Need to spoof - pass NT authentication to another IIS server (in different domain)

Need to access a secured web application (on IIS2) from another "parent" secured web app (on IIS1), wish to bypass login for web app #2 (basic NT authentication).  IIS servers are in different domains, although I don't know if that's relevant.  IIS2 is WinNT4 / IIS 4.0...  IIS1 is Win2k / IIS 5.0 / .NET 1.1...  not limited to using legacy ASP, but I'm a noob to .NET - so, please be gentle with me...

The authentication for web app #2 is not handled at the OS/NTFS level, its handled programmatically; the web site allows anonymous access.  The code for the web app is squished into a DLL provided by a 3rd party.  It does, however, accept a WinNT username & password.  The point being, I believe the browser actually accesses the web page anonymously, but the code invokes a Windows login prompt.  The entire web app is self-contained in the one DLL file, so once authentication is established it stays accessible; it may be dropping a cookie on the client, for all I know...

Used to handle this by passing the userid & password in the URL (i.e.,, but that quit working years ago.  Has been broken ever since...

Have seen many posts on many sites asking about this, but haven't run across a good answer.  I just KNOW it can be done, but how?  
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

These two statements contradict each other:

> wish to bypass login for web app #2 (basic NT authentication)


> The authentication for web app #2 is not handled at the OS/NTFS
> level, its handled programmatically; the web site allows anonymous access

A web app can use Basic authentication or allow anonymous access, but not both.

To the best of my understanding if the web app uses Basic authentication then there's no way you can remotely access the web app programmatically from another web app. You must first negotiate the interactive login process (ie. actually answer the prompt). The only time you could do something like that is if both your web app's used NTLM auth AND they were on the same domain.

But I may be wrong...

However, if app #2 DOES use an entirely programmtic login then doesn't this mean you "simply" need to pass login info in the HTTP request? This could be done either by GET or POST, and I guess it would mean a change/addition in app #1 to read this info from the request then run the login process. The obvious downside to this is the security implications of passing account info in the HTTP header but maybe you could use SSL to tighten things up.
jwdvorakAuthor Commented:
You're correct, my mistake - I looked at the server's properties, not the website's... the website allows only Basic Authentication, not Anonymous.  So, there's probably no programmatic authentication in app #2 at all, just IIS/NT.

As stated above, used to embed the credentials in the URL for app #2 (using Redirect) - but that doesn't work, now.  I'm not worried much about the security issue, this is intranet - not internet - and the users have already authenticated to web app #1.  Having said that, though, I can't just disable the security on website #2, because it is medical info (HIPAA).  

So, what about increasing the security - adding WinNT Challenge/Response - can you pass domain/userid and password credentials from one web app to another in different domains?  Either way, using Basic or NTLM security, how?  
I guess the first question is how exactly do you intend to access app #1 from app #2 ??

I take this to mean that, from the server end, app #2 will call URL's on app #1 and use the resultant output.

But maybe you what you have in mind is more like a "unified login" whereby users browser's can come and go between applications without being prompted for login credentials.

If it's the second scenario then definitely consider using NTLM auth on both web app's.

Because you're running these app's in an intranet scenario it seems likely that users will already be logged on to the domain. In that case, so long as both app's are hosted in the same domain, end users will automatically be authenticated with their existing NT access token. It's entirely transparent and very secure.
Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.

jwdvorakAuthor Commented:
a) Wrong direction - web app #1 accesses web app #2 - that's why I numbered them that way...
b) Web app #1 doesn't call and redisplay data from app #2 - it opens a New Window and does a Redirect to website #2; that's when I get the Windows login prompt, which I wish to spoof.
c) No users are logged on to domain; they're application-level authenticated to web app #1.  Even if they were logged on to a domain, it'd be domain #1, not domain #2 - I'd still need to spoof...
OK, maybe I mis-understand your situation.

Are both web applications running in the same domain?

And I'm not sure what you mean by this:

> No users are logged on to domain

So you have an intranet application running in a domain with no logged on users? Surely not....
jwdvorakAuthor Commented:
The two web servers belong to different domains.  And most users are not logged on to either domain - we're slowly evolving from a Novell-only network environment; only 'non-standard' users log on to a domain.  Web app authentication is independent of network user credentials - users are typically authenticated at application/database level.  

Web app #2 (which I can't modify) accesses a SQL db, uses an application-level userid (not a SQL user, a db table of userids) which is 'mapped' to a WinNT userid (to establish NTLM access).  To grant access to web users, an application userid must be created for each user, and 'mapped' to domain account - not gonna happen.  I've got a single web-access userid in app #2, which is used to grant access to users who have authenticated to web app #1.  

May have found something pointing me toward a solution - see this link:

Article describes my problem exactly, suggests several workarounds, provides downloadable code examples.  Wish me luck...!
OK, thanks for the detailed explanation. Didn't think to consider a Novel network was in the mix...

The suggestions made in the MS Knowledge Base page look good. A bit of work perhaps, but thems the breaks.

Be sure to post your findings back here for the benefit of myself and anyone else who finds this page in the future.

Good luck.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.