Hey folks,
I'm trying to use the HttpWebResponse object in an ASP application, but I
get a 401 unauthorized error on this line:
HttpWebResponse response = (HttpWebRespons e)webRequest.Ge tResponse();
I have:
identity impersonate = true
authentication mode = windows
IIS set to use windows authentication
and I set: webRequest.Cred entials = CredentialCache .DefaultCredent ials;
This works when I run the page from the server, but from a remote machine it
gives me the unauthorized error. However, if in the web config file I
specify identity impersonate = true with a username and password, then it
works fine. I don't want to do this however.
Is there any way to avoid specifying a username and password in the
web.config and without setting up delegation on the server (not an option)?
Thanks! 4 5362
Hi John,
can you tell me whether you are using NTFS in your domain? NTFS is only
able to make 1 'hop' using impersonation. This is due to the fact that
there are no credentials passed, only tokens.
You probably have the following scenario (3 distinct machines):
Client ---> WebServer ---> Database server
As you can see, this setup takes two hops and will not work using
impersonation. If you switch to Kerberos for authentication this will
work. But I do believe this isn't used to mutch...
Hope it helps,
Grtz, Wouter van Vugt
Info Support - Netherlands www.infosupport.com
blogs.infosuppo rt.com/wouterv
John Smith schreef: Hey folks,
I'm trying to use the HttpWebResponse object in an ASP application, but I get a 401 unauthorized error on this line: HttpWebResponse response = (HttpWebRespons e)webRequest.Ge tResponse();
I have: identity impersonate = true authentication mode = windows IIS set to use windows authentication and I set: webRequest.Cred entials = CredentialCache .DefaultCredent ials;
This works when I run the page from the server, but from a remote machine it gives me the unauthorized error. However, if in the web config file I specify identity impersonate = true with a username and password, then it works fine. I don't want to do this however.
Is there any way to avoid specifying a username and password in the web.config and without setting up delegation on the server (not an option)?
Thanks!
I'm guessing you don't want to put it in the config for security
reasons. I wouldn't want to either! You can store the username and
password as encrypted values in the registry. You then point the
web.config file to look in the registry for the values.
This site explains the process of using aspnet_setreg.e xe to encrypt
the values in the registry as well as how to reference them in your
web.config file. http://support.microsoft.com/default...b;en-us;329290
If you are running Windows 2000 as your server environment there is an
additional step; the ASPNET account (the account which the Aspnet
process runs under) needs to have something called TCB (Trusted
Computing Base) or what is more commonly known as "Act as part of the
operating system." privileges. These privileges are pretty powerful and
it's not recommended to grant them to any account.
Note: From what I gather, the above requirement only applies to the
..NET Framework 1.0 on Windows 2000. Windows XP and .NET 1.1 don't
require this.
This is one way to use impersonation securely.
Experts please correct my inaccuracies. :)
-Jay
Thanks for the link. If there's no other way of doing it, then I'll do this.
I'm still just confused on why it's not impersonating the logged in user and
why I have to specify a new username and password.
"ja*@gloryfish. org" wrote: I'm guessing you don't want to put it in the config for security reasons. I wouldn't want to either! You can store the username and password as encrypted values in the registry. You then point the web.config file to look in the registry for the values.
This site explains the process of using aspnet_setreg.e xe to encrypt the values in the registry as well as how to reference them in your web.config file.
http://support.microsoft.com/default...b;en-us;329290
If you are running Windows 2000 as your server environment there is an additional step; the ASPNET account (the account which the Aspnet process runs under) needs to have something called TCB (Trusted Computing Base) or what is more commonly known as "Act as part of the operating system." privileges. These privileges are pretty powerful and it's not recommended to grant them to any account.
Note: From what I gather, the above requirement only applies to the ..NET Framework 1.0 on Windows 2000. Windows XP and .NET 1.1 don't require this.
This is one way to use impersonation securely.
Experts please correct my inaccuracies. :)
-Jay
I'm using the logged in credentials to connect to our database server and it
works fine.
"wo******@hotma il.com" wrote: Hi John,
can you tell me whether you are using NTFS in your domain? NTFS is only able to make 1 'hop' using impersonation. This is due to the fact that there are no credentials passed, only tokens. You probably have the following scenario (3 distinct machines):
Client ---> WebServer ---> Database server
As you can see, this setup takes two hops and will not work using impersonation. If you switch to Kerberos for authentication this will work. But I do believe this isn't used to mutch...
Hope it helps,
Grtz, Wouter van Vugt Info Support - Netherlands www.infosupport.com blogs.infosuppo rt.com/wouterv
John Smith schreef:
Hey folks,
I'm trying to use the HttpWebResponse object in an ASP application, but I get a 401 unauthorized error on this line: HttpWebResponse response = (HttpWebRespons e)webRequest.Ge tResponse();
I have: identity impersonate = true authentication mode = windows IIS set to use windows authentication and I set: webRequest.Cred entials = CredentialCache .DefaultCredent ials;
This works when I run the page from the server, but from a remote machine it gives me the unauthorized error. However, if in the web config file I specify identity impersonate = true with a username and password, then it works fine. I don't want to do this however.
Is there any way to avoid specifying a username and password in the web.config and without setting up delegation on the server (not an option)?
Thanks!
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Anil Krishnamurthy |
last post by:
We have an ASP.NET application that uses COM objects through Interop. The
web application requires access to network and database resources and hence,
needs to impersonate a domain account. The problem is that even when it is
configured to run under a certain identity through Web.config, the
impersonation is not carried through to COM library. Consequently, the code
in COM object runs under a local account and any code that needs to access...
|
by: Svein Terje Gaup |
last post by:
I have a website running on Windows 2000 Server, that should be able to
retrieve data from a datawarehouse on another machine running Windows 2000
Server, SQL Server 2000 and SQL Server 2000 Analysis Services. It seems
impossible to make the impersonation work. Every path I try seems to be
blocked.
Path number one: set <identity impersonate=false/> in web.config
OK. The Website is up, but it cannot access the datawarehouse because the...
|
by: Sorin Sandu |
last post by:
How can I override Identity Impersonate setting from machine.config on a
site on the same server ?
I am using impersonate on most web sites but on one I need to use Windows
Identity.
|
by: Razak |
last post by:
Hi,
I have a class which basically do Impersonation in my web application. From
MS KB sample:-
++++++++++++++++++++code starts
Dim impersonationContext As
System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
|
by: franzhe |
last post by:
Hi all,
in a simple ASP.Net application with resources in satellite assemblies I
have the following problem:
If I set <identity impersonate="true"/>, accessing a culture specific
resource from a satellite assembly fails with the error message:
"Could not find any resources appropriate for the specified culture (or the
neutral culture) in the given assembly. ..."
| |
by: Sonal |
last post by:
I am trying to impersonate user with windows account.
If I write following lines in web.config it show error
<identity impersonate="true" userName="contoso\Jane" password="pass"/>
ERROR:
Error while trying to run project: Unable to start debugging on the web
server. Server side-error occurred on sending debug HTTP request.
Make sure the server is operating correctly. Verify there are no syntax
|
by: Meena Desai |
last post by:
Hi,
What are the effects of using <identity impersonate="true"/> in web.config
on windows auhtentication? Does it affect windows security?
Thanx in advance,
Meena.
|
by: martin |
last post by:
Hi,
I am having trouble using impersonation -- with integrated security - on a
domain controller.
The authentication on IIS is set to integrated security only --- (NO
annoymosy access allowed)
The authentication element in webconfig is set to <authentication
mode="Windows" />
The identity element in webconfig is set to <identity impersonate="true"/>
|
by: Doug |
last post by:
Visual Studio 2005, SQL Server 2000, ASP.NET/VB.NET
Not allowed to use the ASPNET machine account in SQL Server (very
strict environment).
Need to use Windows authentication, so we use "Identity
Impersonate=true" in the web.config file.
Trying to implement a system-wide error trapping mechanism. Nothing
fancy, just writing to a log file. The recommended procedure was to
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |