What is the difference between manually constructed NetworkCredential and one from WindowsIdentity?


DAXU

Hello,
I have a winform (client) and windows service (server),
At client side, when I construct a NetworkCredential manually by
providing username, password and domain, I can do this:

clientSide.AuthenticateAsClient(new NetworkCredential
("administrator","8ik,7UJM","jerry.test"),
spn.ToString(),
ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Delegation);

However, if I get the default credential from the current Windows identity
after impersonating the user:
clientSide.AuthenticateAsClient
(System.Net.CredentialCache.DefaultNetworkCredentials,
spn.ToString(),
ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Delegation);

It always fails and error message is:
A security requirement was not fulfilled during authentication.
Required: Delegation, negotiated: Impersonation.

So what is the difference between above calls? Except one is manually
constructed?

Many Thanks

Jerry
 
> Hello,
> I have a winform (client) and windows service (server),
> At client side, when I construct a NetworkCredential manually by
> providing username, password and domain, I can do this:
>
> clientSide.AuthenticateAsClient(new NetworkCredential
> ("administrator","8ik,7UJM","jerry.test"),
> spn.ToString(),
> ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Delegation);
>
> However, if I get the default credential from the current Windows identity
> after impersonating the user:
> clientSide.AuthenticateAsClient
> (System.Net.CredentialCache.DefaultNetworkCredentials,
> spn.ToString(),
> ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Delegation);
>
> It always fails and error message is:
> A security requirement was not fulfilled during authentication.
> Required: Delegation, negotiated: Impersonation.
>
> So what is the difference between above calls? Except one is manually
> constructed?

When you say "get the default credential from current windows identity
after impersonate the user" what do you mean exactly? Is this a web
service (ASMX or WCF) that is impersonating, another system, etc?

Depending on what is impersonating, you may have the security of the
configuration set up incorrectly. For example, web services have to be
configured to use Windows authentication to get the proper user token.

Regardless, check the actual user that is in the windows identity
credential by querying it after it is filled. If it is not the same,
that is the issue. If it is, check all of the properties and see if
there are any differences. Somewhere there has to be a difference you
can find and alleviate.


--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

*******************************************
| Think outside the box! |
*******************************************
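
The check suggested in the reply above, as an added C# example that is not code from either poster. `CredentialCache.DefaultNetworkCredentials` returns empty `UserName`, `Password` and `Domain` strings by design, so the identity has to be read from `WindowsIdentity.GetCurrent()` inside the impersonation block. The class name `DelegationDiagnostics` and the `TryAuthenticate` wrapper are hypothetical; `stream` is assumed to be the already-connected `NegotiateStream` the question calls `clientSide`.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Principal;

static class DelegationDiagnostics   // hypothetical helper, not from the thread
{
    // Describe the security context of the calling thread. Call this inside
    // the impersonation block, immediately before AuthenticateAsClient.
    public static string DescribeCurrentIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return string.Format(
                "user={0} authType={1} level={2} authenticated={3} anonymous={4}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel,
                id.IsAuthenticated, id.IsAnonymous);
        }
    }

    // Log the context, attempt the same call as in the question, and report
    // either the failure message or what the stream actually negotiated.
    public static bool TryAuthenticate(NegotiateStream stream, NetworkCredential cred,
                                       string spn, TextWriter log)
    {
        log.WriteLine("before: " + DescribeCurrentIdentity());
        // Both fields print empty for DefaultNetworkCredentials.
        log.WriteLine("credential user='{0}' domain='{1}'", cred.UserName, cred.Domain);
        try
        {
            stream.AuthenticateAsClient(cred, spn,
                ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Delegation);
        }
        catch (AuthenticationException ex)
        {
            log.WriteLine("failed: " + ex.Message);
            return false;
        }
        log.WriteLine("negotiated: level={0} mutual={1} encrypted={2} signed={3}",
            stream.ImpersonationLevel, stream.IsMutuallyAuthenticated,
            stream.IsEncrypted, stream.IsSigned);
        return true;
    }

    // Runs offline: prints only the local security context.
    static void Main() { Console.WriteLine(DescribeCurrentIdentity()); }
}
```

Running `TryAuthenticate` once with the explicit credential and once with the default credential under impersonation gives two log records whose `user`, `authType` and `level` fields can be compared side by side.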
 