[lnkForumImage]
TotalShareware - Download Free Software

Confronta i prezzi di migliaia di prodotti.
Asp Forum
 Home | Login | Register | Search 


 

Forums >

microsoft.public.dotnet.framework.aspnet.webservices

.NET IIS to IIS credentials problem...

Jari

8/13/2003 12:40:00 PM


Hi,

I'm writing this off the top of my head as I don't have the exact
information to hand.

We are attempting to set up a secure internet site using ASP.NET on IIS5.
We are having some authentication problems early on in the project. The
plan is to have 1 ASP.NET (IIS) forms application serving user requests
and another ASP.NET (IIS) webservice interfacing to the database.

ASP.NET 1 is configured as follows:
IIS - anonymous access
ASP.NET set to forms authentication

ASP.NET 2 is configured as follows:
IIS - Windows authentication - anonymous disabled
ASP.NET set to Windows authentication

The desired process is that when the user accesses the Web application
and keys in their username and password, ASP.NET 1 will access the
webservice on ASP.NET 2. Because ASP.NET 1 and 2 have the same ASPNET
account, both set with the same username and password (set in
machine.config for now) so the authentication should be successful.

The problem we have is that when you access the logon page on ASP.NET 1
and key in a correct username and password you get an HTTP 401 error
(permission denied).

We have found the problem to be the no credentials are being passed to
the ASP.NET 2 so the Windows authentication fails.

After trying various configurations there are various methods that work,
but I'm not convinced any are the correct way.

Successful methods:
1. Set ASP.NET 1 and 2 to anonymous
- Bad becuase the security is abscent

2. Set ASP.NET 1 impersonation on and set the IIS anonymous account to
the ASPNET account.
- Bad because the security isn't as tight as it should be?

3. In the code for the Login button on ASP.NET 1 it's possible to set
the Credentials of the webservice instance to username=ASPNET password=
<pass>
- Bad because set the ASPNET login and password will have to be
stored again.

We think we are closest with 3. Using the WindowsIdentity object in
ASP.NET 1 we can get the Principle object for ASPNET, however we can't
figure out how to set the Credentials of the webservice from this.

So to wrap up from what I have described above. Is there a way to get
ASP.NET 1 to talk to ASP.NET 2? Given that one is anonymous access and
one is Windows authentication? They have the same ASPNET account and
password. Or is there a way to populate the credentials of the webservice
instance by getting information from the WindowsIdentity object.

Thanks,
Craig

4 Answers

S. Justin Gengo

8/13/2003 2:02:00 PM

0

Craig,

Here's how to set the web services credentials:

Public Function GetCredentialCache(ByVal UserName As String, ByVal Password
As String, ByVal Domain As String) As CredentialCache

Try

Dim mncUser As New NetworkCredential(UserName, Password, Domain)

If IsNothing(_ApplicationObject) Then

Throw New Exception("The property: ApplicationObject in the class
KpLibrary.Authentication has not been set.")

Exit Function

End If

Dim PageUtilities1 As New Fortunate.PageUtilities

PageUtilities1.ApplicationObject = _ApplicationObject

Dim muri As Uri = PageUtilities1.Uri("")

Dim mcrCache As New CredentialCache

mcrCache.Add(muri, "NTLM", mncUser)

Return mcrCache

Catch e As Exception

Throw e

End Try

End Function

Public Sub UseWebService()

Dim Credentials As CredentialCache = GetCredentialCache("UserName",
"Password", "DomainName")

Dim MyWebService As New WebServiceName

MyWebService.Credentials = Credentials

'---If you know the web service absolutely will be called and requires
authentication tell

' it to preauthenticate.

MyWebService.PreAuthenticate = True

End Sub

I've created an "Authentication" object that encapsulates this method on my
website, www.aboutfortunate.com, and placed it in my code library. All the
objects on my site are free and are available as .net v1.1 projects.

I've also written a help file that explains how to use each object. The help
file should answer any questions you may have about the method I've included
above, but if you have other questions feel free to email me. (anyone)

Sincerely,

--
S. Justin Gengo, MCP
Web Developer

Free code library at:
www.aboutfortunate.com

"Out of chaos comes order."
Nietzche


"Grind Boy" <no@email.com> wrote in message
news:Xns93D68AF913E5nonegrindcom@216.65.98.9...
>
> Hi,
>
> I'm writing this off the top of my head as I don't have the exact
> information to hand.
>
> We are attempting to set up a secure internet site using ASP.NET on IIS5.
> We are having some authentication problems early on in the project. The
> plan is to have 1 ASP.NET (IIS) forms application serving user requests
> and another ASP.NET (IIS) webservice interfacing to the database.
>
> ASP.NET 1 is configured as follows:
> IIS - anonymous access
> ASP.NET set to forms authentication
>
> ASP.NET 2 is configured as follows:
> IIS - Windows authentication - anonymous disabled
> ASP.NET set to Windows authentication
>
> The desired process is that when the user accesses the Web application
> and keys in their username and password, ASP.NET 1 will access the
> webservice on ASP.NET 2. Because ASP.NET 1 and 2 have the same ASPNET
> account, both set with the same username and password (set in
> machine.config for now) so the authentication should be successful.
>
> The problem we have is that when you access the logon page on ASP.NET 1
> and key in a correct username and password you get an HTTP 401 error
> (permission denied).
>
> We have found the problem to be the no credentials are being passed to
> the ASP.NET 2 so the Windows authentication fails.
>
> After trying various configurations there are various methods that work,
> but I'm not convinced any are the correct way.
>
> Successful methods:
> 1. Set ASP.NET 1 and 2 to anonymous
> - Bad becuase the security is abscent
>
> 2. Set ASP.NET 1 impersonation on and set the IIS anonymous account to
> the ASPNET account.
> - Bad because the security isn't as tight as it should be?
>
> 3. In the code for the Login button on ASP.NET 1 it's possible to set
> the Credentials of the webservice instance to username=ASPNET password=
> <pass>
> - Bad because set the ASPNET login and password will have to be
> stored again.
>
> We think we are closest with 3. Using the WindowsIdentity object in
> ASP.NET 1 we can get the Principle object for ASPNET, however we can't
> figure out how to set the Credentials of the webservice from this.
>
> So to wrap up from what I have described above. Is there a way to get
> ASP.NET 1 to talk to ASP.NET 2? Given that one is anonymous access and
> one is Windows authentication? They have the same ASPNET account and
> password. Or is there a way to populate the credentials of the webservice
> instance by getting information from the WindowsIdentity object.
>
> Thanks,
> Craig
>


James Zhuo

8/13/2003 2:04:00 PM

0

Hi

I am not an experience programmer, but from what you described. I don't see
the point of having 2 IIS server one set to anonymous access and the other
set windows authentication. It doesn't improve security in anyway (I maybe
short sighted). Why not just make it all on one server? What exactly is your
standard of security? Do you want to have encrypted passwords or is plain
password good enough? If you think that having 2 IIS server as described in
your post improves security, please explain how (i think i am short sighted,
but that's why i am asking in the hope to learn more)

Also, from what you wrote, you seem to be saying that having windows
authentication improves the security of the system, I don't see how that
might be the case, you could have equally implement alogin system rather
than using integrated windows authentication, it wouldn't make any
difference security-wise. Or maybe i have misunderstood you totally.

Cheers

J :)
"Grind Boy" <no@email.com> wrote in message
news:Xns93D68AF913E5nonegrindcom@216.65.98.9...
>
> Hi,
>
> I'm writing this off the top of my head as I don't have the exact
> information to hand.
>
> We are attempting to set up a secure internet site using ASP.NET on IIS5.
> We are having some authentication problems early on in the project. The
> plan is to have 1 ASP.NET (IIS) forms application serving user requests
> and another ASP.NET (IIS) webservice interfacing to the database.
>
> ASP.NET 1 is configured as follows:
> IIS - anonymous access
> ASP.NET set to forms authentication
>
> ASP.NET 2 is configured as follows:
> IIS - Windows authentication - anonymous disabled
> ASP.NET set to Windows authentication
>
> The desired process is that when the user accesses the Web application
> and keys in their username and password, ASP.NET 1 will access the
> webservice on ASP.NET 2. Because ASP.NET 1 and 2 have the same ASPNET
> account, both set with the same username and password (set in
> machine.config for now) so the authentication should be successful.
>
> The problem we have is that when you access the logon page on ASP.NET 1
> and key in a correct username and password you get an HTTP 401 error
> (permission denied).
>
> We have found the problem to be the no credentials are being passed to
> the ASP.NET 2 so the Windows authentication fails.
>
> After trying various configurations there are various methods that work,
> but I'm not convinced any are the correct way.
>
> Successful methods:
> 1. Set ASP.NET 1 and 2 to anonymous
> - Bad becuase the security is abscent
>
> 2. Set ASP.NET 1 impersonation on and set the IIS anonymous account to
> the ASPNET account.
> - Bad because the security isn't as tight as it should be?
>
> 3. In the code for the Login button on ASP.NET 1 it's possible to set
> the Credentials of the webservice instance to username=ASPNET password=
> <pass>
> - Bad because set the ASPNET login and password will have to be
> stored again.
>
> We think we are closest with 3. Using the WindowsIdentity object in
> ASP.NET 1 we can get the Principle object for ASPNET, however we can't
> figure out how to set the Credentials of the webservice from this.
>
> So to wrap up from what I have described above. Is there a way to get
> ASP.NET 1 to talk to ASP.NET 2? Given that one is anonymous access and
> one is Windows authentication? They have the same ASPNET account and
> password. Or is there a way to populate the credentials of the webservice
> instance by getting information from the WindowsIdentity object.
>
> Thanks,
> Craig
>


James Zhuo

8/13/2003 2:19:00 PM

0

I reread my post, it doesn't sound exactly friend, just want to say that i
don't mean no offence.
I am just a beginner programmer trying to learn stuff from these newsgroups.

Cheers

J :)

"James Zhuo" <nano_electronics@optusnet.com.au> wrote in message
news:ewF6CPaYDHA.1056@TK2MSFTNGP10.phx.gbl...
> Hi
>
> I am not an experience programmer, but from what you described. I don't
see
> the point of having 2 IIS server one set to anonymous access and the other
> set windows authentication. It doesn't improve security in anyway (I maybe
> short sighted). Why not just make it all on one server? What exactly is
your
> standard of security? Do you want to have encrypted passwords or is plain
> password good enough? If you think that having 2 IIS server as described
in
> your post improves security, please explain how (i think i am short
sighted,
> but that's why i am asking in the hope to learn more)
>
> Also, from what you wrote, you seem to be saying that having windows
> authentication improves the security of the system, I don't see how that
> might be the case, you could have equally implement alogin system rather
> than using integrated windows authentication, it wouldn't make any
> difference security-wise. Or maybe i have misunderstood you totally.
>
> Cheers
>
> J :)
> "Grind Boy" <no@email.com> wrote in message
> news:Xns93D68AF913E5nonegrindcom@216.65.98.9...
> >
> > Hi,
> >
> > I'm writing this off the top of my head as I don't have the exact
> > information to hand.
> >
> > We are attempting to set up a secure internet site using ASP.NET on
IIS5.
> > We are having some authentication problems early on in the project. The
> > plan is to have 1 ASP.NET (IIS) forms application serving user requests
> > and another ASP.NET (IIS) webservice interfacing to the database.
> >
> > ASP.NET 1 is configured as follows:
> > IIS - anonymous access
> > ASP.NET set to forms authentication
> >
> > ASP.NET 2 is configured as follows:
> > IIS - Windows authentication - anonymous disabled
> > ASP.NET set to Windows authentication
> >
> > The desired process is that when the user accesses the Web application
> > and keys in their username and password, ASP.NET 1 will access the
> > webservice on ASP.NET 2. Because ASP.NET 1 and 2 have the same ASPNET
> > account, both set with the same username and password (set in
> > machine.config for now) so the authentication should be successful.
> >
> > The problem we have is that when you access the logon page on ASP.NET 1
> > and key in a correct username and password you get an HTTP 401 error
> > (permission denied).
> >
> > We have found the problem to be the no credentials are being passed to
> > the ASP.NET 2 so the Windows authentication fails.
> >
> > After trying various configurations there are various methods that work,
> > but I'm not convinced any are the correct way.
> >
> > Successful methods:
> > 1. Set ASP.NET 1 and 2 to anonymous
> > - Bad becuase the security is abscent
> >
> > 2. Set ASP.NET 1 impersonation on and set the IIS anonymous account to
> > the ASPNET account.
> > - Bad because the security isn't as tight as it should be?
> >
> > 3. In the code for the Login button on ASP.NET 1 it's possible to set
> > the Credentials of the webservice instance to username=ASPNET password=
> > <pass>
> > - Bad because set the ASPNET login and password will have to be
> > stored again.
> >
> > We think we are closest with 3. Using the WindowsIdentity object in
> > ASP.NET 1 we can get the Principle object for ASPNET, however we can't
> > figure out how to set the Credentials of the webservice from this.
> >
> > So to wrap up from what I have described above. Is there a way to get
> > ASP.NET 1 to talk to ASP.NET 2? Given that one is anonymous access and
> > one is Windows authentication? They have the same ASPNET account and
> > password. Or is there a way to populate the credentials of the
webservice
> > instance by getting information from the WindowsIdentity object.
> >
> > Thanks,
> > Craig
> >
>
>


Jari

8/14/2003 1:00:00 PM

0

Turns out there was a restart required after setting the ASPNET
passwords.

My fault, all is well.

Simply by setting the webservice.Credentials to the DefaultCredentials
allows the public webapp to call the windows auth webservice.


Thanks for you help.

Craig


Grind Boy <no@email.com> wrote in news:Xns93D6B7E637D46nonegrindcom@
216.65.98.9:

> Thanks for the reply, that's pretty much how we got it to work.
>
> http://msdn.microsoft.com/library/default.asp?url=/l...
> us/dnnetsec/html/secnetlpMSDN.asp
>
> --Chapter 7 - ASP.NET to Remote Enterprise Services to SQL Server
>
> This describes that by having the 2 IIS servers using the same ASPNET
> account with the same password. The article doesn't mention
credentials
> at all. I'm confused.
>
> Thanks,
> Craig
>
>
> "S. Justin Gengo" <sjgengo@aboutfortunate.com> wrote in
> news:eEC#$NaYDHA.1620@TK2MSFTNGP12.phx.gbl:
>
>> Craig,
>>
>> Here's how to set the web services credentials:
>>
>> Public Function GetCredentialCache(ByVal UserName As String, ByVal
>> Password As String, ByVal Domain As String) As CredentialCache
>>
>> Try
>>
>> Dim mncUser As New NetworkCredential(UserName, Password, Domain)
>>
>> If IsNothing(_ApplicationObject) Then
>>
>> Throw New Exception("The property: ApplicationObject in the class
>> KpLibrary.Authentication has not been set.")
>>
>> Exit Function
>>
>> End If
>>
>> Dim PageUtilities1 As New Fortunate.PageUtilities
>>
>> PageUtilities1.ApplicationObject = _ApplicationObject
>>
>> Dim muri As Uri = PageUtilities1.Uri("")
>>
>> Dim mcrCache As New CredentialCache
>>
>> mcrCache.Add(muri, "NTLM", mncUser)
>>
>> Return mcrCache
>>
>> Catch e As Exception
>>
>> Throw e
>>
>> End Try
>>
>> End Function
>>
>> Public Sub UseWebService()
>>
>> Dim Credentials As CredentialCache =
>> GetCredentialCache("UserName",
>> "Password", "DomainName")
>>
>> Dim MyWebService As New WebServiceName
>>
>> MyWebService.Credentials = Credentials
>>
>> '---If you know the web service absolutely will be called and
>> requires
>> authentication tell
>>
>> ' it to preauthenticate.
>>
>> MyWebService.PreAuthenticate = True
>>
>> End Sub
>>
>> I've created an "Authentication" object that encapsulates this method
>> on my website, www.aboutfortunate.com, and placed it in my code
>> library. All the objects on my site are free and are available as .net
>> v1.1 projects.
>>
>> I've also written a help file that explains how to use each object.
>> The help file should answer any questions you may have about the
>> method I've included above, but if you have other questions feel free
>> to email me. (anyone)
>>
>> Sincerely,
>>
>> --
>> S. Justin Gengo, MCP
>> Web Developer
>>
>> Free code library at:
>> www.aboutfortunate.com
>>
>> "Out of chaos comes order."
>> Nietzche
>>
>
>