Last post Jul 16, 2019 02:55 PM by Richard Scannell
Jul 11, 2019 03:29 PM|Richard Scannell|LINK
I have an MVC intranet application which authenticates a user with Windows Authentication, and which successfully shows their credentials.
Jul 11, 2019 03:48 PM|bruce (sqlwork.com)|LINK
as NTLM has a one hop rule, you will need to switch to Kerberos and delegation. see:
you could also use basic authentication with Windows accounts, and convert the login Windows token to a primary token, and then impersonate the token before making the call.
convert to primary:
note: this only works with basic authentication. you cannot convert a Windows authentication token to a primary.
Jul 12, 2019 08:12 AM|Richard Scannell|LINK
Hi Bruce, many thanks for the quick response.
There are a couple of issues I did not mention:
Both the REST API and the calling application sit on the same server, so my understanding is that Kerberos (which is notoriously tricky to implement correctly) may not be needed.
All the articles I have seen on impersonation do it by logging on with a userName string and a Password string, which as I am sure you know is problematic on a number of levels.
Jul 15, 2019 04:16 PM|bruce (sqlwork.com)|LINK
Jul 16, 2019 02:55 PM|Richard Scannell|LINK
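Thanks for this. I was able to get this working with impersonation in the calling code:
// Requires: using System.Net; using System.Security.Principal; using System.Web;
WebClient Wclient = new WebClient();
Wclient.UseDefaultCredentials = true;
Wclient.Credentials = CredentialCache.DefaultNetworkCredentials;
IIdentity contextId = HttpContext.Current.User.Identity;
WindowsIdentity userId = (WindowsIdentity)contextId;
string data;
// Disposing the impersonation context reverts the thread to the application pool identity.
using (WindowsImpersonationContext imp = userId.Impersonate())
{
    data = Wclient.DownloadString(apiUrl); // apiUrl: placeholder, the URL argument was not included in the post
}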
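A variant of the call above with the identity checks made explicit, as an added example that is not part of the original thread. The class name `ImpersonatedApiClient`, the method `DownloadAsCaller` and the `apiUrl` parameter are hypothetical, and it assumes .NET Framework 4.6 or later for `WindowsIdentity.RunImpersonated`.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;

public static class ImpersonatedApiClient   // hypothetical helper, not from the thread
{
    // Calls apiUrl (supplied by the caller) as the Windows user of the current request.
    public static string DownloadAsCaller(string apiUrl)
    {
        var caller = HttpContext.Current?.User?.Identity as WindowsIdentity;

        // Refuse to fall back silently to the app pool identity when no real Windows user is present.
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            throw new InvalidOperationException("No authenticated Windows identity on this request.");

        // An Identification-level token can be inspected but not used to act as the user.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Impersonation &&
            caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Token level " + caller.ImpersonationLevel + " cannot be impersonated.");

        // RunImpersonated reverts the thread identity when the delegate returns or throws,
        // so later work on this thread does not keep running as the user.
        return WindowsIdentity.RunImpersonated(caller.AccessToken, () =>
        {
            using (var client = new WebClient { UseDefaultCredentials = true })
            {
                // DefaultCredentials now resolve to the impersonated user.
                return client.DownloadString(apiUrl);
            }
        });
    }
}
```

An Impersonation-level token is enough while the API sits on the same server as the caller; reaching a second machine runs into the one hop rule mentioned earlier in the thread.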