Impersonation and webproxy credentials

Davide Bedin

I configured my ASP.NET 1.1 application to impersonate a specific user
account that has the rights to access the web through the network ISA
server.

So I tried to access a web resource, an external web service, specifying the
ISA address for the WebProxy class and setting the WebProxy.Credentials =
System.Net.CredentialCache.DefaultCredentials. I knew that in this scenario
the DefaultCredentials would be the credentials of the impersonated user.

Using the default credentials doesn't let me access the web service through
the ISA Server as I get a 407 Proxy Authentication Error. If I explicitly
create a new credentials object using the same user info of the impersonated
user account everything works as expected.

This sounds really strange to me; probably there is some additional setting
I might have set in a wrong way.

Thanks,
Davide
 
Alek Davis

Davide,

This is expected behavior. You can use pass-through credentials (from
computer A through computer B to computer C) only if Kerberos/delegation are
enabled on the network, which is not a recommended configuration (from a
security perspective). There must be a few posts related to this issue (just
do a search on keywords such as Kerberos, delegation, NTLM, IIS, etc.).

Alek
 
Davide Bedin

Thanks for the response.
As I'm passing the credentials of the impersonated ASP.Net app account and
not of the client account I don't see how I'm passing credentials from A to
B to C. From my point of view I'm passing credentials from B to C. This is
the web.config setting:
<identity impersonate="true" userName="user" password="password"/>

So why am I able to pass the default credentials (the credentials of the
impersonated user account) to another web service with Windows
authentication in order to be authenticated (or to access SQL Server with
integrated security) but not to pass them to the proxy?

From MSDN I read that in ASP.NET the default credentials are the user
credentials of the logged-in user, or the user being impersonated:
http://msdn.microsoft.com/library/d...edentialcacheclassdefaultcredentialstopic.asp

Will this code run only if Kerberos delegation is enabled, even if I'm not
impersonating the client user?
Dim proxy As New System.Net.WebProxy("proxy", True)
proxy.Credentials = System.Net.CredentialCache.DefaultCredentials
System.Net.GlobalProxySelection.Select = proxy

This is quite confusing to me.
Thank you for your help,
Davide
 
Alek Davis

Oh, I see. Not sure I completely understand your configuration and I haven't
worked with ISA servers, but these are my 2 cents. Just thinking logically
(although APIs are not necessarily logical, so take this with a
grain of suspicion), when you specify "identity impersonate" with userName
and password, your whole ASP.NET application should run under this identity
(instead of the default ASPNET account). If you do not explicitly set
credentials info, these credentials should be passed to the outbound calls.
So if you had a SQL server somewhere, you would be able to connect to it
using the application credentials without explicitly specifying them
(assuming that SQL server allows access by the impersonated user). But in your
configuration there is an ISA server and a proxy server, so I do not know
how they handle credentials info (haven't worked with ISA at all and have
limited knowledge of proxy servers). For example, it may be the case that
the proxy server needs explicit credentials to pass (delegate) them to the
external site (think of it as 3 systems: your Web server - proxy server -
external Web site). As I said, I am not an expert in this particular area,
so I may be wrong here. Hopefully someone more knowledgeable can answer your
question.

Alek
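
The comparison described in the first post, written out as a diagnostic (an added example, not code from the thread or its participants): it sends one request through the proxy with DefaultCredentials and one with an explicit NetworkCredential, and reports the identity the thread is running as and the authentication schemes the proxy offers on a 407. The proxy name, account, domain and URL are placeholders.

```vbnet
Imports System
Imports System.Net
Imports System.Security.Principal

Module ProxyCredentialCheck
    ' Builds a proxy object carrying the given credentials ("proxy" host name is a placeholder).
    Function BuildProxy(ByVal address As String, ByVal cred As ICredentials) As WebProxy
        Dim proxy As New WebProxy(address, True)
        proxy.Credentials = cred
        Return proxy
    End Function

    ' Sends one request through the proxy and returns a one-line diagnosis.
    Function Probe(ByVal url As String, ByVal proxy As WebProxy) As String
        Dim req As HttpWebRequest = CType(WebRequest.Create(url), HttpWebRequest)
        req.Proxy = proxy
        req.Timeout = 5000
        Try
            Dim resp As WebResponse = req.GetResponse()
            resp.Close()
            Return "OK"
        Catch ex As WebException
            If ex.Status = WebExceptionStatus.ProtocolError Then
                Dim http As HttpWebResponse = CType(ex.Response, HttpWebResponse)
                If http.StatusCode = HttpStatusCode.ProxyAuthenticationRequired Then
                    ' The schemes the proxy accepts (for example NTLM, Negotiate, Basic).
                    Return "407, proxy offers: " & http.Headers("Proxy-Authenticate")
                End If
                Return "HTTP " & CInt(http.StatusCode).ToString()
            End If
            ' DNS failure, timeout, refused connection and so on.
            Return "Transport error: " & ex.Status.ToString()
        End Try
    End Function

    Sub Main()
        Dim url As String = "http://example.com/service.asmx" ' placeholder target
        ' Under impersonation this is the impersonated account, not the process account.
        Console.WriteLine("Running as: " & WindowsIdentity.GetCurrent().Name)
        Console.WriteLine("Default:    " & _
            Probe(url, BuildProxy("proxy", CredentialCache.DefaultCredentials)))
        ' Placeholder account; real values belong in protected configuration, not source.
        Dim explicitCred As New NetworkCredential("user", "password", "DOMAIN")
        Console.WriteLine("Explicit:   " & Probe(url, BuildProxy("proxy", explicitCred)))
    End Sub
End Module
```

Running the same two probes inside the ASP.NET application, with the identity element from the web.config in place, shows which account the request actually runs as at the moment the proxy returns 407.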
 
