Does NetworkCredential itself encrypt user credentials?

I have a website (call it WinAuthWeb) that uses Integrated Windows
Authentication.

In my ASP.NET web application, I collect user name, password and
domain info and pass them to WinAuthWeb for authentication (formerly
known as NTLM).

I construct the user credentials like this:

theUserCredential = New NetworkCredential(username, userpassword, userdomain)

And attach it to my HttpWebRequest object like this:

myRequest.Credentials = theUserCredential

I know that I can create an SSL channel and send this info over, but I
am specifically asking about regular HTTP transmission of such data.

I captured the traffic using Ethereal, and interestingly, I was not
able to find my user credentials in plain text in the packets. I did
see the web page returned from WinAuthWeb in plain text.

I cannot look into the implementation details of NetworkCredential, so
I am wondering if the NetworkCredential class actually encrypts the user
credentials by default. Or does it Base64-encode them? (I know this
isn't encryption, and thus insecure, but it is not human-readable.)

Does anyone know about this? Thanks if you could share.

Jul 9 '07 #1
The security is based on the site. NTLM is a challenge/response protocol:
the password is never passed, only hashes. If the site is set to Basic,
then the password is only encoded in Base64 and included with the request.

-- bruce (sqlwork.com)

Jul 9 '07 #2
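As an added example (not code from the thread), this Python script inspects captured Authorization headers the way one would when reviewing a trace like the one described above: a Basic header decodes straight back to the password, while an NTLM Type 3 (authenticate) message exposes the domain and user name but carries only the challenge responses. Both sample headers are constructed locally; the NTLM message follows the public Type 3 layout with dummy response blobs.

```python
"""Audit captured HTTP Authorization headers for credential exposure (added example)."""
import base64
import struct

NTLMSSP_UNICODE = 0x00000001  # negotiate flag: string fields are UTF-16LE

def build_ntlm_type3(domain, user, workstation, lm_resp, nt_resp):
    """Assemble a minimal NTLM Type 3 message (64-byte header, no MIC)."""
    fields = [lm_resp, nt_resp, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header, offset = b"NTLMSSP\x00" + struct.pack("<I", 3), 64
    for blob in fields:  # security buffer = length, max length, offset
        header += struct.pack("<HHI", len(blob), len(blob), offset)
        offset += len(blob)
    return header + struct.pack("<I", NTLMSSP_UNICODE) + b"".join(fields)

def _read_buf(msg, at):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]

def inspect_authorization(header):
    """Report what one Authorization header reveals to a passive observer."""
    scheme, _, token = header.partition(" ")
    raw = base64.b64decode(token)
    if scheme.lower() == "basic":  # base64 only: the password is in the clear
        user, _, password = raw.decode("utf-8").partition(":")
        return {"scheme": "Basic", "user": user, "password": password,
                "password_exposed": True}
    if scheme.lower() == "ntlm" and raw.startswith(b"NTLMSSP\x00"):
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        if msg_type != 3:  # Type 1 negotiate / Type 2 challenge: no user data
            return {"scheme": "NTLM", "type": msg_type, "password_exposed": False}
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & NTLMSSP_UNICODE else "ascii"
        return {"scheme": "NTLM", "type": 3,  # identity visible, password is not
                "domain": _read_buf(raw, 28).decode(enc),
                "user": _read_buf(raw, 36).decode(enc),
                "nt_response_len": len(_read_buf(raw, 20)),
                "password_exposed": False}
    return {"scheme": scheme, "password_exposed": False}

# Constructed samples (dummy 24-byte response blobs): the two ways a credential can hit the wire.
SAMPLE_HEADERS = [
    "Basic " + base64.b64encode(b"CORP\\alice:S3cret!").decode(),
    "NTLM " + base64.b64encode(build_ntlm_type3(
        "CORP", "alice", "WS1", b"\x11" * 24, b"\x22" * 24)).decode(),
]

if __name__ == "__main__":
    print(*(inspect_authorization(h) for h in SAMPLE_HEADERS), sep="\n")
```

Which of the two a client actually sends depends on the scheme the server challenges with, so a trace that shows only NTLM today says nothing about what a Basic challenge would elicit.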
Thank you. I am a little bit confused. The security is based on the
remote site (in my case, WinAuthWeb)? And for Integrated Windows
Authentication, only the hash of the password is sent? If that's the
case, it seems to be good enough even if we send such credentials
through regular HTTP.

What do you mean by "the site is set to basic"? Do you mean "Basic
Authentication", which is one of the options on the Directory Security tab
of the IIS configuration?

Jul 9 '07 #3
OK, I think I am clearer about the situation now.

I did a little bit of research, and realized (I knew this from a long
time ago, but just didn't link it properly with my current situation)
that Active Directory does not store the user password per se, but
instead stores its hash, just like a Unix system.

Therefore, just like Bruce Barker has said, if the web site is
configured for Integrated Windows Authentication, then the website
will only request the hash of the user password, in addition to user
name and domain.

I guess that somehow something in NetworkCredential for ASP.NET or in
Microsoft.XMLHTTP for classic ASP will take care of the hashing
process.

Given this understanding, in our web application, even if we connect
to the remote web server through HTTP to transmit user credentials for
NTLM authentication, we seem to be OK (as long as the password is
strong enough to be hash-dictionary-proof).

This is my preliminary conclusion. Correct me if I am wrong.

That said, we can still easily create an SSL channel in ASP.NET to
transmit such sensitive data for added security by implementing our
own CertificatePolicy. It is a little harder to do so in classic ASP.

Jul 9 '07 #4
