• Status: Solved
  • Priority: Medium
  • Security: Public

Programmatic access to a password protected web page.

I can reach a https web page only if I provide my user id and password (credentials) -- please see the attached image. I do it with my fingers, the credentials being used are the same that I use for my LAN access. I want to be able to send (as simple as possible, i.e. minimal) Request and get Response from this same page from inside my C# code. I want to get the entire text of this response, including its HTTP headers. The code need not contain either user ID or password. It should be able to "say" something like "Use my current security context credentials".
This code is not a problem:
             HttpWebRequest request = (HttpWebRequest)WebRequest.Create(...);
             HttpWebResponse response = (HttpWebResponse)request.GetResponse();
This one is:
             request.Credentials =

...Please?
             
Asked by: midfde
1 Solution
 
graye Commented:
Are you in control of this web site.... and are able to change the authentication method being used?

midfde (Author) Commented:
No, I am not.

graye Commented:
OK, then that means you'll have to have the "clear text" password of the current user....  and that's just not possible without prompting the user.

Sorry...
 
midfde (Author) Commented:
Thanks, graye. ? "Not possible" is very easy to say though. Could you please hint at something convincing? With references?

graye Commented:
Well, that's the way the security system works for Windows... the clear text password is not stored anywhere on the PC.   Instead, a hash is created and sent to the Domain Controller... the DC checks the hash using the same algorithm to see if they match.  If they match a security token is created and sent back to the client.  It's the token that is stored on the PC.

So, since it's never stored anywhere, you can't write a program to retrieve it.   So, your only real choice is to ask the user to provide the password, then you encrypt it via code and store it somewhere safe.  Then when the user uses your app to get to the web site, you'd decrypt it and send it along.  Quite frankly, that's not really an approach that many folks (including myself) would endorse...

I can't find a quick user authentication article...

midfde (Author) Commented:
'graye. ? "Not'  ->  'graye.  "Not',
Sorry.

midfde (Author) Commented:
>>"...you can't write a program to retrieve it."
Sure, I could not expect or desire I could. All I want is to be able to say "Trust me because I am a user on your LAN that is logged in, and you know this user." This is something similar to "Windows Authentication" in SQL Server (please see the attached image).

This is not just a web site that I am talking about. This is "our" in some respects web site that "knows" about my account. To clarify what I mean consider this scenario. I log on to my LAN with "itsme", "p1" credentials. I go to the Web site in question. I must provide the same "itsme", "p1" credentials. I work with this (SharePoint) site and quit the browser.
Next, I change my LAN password to "P2", I go to the same web page. Now it only accepts my "itsme", "P2" credentials. Thus it "knows" me. ["Single password" policy is essentially violated here.]

graye Commented:
Yes, what you're describing is actually considered the "best practice" in web scenarios such as this.   However, to adopt this approach, you need to make the change AT THE WEB SERVER.... not at the local client PCs.

That's why I asked if you had control over the web site...  If you did, it'd be a trivial task to change the authentication method (or prompt for the security token)

midfde (Author) Commented:
Please describe actions on both IIS ("trivial" -- see attached image) and in C# client code (request.Credentials = ...) sides of this communication. I can implement it on my workstation development IIS / MSVS environment, and then, well, negotiate the issue with admins of our QA and production servers.
Any solutions, compromising security (like "basic authentication") are not worth considering in this context.

graye Commented:
Well, just about all you have to do is turn on "Integrated Windows Authentication" (just as you've done) and turn off "Anonymous access". Then configure your browser to put that web site in the Local or Trusted zone.  An easy way to temporarily use the "Local" zone is to use the NetBIOS name of the server instead of the internet name of the server in the URL (such as http://mysite instead of http://www.mysite.com).

After that, you might have to "prime the pump" to force the browser to "refresh" its credentials from the OS (otherwise, in some rare cases it will still prompt the user).  This is typically done with a few simple lines of code, something like this:

If Request("REMOTE_USER") = "" Then
    Response.Status = "401 Unauthorized"
End If

Again, after this is done, there's no need to pass any credentials at all in your application... the browser will automagically take care of all of that.

midfde (Author) Commented:
>>configure your browser
What (of 4 that I have on my computer) browser? I am trying to access the aforementioned web page from, well,.. let's say "Console Application" written in C#, remember?

graye Commented:
Yeah, but the same security zones that apply to the browser (OK... Internet Explorer) also apply to applications using HTTP protocols

midfde (Author) Commented:
Thank you for your patience graye.
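
Added example, not part of the original thread: one way to complete the `request.Credentials =` line from the question when the server offers Integrated Windows Authentication (Negotiate/NTLM), printing the status line, all headers and the body. The URL is a hypothetical placeholder, and the class and method names are made up for this sketch; on a 401 the program prints the `WWW-Authenticate` headers so you can see which schemes the server actually offers.

```csharp
using System;
using System.IO;
using System.Net;

class IntegratedAuthProbe
{
    // Writes the status line and every header of a response.
    static void Dump(HttpWebResponse r, TextWriter w)
    {
        w.WriteLine("HTTP/{0} {1} {2}", r.ProtocolVersion, (int)r.StatusCode, r.StatusDescription);
        foreach (string name in r.Headers.AllKeys)
            w.WriteLine("{0}: {1}", name, r.Headers[name]);
        w.WriteLine();
    }

    static int Main(string[] args)
    {
        // Hypothetical placeholder URL; pass the real page as the first argument.
        string url = args.Length > 0 ? args[0] : "https://intranet.example/page.aspx";

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        // Use the logged-on user's security context: no user ID or password in code.
        // Default credentials answer only NTLM/Negotiate (Kerberos) challenges.
        request.Credentials = CredentialCache.DefaultCredentials;

        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            using (StreamReader body = new StreamReader(response.GetResponseStream()))
            {
                Dump(response, Console.Out);
                Console.Out.Write(body.ReadToEnd());
                return 0;
            }
        }
        catch (WebException ex)
        {
            HttpWebResponse failed = ex.Response as HttpWebResponse;
            if (failed == null) { Console.Error.WriteLine(ex.Message); return 2; }
            using (failed)
            {
                // On 401, WWW-Authenticate lists the schemes the server offers.
                // If only "Basic" is listed, default credentials are not sent for it.
                Dump(failed, Console.Error);
                return failed.StatusCode == HttpStatusCode.Unauthorized ? 1 : 2;
            }
        }
    }
}
```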