midfde asked:

Programmatic access to a password protected web page.

I can reach a https web page only if I provide my user id and password (credentials) -- please see the attached image. I do it with my fingers, the credentials being used are the same that I use for my LAN access. I want to be able to send (as simple as possible, i.e. minimal) Request and get Response from this same page from inside my C# code. I want to get the entire text of this response, including its HTTP headers. The code need not contain either user ID or password. It should be able to "say" something like "Use my current security context credentials".
This code is not a problem:
             HttpWebRequest request = (HttpWebRequest)WebRequest.Create(...);
             HttpWebResponse response = (HttpWebResponse)request.GetResponse();
This one is:
             request.Credentials =

...Please?
graye

Are you in control of this web site.... and are able to change the authentication method being used?
midfde (ASKER)

No, I am not.
OK, then that means you'll have to have the "clear text" password of the current user....  and that's just not possible without prompting the user.

Sorry...
midfde (ASKER)

Thanks, graye. ? "Not possible" is very easy to say though. Could you please hint at something convincing? With references?
Well, that's the way the security system works for Windows... the clear text password is not stored anywhere on the PC.   Instead, a hash is created and sent to the Domain Controller... the DC checks the hash using the same algorithm to see if they match.  If they match a security token is created and sent back to the client.  It's the token that is stored on the PC.

So, since it's never stored anywhere, you can't write a program to retrieve it.   So, your only real choice is to ask the user to provide the password, then you encrypt it via code and store it somewhere safe.  Then when the user uses your app to get to the web site, you'd decrypt it and send it along.  Quite frankly, that's not really an approach that many folks (including myself) would endorse...

I can't find a quick user authentication article...

midfde (ASKER)

'graye. ? "Not'  ->  'graye.  "Not',
Sorry.
midfde (ASKER)

>>"...you can't write a program to retrieve it."
Sure, I could not expect or desire I could. All I want is to be able to say "Trust me because I am a user on your LAN that is logged in, and you know this user." This is something similar to "Windows Authentication" in SQL Server (please see the attached image).

This is not just a web site that I am talking about. This is "our" in some respects web site that "knows" about my account. To clarify what I mean consider this scenario. I log on to my LAN with "itsme", "p1" credentials. I go to the Web site in question. I must provide the same "itsme", "p1" credentials. I work with this (SharePoint) site and quit the browser.
Next, I change my LAN password to "P2", I go to the same web page. Now it only accepts my "itsme", "P2" credentials. Thus it "knows" me. ["Single password" policy is essentially violated here.]
Yes, what you're describing is actually considered the "best practice" in web scenarios such as this.   However, to adopt this approach, you need to make the change AT THE WEB SERVER.... not at the local client PCs.

That's why I asked if you had control over the web site...  If you did, it'd be a trivial task to change the authentication method (or prompt for the security token).
midfde (ASKER)

Please describe actions on both IIS ("trivial" -- see attached image) and in C# client code (request.Credentials = ...) sides of this communication. I can implement it on my workstation development IIS / MSVS environment, and then, well, negotiate the issue with admins of our QA and production servers.
Any solutions, compromising security (like "basic authentication") are not worth considering in this context.
Well, just about all you have to do is turn on "Integrated Windows Authentication" (just as you've done) and turn off "Anonymous access". Then configure your browser to put that web site in the Local or Trusted zone.  An easy way to temporarily use the "Local" zone is to use the NetBIOS name of the server instead of the internet name of the server in the URL (such as http://mysite instead of http://www.mysite.com).

After that, you might have to "prime the pump" to force the browser to "refresh" its credentials from the OS (otherwise, in some rare cases it will still prompt the user).  This is typically done with a few simple lines of code, something like this:

If Request("REMOTE_USER") = "" Then
    Response.Status = "401 Unauthorized"
End If

Again, after this is done, there's no need to pass any credentials at all in your application... the browser will automagically take care of all of that.
midfde (ASKER)

>>configure your browser
What (of 4 that I have on my computer) browser? I am trying to access the aforementioned web page from, well,.. let's say "Console Application" written in C#, remember?
ASKER CERTIFIED SOLUTION
graye

This solution is only available to members.
midfde (ASKER)

Thank you for your patience, graye.
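
The request described in the question, as an added example that is not part of the original thread: it hands HttpWebRequest the logged-on user's security context through `CredentialCache.DefaultNetworkCredentials`, assuming the server offers Integrated Windows Authentication (Negotiate) as discussed above. The class name and the placeholder URL are assumptions; the credential is scoped to a single origin and redirects are not followed, so the token is never offered to another host.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;

// IntegratedAuthFetch is a hypothetical name for this added example.
static class IntegratedAuthFetch
{
    // Returns the status line, all response headers, and the body as one string.
    static string Fetch(Uri url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        // Offer the logged-on user's token only to this origin and only for
        // Negotiate (Kerberos/NTLM); no user name or password appears in code.
        var origin = new Uri(url.GetLeftPart(UriPartial.Authority));
        var cache = new CredentialCache();
        cache.Add(origin, "Negotiate", CredentialCache.DefaultNetworkCredentials);
        request.Credentials = cache;
        request.AllowAutoRedirect = false; // do not follow redirects to other hosts

        HttpWebResponse response;
        try
        {
            response = (HttpWebResponse)request.GetResponse();
        }
        catch (WebException ex) when (ex.Response is HttpWebResponse)
        {
            // 401/403 etc.: still return what the server answered, including
            // the WWW-Authenticate headers that list the schemes it accepts.
            response = (HttpWebResponse)ex.Response;
        }
        using (response)
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            var text = new StringBuilder();
            text.AppendLine($"HTTP/{response.ProtocolVersion} {(int)response.StatusCode} {response.StatusDescription}");
            text.Append(response.Headers.ToString()); // "Name: value" lines plus a blank line
            text.Append(reader.ReadToEnd());
            return text.ToString();
        }
    }

    static void Main(string[] args)
    {
        // Placeholder URL (assumption); pass the real page as the first argument.
        var url = new Uri(args.Length > 0 ? args[0] : "https://sharepoint.example.local/");
        Console.WriteLine(Fetch(url));
    }
}
```

If the server answers 401 with only `WWW-Authenticate: Basic`, no credential in the cache matches and nothing is sent, so the account is not exposed to a weaker scheme.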