If WebApp is configured as Windows Authentication, how to get the user credential in code?
How to create NetworkCredential using this exsiting user credential?
System.Net.CredentialCache.DefaultCredentials;
The DefaultCredentials property
applies only to NTLM, negotiate, and
Kerberos-based authentication.
DefaultCredentials represents the
system credentials for the current
security context in which the
application is running. For a
client-side application, these are
usually the Windows credentials (user
name, password, and domain) of the
user running the application. For
ASP.NET applications, the default
credentials are the user credentials
of the logged-in user, or the user
being impersonated.
Example:
System.Net.WebProxy proxyObject = new System.Net.WebProxy();
proxyObject.Credentials = System.Net.CredentialCache.DefaultCredentials;
Related
I developped a windows service that is running Logged On as: a specific windows user.
I use this user, because it has permission for web site I need to request in this windows service.
The issue is that when requesting the web, using CredentialsCache.DefaultNetworkCredentials i uses the credentials of the current user logged in(WindowsIdentity.GetCurrent()) to windows which has no access to this web. I
I need in some way to pass the Credentials of the Windows service's "Log In as" user:
WebRequest request = WebRequest.Create("some url");
// the user running the service can be get from here:
// WindowsIdentity.GetCurrent(), but not the password
request.Credentials = "some code tobtain the user from the service user"
If I use:
request.Credentials = CredentialCache.DefaultNetworkCredentials;
it uses the user from the windows account NOT the windows service account.
Any ideas?
the user running the service can be get from here: WindowsIdentity.GetCurrent(), but not the password
If you can get the current WindowsIdentity, you should be able to impersonate it:
WindowsIdentity currentIdentity = WindowsIdentity.GetCurrent();
using (WindowsImpersonationContext impersonatedUser = currentIdentity.Impersonate())
{
// Check the identity.
Console.WriteLine("After impersonation: " + WindowsIdentity.GetCurrent().Name);
// Make the request
WebRequest request = WebRequest.Create("https://google.com");
// etc
}
I would like to use the app pool credentials to avoid a double-hop issue from a web API method. However, I do not want all requests to be impersonated but just this one particular request. The code currently looks something like this:
[Route("api/mycontroller/mymethod")]
public string GetDataFromOtherInternalSystem(int id)
{
var client = new WebClient ( Credentials = CredentialCache.DefaultNetworkCredentials);
return client.DownloadString('http://internaldomain/api/method/id')
}
From what I understand of MSDN, the user context is the logged in user for that browser session (i.e. my account going through Active Directory and not the app pool's account).
The credentials returned by DefaultNetworkCredentials represents the
authentication credentials for the current security context in which
the application is running. For a client-side application, these are
usually the Windows credentials (user name, password, and domain) of
the user running the application. For ASP.NET applications, the
default network credentials are the user credentials of the logged-in
user, or the user being impersonated.
This then creates the double-hop issue which could be eliminated if the request comes cleanly from the web application as the service account (without me having to construct credentials on the fly).
Any ideas on how to impersonate the app pool without me specifying user credentials as follows:
var cred = new NetworkCredential("myusername", "mypassword")
Again I'm trying to avoid the other web service being properly set up for Kerberos or CORS.
This can be accomplished by passing a null pointer (IntPtr.Zero) to the static Impersonate method of the WindowsIdentity class. Here is how it is described in the MSDN document for the Impersonate method:
Calling the Impersonate(IntPtr) method with a userToken value of Zero is equivalent to calling the Win32 RevertToSelf function. If another user is currently being impersonated, control reverts to the original user.
Usage would look something like the following:
using (var impersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero))
{
try
{
// this code is now using the application pool indentity
}
finally
{
if (impersonationContext != null)
{
impersonationContext.Undo();
}
}
}
I'm trying to impersonate a remote active directory account in my asp.net c# website which is hosted on a none domain computer (or other domain). I've gotten this to work:
IntPtr token = IntPtr.Zero;
LogonUser( "username", "ad.some.other.domain.com", "password", LOGON_TYPE_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, ref token))
{
WindowsImpersonationContext wic;
wic = WindowsIdentity.Impersonate(token);
//run code under the impersonated user.
//System.Environment.UserName returns windows user (not impersonated one)
//WindowsIdentity.GetCurrent() returns windows user (not impersonated one)
}
My code runs, but I'm not able to get the 'username' of the impersonated user. I understand this is because i'm using LOGON_TYPE_NEW_CREDENTIALS as my logon type, which technically doesn't impersonate, but runs network connections under the impersonated account using the token. This works fine, but ideally my site would run under the impersonated user, so I can get the username, and possibly other features. Basically I want to interact with the site as the impersonated user, not just run network connections as the impersonated user. I've tried LOGON32_LOGON_INTERACTIVE as the logon type, but this doesn't allow me to authenticate domain accounts on my site which is running on a none domain computer.
Is there something I can do so that I can fully impersonate (get the username, etc.) and authenticate using active directory from a none domain computer?
I am not sure what kind of website you are using, if ASP.Net or MVC you need to do
<identity impersonate="true" />
http://msdn.microsoft.com/en-CA/library/aa292118%28v=vs.71%29.aspx
We're trying to authenticate to our hosted TFS service account in c# using TeamFoundationServer .net control, here is my code :
NetworkCredential tfsCredential = new NetworkCredential(username, password);
TeamFoundationServer tfsServer = new TeamFoundationServer(tfsAddress, tfsCredential);
tfsServer.Authenticate();
Note that this is not an on-premises TFS server, it is the hosted TFS service at tfspreview.com and we try to sign-in with windows live account and with alternate authentication credentials but every time we try to authenticate, internet explorer open in a new windows and ask for credentials.
If we use the IE prompt to connect it works but we want to store the credentials and connect to the server without asking for the credentials every time,
You can either configure basic authentication under your profile or you can use a service credential. It all depends on what sort of permission you need. The basic auth operates under a user account which tends to be bad practice while the service account had elevated permissions.
Configure basic authentication for TF Service
For basic user authentication you should connect to TF Service and open your profile as indicated. There is a "Credentials" tab on your profile which will let you configure those credentials. This is good for per/user access through the API but is not good if you want to run things through a server or service.
Retrieve TFS Service Credentials
I created an application called the TFS Service Credential Viewer that allows you to retrieve the service credentials for your TF Service instance. This is the same thing that the Build & Test servers do when you configure them locally to work against the cloud.
I hope this helps...
You can try with this code based on impersonation of server
var serverUrl = "";
ICredentials credentials = new NetworkCredential(username, password, domain);
ICredentialsProvider TFSProxyCredentials = new NetworkCredentialsProvider(credentials);
TfsTeamProjectCollection currentCollection = new TfsTeamProjectCollection(new Uri(serverUrl), credentials);
// Get the TFS Identity Management Service
IIdentityManagementService identityManagementService = currentCollection.GetService<IIdentityManagementService>();
// Look up the user that we want to impersonate
TeamFoundationIdentity identity = identityManagementService.ReadIdentity(IdentitySearchFactor.AccountName, username, MembershipQuery.None, ReadIdentityOptions.None);
// Open collection impersonated
TfsTeamProjectCollection tfs = new TfsTeamProjectCollection(new Uri(serverUrl), credentials, TFSProxyCredentials, identity.Descriptor);
//For example we can access to service WorkItemStore
var workItemStore = tfs.GetService<WorkItemStore>();
Tfspreview.com now supports basic authentication which would eliminate IE being displayed at all. See here for details on how to set this up for your tfspreview.com and then use the username and password you configured.
I have an asp.net site which authenticates users based on their current windows login as shown below
WindowsPrincipal wp = new WindowsPrincipal(WindowsIdentity.GetCurrent());
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(username, false, Session.Timeout);
string sEncTicket = FormsAuthentication.Encrypt(ticket);
string redirectUrl = FormsAuthentication.GetRedirectUrl(username, false);
This works perfectly fine unless a different username/password combination has been stored in the local system's credential vault, at which time it is the stored credential that gets passed as the login credential.
Making this more difficult, if I try to debug in VS with a stored credential saved, then correctly the current logged in username is passed.
Has anyone come across this before & if so how can I either
Write the login code in such a way that it will never look at the credential vault or
Configure IIS in such a way as to ignore the credential valut
Thanks