Forwarding credentials with ASP.net WebClient - authentication

I have a basic asmx page which requests data from a reporting services server.
The User, Web Server running the asmx and the reporting services server are all on the same windows domain.
Webclient request = new WebClient();
request.Credentials = ?WhatGoesHere?;
byte[] fileData = request.DownloadData(......)
If I set UseDefaultCredentials = true; it tries to authenticate using the credentials of the user running IIS.
How do I get the WebClient to authenticate as the user accessing the asmx page?

i assume that you have integrated authentication enabled on the web server hosting the aspx page and that the server is IIS.
if the page is not on the reporting server then you may be experiencing the double hop issue related to authentication forwarding. the solution requires kerberos authentication and proper configuration of a few items at the domain level.

Related

C# Webservice Proxy Windows Authentication

I have a c# application which consumes a webservice through a client proxy. The webservice is setup to use windows authentication (HTTP 401 challange through Active Directory). My user account configured to be authorized to access the webservice.
When I call the webservice through the browser it worked well. The browser is able to do the 401 challange and does not ask for any user id password (as internally the server and client do it through AD controller).
The problem is that when I try to consume the service through the C# application, it throws HTTP request unauthorized error.
I have tried all the below options for the webservice proxy to do windows authentication.
ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation
ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultCredentials as System.Net.NetworkCredential
ClientCredentials.Windows.AllowedImpersonationLevel =System.Security.Principal.TokenImpersonationLevel.Impersonation
Can someone please help on how I can make the webservice call just like how the browser does. I cannot pass user id and password while calling the service.
I figured out myself a workaround.The service call works well (HTTP 401 challange) with HTTPWebRequest with Credentials = CredentialCache.DefaultCredentials. Browser seems to be using the same approach.The problem is while creating a client proxy which is unable to do this 401 challange.
I could not figureout the reason but may be the service does not have enough meta information to establish a proper handshake with a client proxy.

Request ADFS security token from the backend of single sign-on enabled ASP.NET website

I have a single sign-on enabled ASP.NET web site which uses ADFS for authentication. On logon users are redirected to the ADFS sign-in page, then my application gets FedAuth cookies back and doesn't store any user passwords.
What I need to do is to contact a third-party service (namely, SharePoint), which is configured to use the same ADFS server for authentication, from the web site backend. I've learned that I should be able to do so by getting another security token using some WIF (WCF in fact) calls described for example here http://blogs.technet.com/b/speschka/archive/2010/06/04/using-the-client-object-model-with-a-claims-based-auth-site-in-sharepoint-2010.aspx.
My problem is I don't know how to provide authentication for such calls using the information implicitly available in single sign-on cookies. I do not have explicit credentials nor Windows authentication.
The code I'm trying to use follows:
WSTrust13ContractClient trustClient = new WSTrust13ContractClient(binding, address);
trustClient.ClientCredentials.Windows.AllowNtlm = true;
trustClient.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
trustClient.ClientCredentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
System.ServiceModel.Channels.Message response =
trustClient.EndIssue(trustClient.BeginIssue(
System.ServiceModel.Channels.Message.CreateMessage(
MessageVersion.Default, WSTrust13Constants.Actions.Issue,
new RequestBodyWriter(trustSerializer, rst)), null, null));
It fails with "The HTTP request was forbidden with client authentication scheme 'Negotiate'" message.

WCF Service windows authentication

a WCF Service in hosted in our internal server. an external client will consume it and, our Service will consume our SharePoint service in order to edit an item list.
The WCF Service will have the automatically earn the windows authentication to access to the SharePoint site so I do not have to provide a login and password not domain name.
I am not sure how I am supposed to code my service:
NetworkCredential credential = CredentialCache.DefaultNetworkCredentials;
will be enough?
Architecture
But if you do need to use a specific account you could go for the following:
NetworkCredential credentials = new System.Net.NetworkCredential("name", "password", "optional:domain");
IMO, it should be enough, if your wcf and SharePoint services in same (or trusted) domains, and you select appropriative security mode.
See for more details:
http://msdn.microsoft.com/en-us/library/ms733836.aspx

WCF Changing credentials

I have a web app that calls a WCF web application with several services, all using basicHttBinding, on different servers (web server, app server and database server). One of the services has to connect to a database that must be called using an active directory account. Coming in from the web site the user is anonymous.
I have been given credentials to set this user to but I cannot get it to work. I create my channel on the web server like this:
ChannelFactory<T> channelFactory = GetChannelFactoryFromPool<T>(enpointAddress);
channelFactory.Credentials.Windows.ClientCredential.UserName = username;
channelFactory.Credentials.Windows.ClientCredential.Password = password;
channelFactory.Credentials.Windows.ClientCredential.Domain = domain;
proxy = channelFactory.CreateChannel();
In the service on the app server I am trying to determine if the credentials are correct by doing this:
var ssc = ServiceSecurityContext.Current;
but ssc is always null. Can this be done with basicHttpBinding?
Thanks,
Paul
The basicHttpBinding does support Windows authentication as documented in this good MSDN article. You also need to ensure the service operations are configured to allow impersonation of the client credentials to have the security context populated as expected.

Can WCF do WindowsAuthentication with username password?

I'm building an wcf service that is meant to run in an intranet environment using Windows Authentication. I have been merrily working along with some kind of default settings on the local computer.
Problem now is that I need to test it installed to an off site demo computer. I just need to get it running with username password used against the wcf service computer's user accounts.
This is my client code:
using (ImportServiceClient client = new ImportServiceClient("ImportServiceSoap12", REMOTE_ADDRESS))
{
client.ClientCredentials.Windows.AllowNtlm = true;
client.ClientCredentials.Windows.ClientCredential =
new NetworkCredential(userName, password, computerName);
result = client.Sync(items.ToArray());
}
Is it possible to configure the wcf service such that it translates the credential to a windows account on it's machine?
I've been reading contradicting posts here and there, but I feel rather sure IIS shouldn't be part of the authentication. I'm unsure wether ASP.Net authentication node applies or if it's all binding configuration.
Ideally I'd like it to be an NTLM type authentication so that I wouldn't need to set up https.
Is it possible to configure the wcf service such that it translates the credential to a windows account on its machine?
No. Integrated Windows Authentication requires that both the server and the client are part of the same domain (or domains with a trust relationship, in any case). You can't usefully run IWA against local computer accounts on the server.
You will have to use some other (potentially custom) form of authentication and then impersonate to the user you want to run as in the server code.