How to ensure that our site authenticates with Kerberos - HttpWebRequest

I am working with HttpWebRequest in .NET. I am using delegation (impersonation) to do this:
request.Credentials = CredentialCache.DefaultCredentials;
request.ImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;
In the web.config file:
<identity impersonate="true" />
For impersonation, Kerberos is required...
So I need to ensure whether the site authenticates using Kerberos or NTLM,
because my code throws a 401 Unauthorized error.
So please help me with this!

Is the account you are impersonating trusted for delegation in the AD?
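An added diagnostic (not part of the question or the answer above) for finding out which scheme the site actually negotiates, in three steps: read the challenge the site offers, classify a captured Negotiate token from a network trace, and send the request from the question with mutual authentication required so that a silent fallback to NTLM fails instead of producing a downstream 401. The URL and the classification heuristic are assumptions; the .NET members used (AuthenticationLevel, IsMutuallyAuthenticated, WebHeaderCollection.GetValues) are standard.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Principal;
using System.Text;

// Added diagnostic (not the asker's code): find out which scheme an IIS site really
// uses before and after the HttpWebRequest from the question is sent.
static class KerberosCheck
{
    // 1. An anonymous request provokes the 401 challenge. The WWW-Authenticate headers
    //    list the schemes the site offers, e.g. "Negotiate", "NTLM", "Basic realm=...".
    public static string[] OfferedSchemes(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Credentials = null; // deliberately unauthenticated
        try
        {
            using (request.GetResponse()) { return new string[0]; } // no challenge: anonymous access is on
        }
        catch (WebException ex)
        {
            var response = ex.Response as HttpWebResponse;
            if (response == null || response.StatusCode != HttpStatusCode.Unauthorized) throw;
            return response.Headers.GetValues("WWW-Authenticate") ?? new string[0];
        }
    }

    // 2. Heuristic classification of the base64 blob from an "Authorization: Negotiate ..."
    //    header copied from a network trace. SPNEGO carries either a Kerberos AP-REQ or an
    //    NTLM message; every NTLM message starts with the "NTLMSSP\0" signature, and a
    //    Kerberos token references one of the two Kerberos mechanism OIDs.
    static readonly byte[] NtlmSignature = Encoding.ASCII.GetBytes("NTLMSSP\0");
    static readonly byte[] KerberosOid   = { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x02 };
    static readonly byte[] MsKerberosOid = { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x82, 0xF7, 0x12, 0x01, 0x02, 0x02 };

    public static string ClassifyNegotiateToken(string base64Token)
    {
        byte[] raw = Convert.FromBase64String(base64Token);
        if (Contains(raw, NtlmSignature)) return "NTLM";
        if (Contains(raw, KerberosOid) || Contains(raw, MsKerberosOid)) return "Kerberos";
        return "unknown";
    }

    static bool Contains(byte[] haystack, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= haystack.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && haystack[i + j] == needle[j]) j++;
            if (j == needle.Length) return true;
        }
        return false;
    }

    // 3. The request from the question with one addition: MutualAuthRequired makes the
    //    request fail instead of silently falling back to NTLM, because only Kerberos
    //    can authenticate the server to the client.
    public static bool AuthenticatedWithKerberos(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Credentials = CredentialCache.DefaultCredentials;
        request.ImpersonationLevel = TokenImpersonationLevel.Delegation;
        request.AuthenticationLevel = AuthenticationLevel.MutualAuthRequired;
        using (var response = (HttpWebResponse)request.GetResponse())
        {
            return response.IsMutuallyAuthenticated; // true whenever the request succeeds
        }
    }
}
```

Two checks outside the code confirm the result: on the client, `klist` after the request shows whether a service ticket for the site's HTTP/host SPN was obtained, and on the web server the Security log event 4624 for the logon names the Authentication Package (Kerberos or NTLM). When Negotiate ends up using NTLM, the usual cause is a missing SPN or a host name in the URL (IP address, alias) that does not match a registered SPN; NTLM cannot forward the user's identity to a second hop, which is exactly the 401 the question describes, and the account question in the answer above is the other half of the same check.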

Related

Grails App - spring security, spring-security-rest: Token & Basic Auth on only 1 auth endpoint

My project is already using basic Spring Security auth. I am integrating another system into my project, and in order for it to make requests to the necessary URLs, this system needs to be authorized in mine. But in the system that needs to be integrated, authentication is set by a token, which I can verify on my side. How can I validate or verify this token and then authenticate such a request without breaking the existing username and password authentication? After the authorization, I will give the role to this user so that he can make a request to the desired endpoint. Thanks in advance for your reply and any suggestions.

Authentication request with kerberos

I'm working on accessing Microsoft Endpoint Configuration Manager (SCCM) and it uses Kerberos authentication. I need help in understanding how I can generate the Authorization header (Negotiate) with the given username and password which have access to the SCCM server.
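An added example, not from the question, showing the approach a practitioner would take instead of building the Negotiate header by hand: the Kerberos AP-REQ inside it is bound to the target SPN and carries a fresh authenticator, so it has to be produced by the SSPI stack, which .NET does once it is given the credentials. The URL, account values and the helper names are assumptions.

```csharp
using System;
using System.Net;

// Added example (not the asker's code): give explicit credentials to the .NET/SSPI
// stack and let it produce the "Authorization: Negotiate <token>" header.
static class SccmNegotiateClient
{
    public static HttpWebRequest CreateRequest(string url, string user, string password, string domain)
    {
        var uri = new Uri(url);

        // Scope the credential to this URI and to the Negotiate scheme only. With a plain
        // NetworkCredential the stack would also answer a Basic or NTLM challenge with the
        // same password, which a misconfigured server could request.
        var cache = new CredentialCache();
        cache.Add(uri, "Negotiate", new NetworkCredential(user, password, domain));

        var request = (HttpWebRequest)WebRequest.Create(uri);
        request.Credentials = cache;
        request.PreAuthenticate = true; // after the first 401 round trip, send the header proactively
        return request;
    }

    // Returns the HTTP status. A 401 with these settings usually means Kerberos could not be
    // used: no SPN is registered for the host name in the URL, or an IP address was used.
    public static HttpStatusCode Probe(string url, string user, string password, string domain)
    {
        try
        {
            using (var response = (HttpWebResponse)CreateRequest(url, user, password, domain).GetResponse())
            {
                return response.StatusCode;
            }
        }
        catch (WebException ex)
        {
            var failed = ex.Response as HttpWebResponse;
            if (failed == null) throw;
            return failed.StatusCode;
        }
    }
}
```

The same CredentialCache pattern works with HttpClientHandler.Credentials for HttpClient. Keep the URL on the server's registered DNS name; Kerberos cannot issue a ticket for an IP address with default settings, and the stack then falls back to NTLM.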

Request ADFS security token from the backend of single sign-on enabled ASP.NET website

I have a single sign-on enabled ASP.NET web site which uses ADFS for authentication. On logon users are redirected to the ADFS sign-in page, then my application gets FedAuth cookies back and doesn't store any user passwords.
What I need to do is to contact a third-party service (namely, SharePoint), which is configured to use the same ADFS server for authentication, from the web site backend. I've learned that I should be able to do so by getting another security token using some WIF (WCF in fact) calls described for example here http://blogs.technet.com/b/speschka/archive/2010/06/04/using-the-client-object-model-with-a-claims-based-auth-site-in-sharepoint-2010.aspx.
My problem is I don't know how to provide authentication for such calls using the information implicitly available in single sign-on cookies. I do not have explicit credentials nor Windows authentication.
The code I'm trying to use follows:
// binding, address, trustSerializer and rst are created earlier (not shown)
WSTrust13ContractClient trustClient = new WSTrust13ContractClient(binding, address);
trustClient.ClientCredentials.Windows.AllowNtlm = true;
trustClient.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
// the process identity of the web site, since no explicit credentials are available
trustClient.ClientCredentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
System.ServiceModel.Channels.Message response =
    trustClient.EndIssue(trustClient.BeginIssue(
        System.ServiceModel.Channels.Message.CreateMessage(
            MessageVersion.Default, WSTrust13Constants.Actions.Issue,
            new RequestBodyWriter(trustSerializer, rst)),
        null, null));
It fails with "The HTTP request was forbidden with client authentication scheme 'Negotiate'" message.

Integration Sharepoint 2010, ADFS 2.0 and ThinkTecture IdentityServer

I have the following scenario:
Sharepoint 2010 with Claims based authentication web application.
ADFS 2.0 which has configured Claims provider trust to the ThinkTecture IdentityServer.
ThinkTecture IdentityServer which has configured ADFS 2.0 as a relying party.
Sharepoint 2010 has SPTrustedIdentityTokenIssuer configured pointing to ADFS 2.0.
Now when I'm logging in to SharePoint, I'm redirected to the ADFS 2.0 Home Realm page, where I choose the Identity Provider. Then I'm redirected to the ThinkTecture IdentityServer. Then I'm logged in with my credentials from IdentityServer and I'm redirected back to ADFS and then to SharePoint. The problem is that SharePoint shows an error message. I am adding log records from SharePoint:
Authenticated with login provider. Validating request security token.
Trusted login provider 'SAML2 Provider' is not sending configured input identity claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm.
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateTrustedLoginRequest()
Access Denied: Authentication is required.
I found out that the token returned from IdentityServer to ADFS contains the emailaddress claim, but the token returned from ADFS to SP does not. It is strange, because I have ADFS configured to pass emailaddress through for all claims
(in the Claims provider trust for IdentityServer). Do I need to set up ADFS somewhere else? I am a newbie in ADFS.
What I want to achieve is to forward my request through ADFS to the IdentityProvider (in this case ThinkTecture IdentityServer) and to get back the token from the IdentityProvider. ThinkTecture IdentityServer is only in my test environment; in the real environment it will be replaced by Oracle Identity Federation.
The target problem is to integrate SharePoint 2010 with Oracle Identity Federation. But the problem is that SharePoint doesn't support the SAML 2 protocol, which OIF will provide as its exclusive endpoint binding. So I'm trying to hack it with ADFS (as something like a proxy) which will communicate with SharePoint based on SAML 1.1 on one side and with OIF based on SAML 2 on the other side.
This is an extract from the IdP metadata:
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">...
So I have no option to use WS-Federation.
I will appreciate advice on whether this is a good way to achieve the required behaviour.
Thanks
So your path is SP -> ADFS -> IdentityServer?
The problem is that the email address is not being passed through. So you have to set up IdentityServer to generate the email address claim and you have to set up ADFS to pass through all claims. Then configure SP to accept email address as a claim (using the SP PowerShell commands).
Add: You need to create pass-through claim rules for the email claim in ADFS - both for the claims provider trust and the relying party trust.
OIF supports WS-Federation - refer to Oracle Identity Federation 11g R2 - so no problem to federate OIF with SP.

Forms Authentication Error in WCF

We are connecting to a WCF web service which has Anonymous Access turned off and Windows Authentication turned on. The web.config file has a local user account in allow users and deny users="?".
I can download and generate the service proxy fine (being prompted for creds), however from my windows form project (even when passing in the credentials), I get the following error:
System.ServiceModel.Security.MessageSecurityException was unhandled
Message="The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm=\"SEIPART001\"'."
Message="The remote server returned an error: (401) Unauthorized."
Here is my sample code:
iParts.ip.eIPCShoppingCartWSSoapClient client = new iParts.ip.eIPCShoppingCartWSSoapClient();
System.Net.NetworkCredential creds = new System.Net.NetworkCredential("username", "password", "domain");
client.ClientCredentials.Windows.ClientCredential = creds;
iParts.ip.OrderListItem[] listItem = client.GetOrderList("1234"); // throws the exception here
Looks like your service is asking for basic authentication; not windows integrated authentication.
In that case, I think you need to specify the credentials on the client proxy using in the ClientCredentials.UserName property and not ClientCredentials.Windows.
No change. The virtual directory is asking for Windows Auth and passing in a local user. It works fine in the browser but the service keeps erroring out.
Looks like you should switch to transport security.
Look in the security section of your configuration.
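An added example (not the asker's or the answerers' code) that applies the two answers above in code: a BasicHttpBinding with transport-level Basic credentials and the credentials placed in ClientCredentials.UserName. The contract interface IShoppingCartSoap is a hypothetical stand-in for the generated one; the URL and account values are assumptions.

```csharp
using System;
using System.ServiceModel;

// Hypothetical stand-in for the generated service contract; in the asker's project the
// service reference generates the real interface and eIPCShoppingCartWSSoapClient.
[ServiceContract]
public interface IShoppingCartSoap
{
    [OperationContract]
    string[] GetOrderList(string orderId);
}

public static class BasicAuthClient
{
    // Transport-level Basic auth, which is what the "Basic realm=..." challenge in the
    // error asks for. Basic only base64-encodes the password, so use Transport (HTTPS);
    // TransportCredentialOnly sends it over plain HTTP and belongs only on a hop that is
    // already protected in another way.
    public static BasicHttpBinding CreateBinding(bool useHttps)
    {
        var binding = new BasicHttpBinding(useHttps
            ? BasicHttpSecurityMode.Transport
            : BasicHttpSecurityMode.TransportCredentialOnly);
        // With the default credential type None, WCF sends no credentials at all, which is
        // the "client authentication scheme 'Anonymous'" in the exception message.
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        return binding;
    }

    public static ChannelFactory<TContract> CreateFactory<TContract>(
        string url, string user, string password, string domain)
    {
        bool useHttps = url.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
        var factory = new ChannelFactory<TContract>(CreateBinding(useHttps), new EndpointAddress(url));
        // Basic auth reads ClientCredentials.UserName; ClientCredentials.Windows is only used
        // for the Windows (Negotiate/NTLM) credential type, so setting it changed nothing.
        factory.Credentials.UserName.UserName = string.IsNullOrEmpty(domain) ? user : domain + "\\" + user;
        factory.Credentials.UserName.Password = password;
        return factory;
    }

    public static string[] GetOrders(string url, string user, string password, string domain, string orderId)
    {
        var factory = CreateFactory<IShoppingCartSoap>(url, user, password, domain);
        IShoppingCartSoap channel = factory.CreateChannel();
        try
        {
            return channel.GetOrderList(orderId);
        }
        finally
        {
            var client = (IClientChannel)channel;
            if (client.State == CommunicationState.Faulted) client.Abort(); else client.Close();
        }
    }
}
```

With the generated proxy instead of a ChannelFactory, the same two settings apply: `client.ClientCredentials.UserName` for the account, and in the binding configuration `<security mode="Transport"><transport clientCredentialType="Basic" /></security>`. For a local account on the server, the domain part is the server's machine name.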