.NET 2 is configured as follows:
IIS - Windows authentication - anonymous disabled
ASP.NET set to Windows authentication

The desired process is that when the user accesses the Web application
and keys in their username and password, ASP.NET 1 will access the
webservice on ASP.NET 2. Because ASP.NET 1 and 2 have the same ASPNET
account, both set with the same username and password (set in
machine.config for now) so the authentication should be successful.

The problem we have is that when you access the logon page on ASP.NET 1
and key in a correct username and password you get an HTTP 401 error
(permission denied).

We have found the problem to be the no credentials are being passed to
the ASP.NET 2 so the Windows authentication fails.

After trying various configurations there are various methods that work,
but I'm not convinced any are the correct way.

Successful methods:
1. Set ASP.NET 1 and 2 to anonymous
- Bad becuase the security is abscent

2. Set ASP.NET 1 impersonation on and set the IIS anonymous account to
the ASPNET account.
- Bad because the security isn't as tight as it should be?

3. In the code for the Login button on ASP.NET 1 it's possible to set
the Credentials of the webservice instance to username=ASPNET password=
<pass>
- Bad because set the ASPNET login and password will have to be
stored again.

We think we are closest with 3. Using the WindowsIdentity object in
ASP.NET 1 we can get the Principle object for ASPNET, however we can't
figure out how to set the Credentials of the webservice from this.

So to wrap up from what I have described above. Is there a way to get
ASP.NET 1 to talk to ASP.NET 2? Given that one is anonymous access and
one is Windows authentication? They have the same ASPNET account and
password. Or is there a way to populate the credentials of the webservice
instance by getting information from the WindowsIdentity object.

Thanks,
Craig

Nov 17 '05 #2
Hi

I am not an experience programmer, but from what you described. I don't see
the point of having 2 IIS server one set to anonymous access and the other
set windows authentication. It doesn't improve security in anyway (I maybe
short sighted). Why not just make it all on one server? What exactly is your
standard of security? Do you want to have encrypted passwords or is plain
password good enough? If you think that having 2 IIS server as described in
your post improves security, please explain how (i think i am short sighted,
but that's why i am asking in the hope to learn more)

Also, from what you wrote, you seem to be saying that having windows
authentication improves the security of the system, I don't see how that
might be the case, you could have equally implement alogin system rather
than using integrated windows authentication, it wouldn't make any
difference security-wise. Or maybe i have misunderstood you totally.

Cheers

J :)
"Grind Boy" <no@email.com > wrote in message
news:Xn******** *************** **@216.65.98.9. ..

Hi,

I'm writing this off the top of my head as I don't have the exact
information to hand.

We are attempting to set up a secure internet site using ASP.NET on IIS5.
We are having some authentication problems early on in the project. The
plan is to have 1 ASP.NET (IIS) forms application serving user requests
and another ASP.NET (IIS) webservice interfacing to the database.

ASP.NET 1 is configured as follows:
IIS - anonymous access
ASP.NET set to forms authentication

ASP.NET 2 is configured as follows:
IIS - Windows authentication - anonymous disabled
ASP.NET set to Windows authentication

The desired process is that when the user accesses the Web application
and keys in their username and password, ASP.NET 1 will access the
webservice on ASP.NET 2. Because ASP.NET 1 and 2 have the same ASPNET
account, both set with the same username and password (set in
machine.config for now) so the authentication should be successful.

The problem we have is that when you access the logon page on ASP.NET 1
and key in a correct username and password you get an HTTP 401 error
(permission denied).

We have found the problem to be the no credentials are being passed to
the ASP.NET 2 so the Windows authentication fails.

After trying various configurations there are various methods that work,
but I'm not convinced any are the correct way.

Successful methods:
1. Set ASP.NET 1 and 2 to anonymous
- Bad becuase the security is abscent

2. Set ASP.NET 1 impersonation on and set the IIS anonymous account to
the ASPNET account.
- Bad because the security isn't as tight as it should be?

3. In the code for the Login button on ASP.NET 1 it's possible to set
the Credentials of the webservice instance to username=ASPNET password=
<pass>
- Bad because set the ASPNET login and password will have to be
stored again.

We think we are closest with 3. Using the WindowsIdentity object in
ASP.NET 1 we can get the Principle object for ASPNET, however we can't
figure out how to set the Credentials of the webservice from this.

So to wrap up from what I have described above. Is there a way to get
ASP.NET 1 to talk to ASP.NET 2? Given that one is anonymous access and
one is Windows authentication? They have the same ASPNET account and
password. Or is there a way to populate the credentials of the webservice
instance by getting information from the WindowsIdentity object.

Thanks,
Craig

Nov 17 '05 #3
I reread my post, it doesn't sound exactly friend, just want to say that i
don't mean no offence.
I am just a beginner programmer trying to learn stuff from these newsgroups.

Cheers

J :)

"James Zhuo" <na************ **@optusnet.com .au> wrote in message
news:ew******** ******@TK2MSFTN GP10.phx.gbl...
Hi

I am not an experience programmer, but from what you described. I don't see the point of having 2 IIS server one set to anonymous access and the other
set windows authentication. It doesn't improve security in anyway (I maybe
short sighted). Why not just make it all on one server? What exactly is your standard of security? Do you want to have encrypted passwords or is plain
password good enough? If you think that having 2 IIS server as described in your post improves security, please explain how (i think i am short sighted, but that's why i am asking in the hope to learn more)

Also, from what you wrote, you seem to be saying that having windows
authentication improves the security of the system, I don't see how that
might be the case, you could have equally implement alogin system rather
than using integrated windows authentication, it wouldn't make any
difference security-wise. Or maybe i have misunderstood you totally.

Cheers

J :)
"Grind Boy" <no@email.com > wrote in message
news:Xn******** *************** **@216.65.98.9. ..

Hi,

I'm writing this off the top of my head as I don't have the exact
information to hand.

We are attempting to set up a secure internet site using ASP.NET on IIS5. We are having some authentication problems early on in the project. The
plan is to have 1 ASP.NET (IIS) forms application serving user requests
and another ASP.NET (IIS) webservice interfacing to the database.

ASP.NET 1 is configured as follows:
IIS - anonymous access
ASP.NET set to forms authentication

ASP.NET 2 is configured as follows:
IIS - Windows authentication - anonymous disabled
ASP.NET set to Windows authentication

The desired process is that when the user accesses the Web application
and keys in their username and password, ASP.NET 1 will access the
webservice on ASP.NET 2. Because ASP.NET 1 and 2 have the same ASPNET
account, both set with the same username and password (set in
machine.config for now) so the authentication should be successful.

The problem we have is that when you access the logon page on ASP.NET 1
and key in a correct username and password you get an HTTP 401 error
(permission denied).

We have found the problem to be the no credentials are being passed to
the ASP.NET 2 so the Windows authentication fails.

After trying various configurations there are various methods that work,
but I'm not convinced any are the correct way.

Successful methods:
1. Set ASP.NET 1 and 2 to anonymous
- Bad becuase the security is abscent

2. Set ASP.NET 1 impersonation on and set the IIS anonymous account to
the ASPNET account.
- Bad because the security isn't as tight as it should be?

3. In the code for the Login button on ASP.NET 1 it's possible to set
the Credentials of the webservice instance to username=ASPNET password=
<pass>
- Bad because set the ASPNET login and password will have to be
stored again.

We think we are closest with 3. Using the WindowsIdentity object in
ASP.NET 1 we can get the Principle object for ASPNET, however we can't
figure out how to set the Credentials of the webservice from this.

So to wrap up from what I have described above. Is there a way to get
ASP.NET 1 to talk to ASP.NET 2? Given that one is anonymous access and
one is Windows authentication? They have the same ASPNET account and
password. Or is there a way to populate the credentials of the webservice instance by getting information from the WindowsIdentity object.

Thanks,
Craig


Nov 17 '05 #4
Turns out there was a restart required after setting the ASPNET
passwords.

My fault, all is well.

Simply by setting the webservice.Cred entials to the DefaultCredenti als
allows the public webapp to call the windows auth webservice.
Thanks for you help.

Craig
Grind Boy <no@email.com > wrote in news:Xns93D6B7E 637D46nonegrind com@
216.65.98.9:
Thanks for the reply, that's pretty much how we got it to work.

http://msdn.microsoft.com/library/de...l=/library/en-
us/dnnetsec/html/secnetlpMSDN.as p

--Chapter 7 - ASP.NET to Remote Enterprise Services to SQL Server

This describes that by having the 2 IIS servers using the same ASPNET
account with the same password. The article doesn't mention credentials at all. I'm confused.

Thanks,
Craig
"S. Justin Gengo" <sj*****@aboutf ortunate.com> wrote in
news:eE******** ******@TK2MSFTN GP12.phx.gbl:
Craig,

Here's how to set the web services credentials:

Public Function GetCredentialCa che(ByVal UserName As String, ByVal
Password As String, ByVal Domain As String) As CredentialCache

Try

Dim mncUser As New NetworkCredenti al(UserName, Password, Domain)

If IsNothing(_Appl icationObject) Then

Throw New Exception("The property: ApplicationObje ct in the class
KpLibrary.Authe ntication has not been set.")

Exit Function

End If

Dim PageUtilities1 As New Fortunate.PageU tilities

PageUtilities1. ApplicationObje ct = _ApplicationObj ect

Dim muri As Uri = PageUtilities1. Uri("")

Dim mcrCache As New CredentialCache

mcrCache.Add(mu ri, "NTLM", mncUser)

Return mcrCache

Catch e As Exception

Throw e

End Try

End Function

Public Sub UseWebService()

Dim Credentials As CredentialCache =
GetCredentialCa che("UserName",
"Password", "DomainName ")

Dim MyWebService As New WebServiceName

MyWebService.Cr edentials = Credentials

'---If you know the web service absolutely will be called and
requires
authentication tell

' it to preauthenticate .

MyWebService.Pr eAuthenticate = True

End Sub

I've created an "Authentication " object that encapsulates this method
on my website, www.aboutfortunate.com, and placed it in my code
library. All the objects on my site are free and are available as .net
v1.1 projects.

I've also written a help file that explains how to use each object.
The help file should answer any questions you may have about the
method I've included above, but if you have other questions feel free
to email me. (anyone)

Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche



Nov 17 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
1838
by: Twan Kennis | last post by:
Hello! I do have the following problem: I've developed a Windows application which communicates with a DB2-database on the iSeries platform using an ODBC-connection string. This ODBC-connection-string refers to a system-connection configured within the iSeries Navigator based on the Windows username and password of the logged-on user.
0
1018
by: aspnet | last post by:
Hi, We are facing a problem with CredentialCache. We have an ASP.NET website running under integrated windows authentication. We have another website which has an ASP (not ASP.net) page, and this website is also running under windows authentication. we are using the HttpWebRequest method to make a request to this ASP page (this asp will return an xml), and we use
15
2422
by: Ron L | last post by:
We are working on a distributed VB.Net application which will access a SQL database located on a known server. Each client will run on the user's local machine. To implement this, we are trying to use remoting for our access to the SQL server, with the remoting being via IIS. Since all of our users will have accounts in the destination domain, we want to have IIS handle the security for us and not allow anonymous. We have set this up...
2
3579
by: David R | last post by:
I am writing a .NET web services client that is calling an Axis web service. I have two questions. 1. The following code should set the authentication; when I call a method on the web service, the call fails with "bad username/password". // wrWorkReq is the name of the service wrWorkReq.Credentials = new System.Net.NetworkCredential("adolph.ramirez", "xxx");
2
3122
by: tsanil | last post by:
Hi, I have installed Red hat 3.0 and If I login through the telnet with other system I am getting the error " Cannot resolve network address for KDC in requested realm while getting initial credentials" login incorrect... Its happens for new user and old user account is working fine... pls any body provide me a solution. Thanks and regards
0
1169
by: Fresno Bob | last post by:
This is a little off topic but I am finding security in a non domain environment totally mystifying Can anyone help me. I work in a workgroup environment as opposed to domain controlled. The minute I do anything with reporting services or analysis services that is between machines I get problems. Can anyone give me an overview of how credentials are passed in a non domain environment.
0
1974
by: BbEsy | last post by:
Helo I have one little problem, I need to navigate to url, fill txboxes, submmit, wait for load next page and call javascript function. but this Pages need credentials.. I tried this.. navigate to "https://username:pass@url" this work fine. fill boxes. submit...
0
9879
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
10976
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
10640
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
10705
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
1
7877
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
7050
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5714
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
1
4521
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
4111
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.