Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Bypassing windows credentials programmatically

Posted on 2004-08-27
5
839 Views
Last Modified: 2012-08-14
Good day. I have a page in WebApplication1 that redirects the users to WebApplication2 (restricted as Integrated Windows Authentication in IIS). As a result, windows prompts the user for credentials. What I would like to happen is that if WebApplication2 will be accessed through WebApplication1, it will not prompt for user credentials (e.g. automatically supply a valid credentials programmatically) else, it will prompt the user for credentials. Is this possible? If it is, could you give me a sample? Thanks in advance.
0
Comment
Question by:Marjorin
  • 3
  • 2
5 Comments
 
LVL 10

Expert Comment

by:jnhorst
ID: 11924180
Here is an idea, but I am not sure how well it will work.

In the page in WebApplication1 from which you want to navigate to WebApplication2, place this code (matbe in a button click event):

WebRequest req = HttpWebRequest.Create("{the url for the secured app}");
req.Method = "GET";
req.Credential = new NetworkCredential("username", "password");
WebResponse resp = req.GetResponse();
Stream rs = resp.GetResponseStream();
StreamReader sr = new StreamReader(rs);
Response.Write(sr.ReadToEnd());

The only problem with this sort of thing is that the page in WebApplication1 is basically replaced in the browser with the page from the
secured app.  So if the the secured app, say am IMG tab refers to "Images/someimg.gif" it will try to load that from WebApplication1, not
WebApplication2, so a lot of the secured app target page might not show up right.

Give it a shot and see if doesn't get you thinking in a direction that will accomplish what you're trying to do.

John
0
 
LVL 10

Expert Comment

by:jnhorst
ID: 11924184
Good grief my typing stinks...  I meant to say "an IMG tag"...

John
0
 

Author Comment

by:Marjorin
ID: 11986803
I tested your suggestion with two simple applications and it worked fine. However, when I tried it with my WebApplication 1 and 2, it generates a client-side error and the page had been rendered 3 times. I really doesn't have time to debugged it yet. If you're familiar with MSS Reporting Services, my WebApplication2 is the ReportServer.

Other solutions or possible work-around will be greatly appreciated. Thanks.
0
 
LVL 10

Accepted Solution

by:
jnhorst earned 100 total points
ID: 11986912
That is not surprising...  When you write a stream to the browser from one page to another you may be writing HTML that assumes client-side resources will be in a certain place on WebApplication2 when in fact the context is still WebApplication1.  As an example, let's say your page in WebApplication2 writes HTML that makes use of a javascript library file (e.g. somefile.js) that is referred to by a relative path like Scripts/somefile.js.  The script block written to the browser would be:

<script language="javascript" src="Scripts/somefile.js"></script>

But since you are executing a Resopnse.Write from WebApplication1, WebAPplication1 is still the context for resolving relative paths, and that Scripts folder and/or the file containing javascript functions may not exist in WebApplication1, and thus you will get client side errors.

Here's a thought, though, with respect to what you are doing (navigating to Reporting Services).  I have worked a little with Reporting Services (more by way of creating and deploying reports, nothing more in depth than that), so I do not know how well this will work, or even if it is possible.  Obviously, the Reporting Services has an aspx page that is used to render reports.  If you can inherit from that page, and add code to restrict access to the page by way of the referring url (see the Request.UrlReferrer uri class for various properties to get this info), then you could make the Reporting Services website accessible without authentication.  The page that inherits from the regaulr Reporting Services page would be the one you would navigate to, and you would kick out any Request that did not come from an approved referring page.

The only restriction this would place on your WebApplication1 is that you would not be able to do Response.Redirect() from code to WebApplication2.  When you navigate with Response.Redirect, Request.UrlReferrer does not contain any info.  You would have to use either regular hyperlinks (<a href="..."></a>), the HyperLink or LInkButton server controls (both render the <a> tag to the browser).  Again, I have no idea if this is even possible or how well it would work in your situation, but it may get you thinking along a profitable path.

Good luck.

John
0
 

Author Comment

by:Marjorin
ID: 11993188
Well, I guess I have to learn how Reporting Services renders a report so that I can manipulate its security aspects. I also posted this question a month ago to RS Forums but to no avail.

Thanks for the inputs ... I'll see what I can do or cannot do ...
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question