NTLM Question...

I am writing an application that uses Remoting that is
hosted within IIS. We have an SSL cert enabled on the
server. We are using windows authentication on this
remoting service. Everything works fine here in the
office however when I try from home for example the
application does not work because the credentials do not
match. How do I pass the credentials from my .NET
windows application to the IIS server running the remoted
object. Also is this encrypted because we are using SSL
or does this use challenge/response so things aren't sent
in plain text. I would hate to turn this service on
publically knowing that the encryption is not working.
Jul 21 '05 #1
Hi Nicholas,

Thanks for your post. I have asked someone with expertise on this issue to
reply to this thread. In the meantime, I recommend the following MSDN
articles on .NET Remoting Security:

.NET Remoting Security Solution, Part 1: Microsoft.Samples.Security.SSPI
Assembly
http://msdn.microsoft.com/library/de...us/dndotnet/html/remsspi.asp

.NET Remoting Security Solution, Part 2:
Microsoft.Samples.Runtime.Remoting.Security Assembly
http://msdn.microsoft.com/library/de...us/dndotnet/html/remsec.asp

Have a nice day!

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! -- www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Jul 21 '05 #2
Hi Nicholas,

I need some more information and clarification.

First, here is my understanding of your question:
You have four computers involved as follows.
- IIS server at work
- remote application server at work
- your own workstation at work
- your own workstation at home

You have a windows application on your workstation which calls a .NET web
service on the IIS machine and the web service uses remoting to access a
windows application on the remote server. The web service and the remote
application both require windows authentication.

All this works normally when you are at work, but fails when you are at
home. You suspect that the problem is with authentication credentials not
being passed properly from the web service to the remote application.

Is this a correct problem description?

---
Do you get an error message? If yes, please post the error message.

What version of Windows are you using on each machine?

What language was each component written in?

At home, do you logon with the same user name and password as you do at
work?

How do you access your work network from home?
For example, is your web service on the internet & you just call into it?
Or, do you use virtual private networking to access your network at work?

Thank you, Mike
Microsoft, ASP.NET Support Professional

Microsoft highly recommends to all of our customers that they visit the
http://www.microsoft.com/protect site and perform the three straightforward
steps listed to improve your computer’s security.

This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
From: "Nicholas Then" <ni**@unitedagy.com>
Subject: NTLM Question...
Date: Tue, 9 Dec 2003 07:20:37 -0800
Newsgroups: microsoft.public.dotnet.general
Jul 21 '05 #3
Well, to clarify a few things, I have a database, IIS Server which has
an assembly exposed over the internet, and my application. The assembly
talking to the database works just fine. The directory where the
assembly is exposed will only allow NTLM authentication, at least that
is how I have it set up. When a user makes a request from the
application it goes to the IIS server and from there to my database. I
know that the service works because on my local network there is no
problem. When I log onto my application without my domain, I have
captured the event that is returned when a user cannot log onto the
service. I then have a prompt appear which the user can type in his
network username and password to authenticate. I have SSL enabled on
the IIS server, but does it send the username and password on the same
SSL channel? Is there a better, more secure way to authenticate? I am
using remoting over HTTP instead of TCP so it is more firewall friendly.
Jul 21 '05 #4
Hi Nicholas,

To clarify your doubts: you are discussing two topics here, authentication
and encryption. Let me discuss each one by one:

1. Authentication: For a remote object that is placed in a Virtual
directory with only Integrated security checked.
All requests coming in, including remote instantiation and remote calls,
need to authenticate themselves to the IIS server.
You can configure the allow and deny list in the web.config file to
configure your server. From the client side you can use the
useDefaultCredentials attribute to pass the credentials under which the client
is running as a part of the remoting request.
Or if you want to pass custom credentials then you can create any derived
class of ICredentials class (NetworkCredential is most commonly used) to
give in the username, password and domain that you want to pass to the
server. With .NET 1.1 you would need to set this on your transparent proxy
sink chain, as in the following code:

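// Requires: using System; using System.Collections; using System.Net;
// using System.Runtime.Remoting.Channels; using System.Runtime.Remoting.Channels.Http;
// using RemObj;
NetworkCredential nc = new NetworkCredential(userName, password, domain);
IDictionary ChannelProps = new Hashtable();
ChannelProps["port"] = "0";   // 0 = let the runtime pick a free client port
// Formatter sink providers (assumed to be the binary ones, going by their names)
BinaryClientFormatterSinkProvider ClientBinFormatter = new BinaryClientFormatterSinkProvider();
BinaryServerFormatterSinkProvider ServerBinFormatter = new BinaryServerFormatterSinkProvider();
HttpChannel channel = new HttpChannel(ChannelProps, ClientBinFormatter, ServerBinFormatter);
ChannelServices.RegisterChannel(channel);
RemObject X = (RemObject)Activator.GetObject(typeof(RemObj.RemObject), "http://localhost/Remobj/RemObj.soap");
// Attach the custom credentials to this proxy's channel sink chain
ChannelServices.GetChannelSinkProperties(X)["credentials"] = nc;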

Please refer to the following article for more details:
http://msdn.microsoft.com/library/de...us/dnnetsec/html/THCMCh13.asp

All requests would be sent with NTLM authentication, so the username/pass is
never sent in plaintext.

2. Encryption: If you use SSL then all data would be encrypted with the
server's certificate. This includes all requests and responses.

Hope this clears your doubts,
thanks,
Anant Dimri

Jul 21 '05 #5
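
The challenge/response exchange asked about in this thread, as an added example that is not part of the original posts: a parser for the three NTLM tokens carried in the `Authorization` and `WWW-Authenticate` HTTP headers, run over a constructed exchange. It lists the fields present in those headers (server challenge, domain, user name, and a response value derived from the password and the challenge). The function names and all sample values are constructed, and strings are assumed to be UTF-16LE (Unicode flag set).

```python
import base64
import struct

SIG = b"NTLMSSP\x00"

def _secbuf(msg, pos):
    # Security buffer: uint16 length, uint16 allocated, uint32 offset into msg
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def parse_ntlm_header(value):
    """Return the fields visible in one 'NTLM <base64>' HTTP header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM token")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 16 or not msg.startswith(SIG):
        raise ValueError("bad NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:                        # client: NEGOTIATE, capability flags only
        return {"type": "negotiate"}
    if mtype == 2 and len(msg) >= 32:     # server: CHALLENGE, 8-byte nonce at offset 24
        return {"type": "challenge", "server_challenge": msg[24:32].hex()}
    if mtype == 3 and len(msg) >= 64:     # client: AUTHENTICATE
        return {"type": "authenticate",
                "domain": _secbuf(msg, 28).decode("utf-16-le"),
                "user": _secbuf(msg, 36).decode("utf-16-le"),
                "nt_response": _secbuf(msg, 20).hex()}
    raise ValueError("unsupported or truncated NTLM message")

def build_sample_exchange(domain, user, challenge, nt_response):
    """Constructed sample headers (not captured traffic); Unicode strings assumed."""
    flags = struct.pack("<I", 0x00000201)      # NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    t1 = SIG + struct.pack("<I", 1) + flags
    t2 = SIG + struct.pack("<IHHI", 2, 0, 0, 32) + flags + challenge
    # Type 3 buffers in header order: LM, NT, domain, user, workstation, session key
    fields = [bytes(24), nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), b"", b""]
    head, body = SIG + struct.pack("<I", 3), b""
    for f in fields:
        head += struct.pack("<HHI", len(f), len(f), 64 + len(body))
        body += f
    t3 = head + flags + body
    enc = lambda m: "NTLM " + base64.b64encode(m).decode("ascii")
    return [("Authorization", enc(t1)), ("WWW-Authenticate", enc(t2)),
            ("Authorization", enc(t3))]
```
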
That helped a lot thank you :)

Jul 21 '05 #6
