Passing windows credentials from server to server.

  • Thread starter: Wade Wegner

Wade Wegner

Hello,

I have been desperately trying to programmatically authenticate a windows
user, create their credentials, and then redirect them to a different server
while passing the credentials at the same time so that they don't have to
login again.

Specifically, I have two webservers in the same domain. When I have a user
go to Webserver A (which uses basic authentication) I programmatically
create either a user credential or impersonate a user context (for now it's
hardcoded, but in the future it would be entered in forms). Then, I want to
let that user access a page on Webserver B (which uses basic
authentication), but I don't want them to have to login again -- rather, I
want to use the user context that I programmatically created on Webserver A.

For instance, here is an example of the code I use to create the user
credentials:

' Requires: Imports System.Net
Dim strURI As String = "http://www.whatever.com"
Dim myCred As New NetworkCredential("userid", "password", "domain")
Dim myURI As New Uri(strURI)
' Cache the credential for this URI under the Basic scheme
Dim myCache As New CredentialCache
myCache.Add(myURI, "Basic", myCred)

From this, I have attempted to use WebRequests and WebResponses to somehow
allow me to direct the browser to a different page, and use the credential I
have generated. The most I can do, however, is create the request and
receive the response:

' This request is made by the server itself, using the cached credential
Dim myWebRequest As System.Net.WebRequest = System.Net.WebRequest.Create(strURI)
myWebRequest.Credentials = myCache
Dim myWebResponse As WebResponse = myWebRequest.GetResponse()

If only I could use the response.redirect method, and somehow pass the
credentials with the redirection (like you can with the webrequest), it
could work!

I have also attempted to use the LogonUser API (from the advapi32.dll), and
impersonate a user based on the proper logon information -- this works, and
I'm able to successfully impersonate the user, but again, I don't know how
to pass along the user context to a different page.

I know that many people will say "just use form based authentication," but
this will not work for me, as I want this to work with tools like Outlook
Web Access, which requires windows authentication.

Any help would be greatly appreciated. Thank you!!

Wade
 
if they are your own servers, you could set up a webservice to transfer
session info back and forth...
 
Huh!

I never knew you could do that to pass login information to a site with basic
authentication. Is there a name for that? Something that would allow me to
look it up in MSDN? I wonder what the security considerations are. If used
with SSL, is it safe? Etc.

Thanks for the idea, though ... I'll look into it some more.

Wade
 
Okay, as I've been playing with the method you mentioned, I've noted the
following.

If I create a login form, and then programmatically create a URL string, and
then redirect to that URL, it prompts me to login. However, if I register a
vbscript that uses window.location to redirect the user to this script, it
doesn't. Does the response.redirect not work?

For example, this is what I use for the response.redirect:

Dim strURL as string
strURL = "http://" & txtUserID.Text & ":" & txtPassword.Text & "@mydomain.com"

response.redirect(strURL)

That doesn't work, and it prompts me to login.

However, I can get the following to work fine:

Dim strURL as string
strURL = "http://" & txtUserID.Text & ":" & txtPassword.Text & "@mydomain.com"

Dim txtScript as new System.Text.StringBuilder
txtScript.Append(vbCr & "<script language=vbscript>")
txtScript.Append(vbCr & "window.location = """ & strURL & """")
txtScript.Append(vbCr & "</script>" & vbCr & vbCr)

Page.RegisterStartupScript("redirect", txtScript.ToString)

When I redirect from the client, this works fine. Additionally, if I simply
type in the address into the browser, it works properly.

Any ideas? Will I have to do this from the client?

Thanks,

Wade
 
I don't like this approach (of passing credentials like this) at all.. it's
visible in the address bar.. so I'm not sure this is really a good idea.

it's an HTTP thingie.. so you would want to look at it there.. MSDN may have
it.. but may not...
 
See, I do not experience it displaying in the address bar. I have not been
able to find anything in MSDN concerning this, but I started to think that
all this method does is mimic what basic authentication does -- I mean,
basic authentication is unencrypted, clear text. Is employing this method
any different than using basic authentication? In both cases, obviously, it
would be worthwhile to encrypt using SSL.

I still wish I understood why this solution would not work if redirected
from the server, via response.redirect, but will if it is redirected at the
client. Even if this isn't a good solution, I'd like to know the answer to
that.
 
Look at HTTP specs... see what it says for 302 (that's what
response.redirect really is)...

as I said, all this is http stuff.. so MSDN may not have it (just like they
don't have http specs there...) you'd probably want to start looking at
w3c's site
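
Added example, not part of the thread: a Python sketch of the HTTP-level point discussed above, showing that `user:password@` in a URL maps to the same reversible Base64 value that Basic authentication sends, and how to strip that userinfo from a redirect or log line before it is stored. `mydomain.com` comes from the posts; the credential pair is the RFC 7617 sample, the log line is constructed, and the function names are this example's own.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def basic_header_from_url(url):
    """Authorization value a client derives from URL userinfo, or None if absent."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    pair = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")

def decode_basic_header(value):
    """Recover (user, password) from a Basic header: Base64 is encoding, not encryption."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def strip_userinfo(url):
    """Return the URL without user:password@, e.g. before logging or redirecting."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host = parts.hostname or ""
    if ":" in host:               # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))

def redact_line(line):
    """Redact credentials in any URL on a log/header line; return (clean_line, found)."""
    found = False
    def _sub(match):
        nonlocal found
        clean = strip_userinfo(match.group(0))
        found = found or clean != match.group(0)
        return clean
    return URL_RE.sub(_sub, line), found

# Constructed sample: a 302 response whose Location carries credentials in the URL.
SAMPLE = "HTTP/1.1 302 Found | Location: http://Aladdin:open%20sesame@mydomain.com/inbox"

if __name__ == "__main__":
    print(redact_line(SAMPLE))
```

Running `redact_line` over proxy, web-server and application logs flags every place such a URL was recorded, since each copy exposes the password to anyone who can read that log.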
 