Proxy auth with default credentials

kristan.mcdonald

Ok, I've managed to get authenticated on my proxy by doing:

System.Net.WebRequest req;
req = System.Net.WebRequest.Create("http://www.mywebsite.com/");
System.Net.WebProxy prx = new System.Net.WebProxy("http://myproxyserver", true);
System.Net.CredentialCache cache = new System.Net.CredentialCache();
// Bind explicit credentials to the proxy URI for the NTLM scheme only
cache.Add(new Uri("http://myproxyserver"), "NTLM", new System.Net.NetworkCredential("username", "password", "domain"));
// Attach the cache to the proxy and the proxy to the request
prx.Credentials = cache;
req.Proxy = prx;

I want this to be an app on the intranet and use the impersonated user's
details. I've set up IIS to auth using integrated authentication, the
.NET app is set to impersonate=true and Windows authentication. The box
is set to be trusted for delegation etc.

But I can't figure out how in code to create the cache entry for the
proxy server for the impersonated user. I don't want to hardcode a
un/pw for obvious reasons but I can't see any other way. I've tried to
use the System.Net.CredentialCache.DefaultCredentials but I just get a
proxy auth required message if I try it.

BTW, for some reason setting the proxy's credentials to the
DefaultCredentials doesn't seem to work, if I look at a packet trace it
tries to negotiate authentication with the proxy server but it does it
under "Negotiate" rather than "NTLM" - this seems to make a difference.

Help!
 
Joe Kaplan (MVP - ADSI)

I'm pretty sure I read that .NET can't do proxy server authentication using
Kerberos authentication. You would need that in your scenario as you would
be delegating the user's login credentials to the proxy server.

I think there is a kbase article that covers this.
http://support.microsoft.com/kb/321728/

That Kbase mentions it in terms of IE, but System.Net uses WinInet under the
covers, so I would not be surprised if the same rules apply.

Joe K.
 
kristan.mcdonald

Ok, I'm still getting my head around the whole Windows security setup,
but from what you've said my understanding is:
I can't auth with Kerberos to the proxy, impersonation is a function of
Kerberos, so I won't be able to authenticate against the proxy with an
impersonated user.

I'm happy I can't do that, but seeing as I'm impersonating the user on
the IIS box, I've therefore got a thread running as mydomain\myuser on
the IIS box. Why can't I use that user's credentials to create something
I can assign to the proxy object so I can use with NTLM authentication
(which does work against the proxy)?

Basically I'm trying to get a way of creating a
System.Net.NetworkCredential with the details of the user IIS is
impersonating - I just can't see how to do it?
 
Joe Kaplan (MVP - ADSI)

It is actually delegation that is a function of Kerberos. Impersonation can
be done with most types of Windows authentication. The issue is that you
are impersonating a user who was authenticated from a remote browser via
IWA, so in order to pass their credentials on to another network node (the
proxy server in this case), you must use delegation.

If you authenticated with Basic authentication, then you could capture the
user's plaintext credentials and use that to build a NetworkCredential or
you might be able to simply impersonate the user and authenticate via NTLM
to the proxy server. That depends a little on how IIS did the Basic
authentication.

I'm not sure there is another good solution for you though if you need to
use the authenticated user's credentials to access the web resource and the
proxy requires authentication.

Joe K.
 
kristan.mcdonald

What I thought I could do was just impersonate the user on IIS,
configure the proxy's credentials to DefaultCredentials (which should
be that of the logged on user) and then everything should work. It
didn't though and I got a 407 proxy authentication required so I assumed it
wasn't passing anything. However when I captured the conversation
between IIS and the proxy, it was trying to authenticate using
"Negotiate" rather than "NTLM" which appears to be what is needed. This
failing is probably because of the restrictions in the article you
mentioned.

The only way I seemed to be able to force the IIS to send NTLM was to
create the credentials myself, hence me now needing a way to get from
the impersonated user to a NetworkCredential object I can use. The only
other thing I can think of is if there is some way to force the WebProxy
object to only use NTLM and not Negotiate - any ideas??

Thanks
 
kristan.mcdonald

Done a bit more digging and it may not be the auth type that's the
problem, I've tried doing:

System.Net.NetworkCredential myCred = System.Net.CredentialCache.DefaultCredentials.GetCredential(new Uri("http://myproxyserver"), "NTLM");

and if I examine the contents of myCred, everything is blank - no
matter what URI I specify, it comes back with blank username, blank
domain etc. If I look at User.Identity it's got it running as the right
person, am I being really thick as to what DefaultCredentials should
allow me to do? Is it maybe just not populated when you're
impersonating and I have to do something extra to make it work?
 
Joe Kaplan (MVP - ADSI)

I don't think DefaultCredentials ever shows you who the person is. It is
just some kind of a wrapper around an internal handle. I could be wrong
about that.

The issue is that you can't get the right kind of NTLM credentials for the
user if you authenticated them with IWA on the front end. You would need to
prompt the user for their plaintext credentials.

Is it possible for you to use a service account's credentials to get through
the proxy server authentication? You would be building a NetworkCredential
with explicit credentials, but it would not require getting the user's
plaintext credentials.

Joe K.
 
kristan.mcdonald

I've tried a slightly different tack now and I'm still getting nowhere.
I've created a C# console app and pasted in the following:

System.Net.WebRequest req;
req = System.Net.WebRequest.Create("http://test.com");
System.Net.WebProxy prx = new System.Net.WebProxy("http://myproxy", true);
prx.Credentials = System.Net.CredentialCache.DefaultCredentials;

//comment out to switch between default proxy and proxy specified above
//req.Proxy = prx;
req.Proxy = System.Net.WebProxy.GetDefaultProxy();

System.Net.WebResponse resp = req.GetResponse();


In both cases (using GetDefaultProxy and DefaultCredentials) I get a
407 error. This is running on my PC, logged in as me - if I open IE I
can connect fine - I'm getting confused now! I don't really want to
have to hard code credentials in (or pull them from registry/config or
something) but I can't see any way around it at the moment. I must be
doing something really basic wrong. Incidentally, if I create my own
NetworkCredential object and specify them that way, it works.
 
Joe Kaplan (MVP - ADSI)

This I can't tell you. I'd suggest sniffing the network traffic with a tool
like Ethereal and seeing what is different between IE and your code.
However, you should be able to make this work with the right combo of
parameters.

Joe K.
 
kristan.mcdonald

Well I've got it working in the console app, basically it looks like
you have to request the credential for the URI you're trying to request
from DefaultCredentials instead of just assigning the lot, this has the
effect of forcing it to use NTLM instead of Negotiate which seems to
work, basically swapping:

prx.Credentials = System.Net.CredentialCache.DefaultCredentials;

for

System.Net.CredentialCache cache = new System.Net.CredentialCache();
cache.Add(new Uri("http://proxyserver"), "NTLM", System.Net.CredentialCache.DefaultCredentials.GetCredential(new Uri("http://proxyserver"), "NTLM"));
prx.Credentials = cache;

However this doesn't work when I put it in an asp.net app and try it
with impersonation. I'm going to give up with impersonation for now and
do the whole thing a different way. Thanks for all your help with this
Joe!

Kristan
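
The approach the thread converges on, as an added console example that is not code from either poster: the credential is bound to the proxy URI for the "NTLM" scheme only, and a 407 is reported with the schemes the proxy offered instead of needing a packet capture. It uses CredentialCache.DefaultNetworkCredentials (the NetworkCredential-typed form of the default credentials) and, following the service-account suggestion above, optionally reads explicit credentials from environment variables; the PROXY_SVC_* names and the class and method names are hypothetical, and the URLs are the thread's placeholders.

```csharp
using System;
using System.Net;

static class NtlmProxyDemo
{
    // The credential is registered for "NTLM" only, so the cache has nothing to
    // hand out for a Negotiate challenge (the effect described in the last post).
    static WebProxy BuildNtlmOnlyProxy(Uri proxyUri, NetworkCredential cred)
    {
        var cache = new CredentialCache();
        cache.Add(proxyUri, "NTLM", cred);
        return new WebProxy(proxyUri, true) { Credentials = cache };
    }

    // Assumption: a service account is supplied by the host environment rather
    // than hardcoded; the variable names are hypothetical.
    static NetworkCredential PickCredential()
    {
        string user = Environment.GetEnvironmentVariable("PROXY_SVC_USER");
        string pass = Environment.GetEnvironmentVariable("PROXY_SVC_PASSWORD");
        string domain = Environment.GetEnvironmentVariable("PROXY_SVC_DOMAIN");
        if (!string.IsNullOrEmpty(user) && !string.IsNullOrEmpty(pass))
            return new NetworkCredential(user, pass, domain ?? "");
        // Otherwise use the identity the process is running as.
        return CredentialCache.DefaultNetworkCredentials;
    }

    static void Main()
    {
        var proxyUri = new Uri("http://myproxyserver");   // placeholder from the thread
        var req = (HttpWebRequest)WebRequest.Create("http://www.mywebsite.com/");
        req.Proxy = BuildNtlmOnlyProxy(proxyUri, PickCredential());
        try
        {
            using (var resp = (HttpWebResponse)req.GetResponse())
                Console.WriteLine("OK: {0}", (int)resp.StatusCode);
        }
        catch (WebException ex)
        {
            var resp = ex.Response as HttpWebResponse;
            if (resp == null || resp.StatusCode != HttpStatusCode.ProxyAuthenticationRequired)
                throw;
            // List the schemes the proxy challenged with (e.g. Negotiate, NTLM).
            string[] offered = resp.Headers.GetValues("Proxy-Authenticate") ?? new string[0];
            Console.WriteLine("407 from proxy; schemes offered: {0}", string.Join(", ", offered));
        }
    }
}
```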
 
