Home > Uncategorized > WebRequest and suffering from double hop syndrome

WebRequest and suffering from double hop syndrome

September 16th, 2006 Leave a comment Go to comments

This post applies to SharePoint or any ASP.NET applications whose authentication mechanism is NTLM and impersonation is enabled. SharePoint,by default,uses impersonation which results in an impersonated token, which is not primary token on the SPS Server.When HTTP request leaves machine boundaries, the impersonated token becomes the root of all evil.Let’s have a deeper look by running the code below in your web part/web part page or generally speaking in any http context:

1. HttpWebRequest userReq = (HttpWebRequest)WebRequest.Create(“http://mysite/sharedDoc/test.xml“);
2. userReq.AllowAutoRedirect=false;
3. userReq.Credentials = System.Net.CredentialCache.DefaultCredentials;
4. HttpWebResponse serverResponse = (HttpWebResponse) userReq.GetResponse();

It works fine on your development enviroment (if everything is on the same server),but as soon as you go live on production where IIS and SQL Server are located in two differnet machines , you will get : The remote server returned an error: (401) Unauthorized

Use the code below instead and everything just works fine!!!!

1. HttpWebRequest userReq = (HttpWebRequest)WebRequest.Create(fullLink);
2. userReq.AllowAutoRedirect=false;
3. userReq.Credentials = new System.Net.NetworkCredential(“Bob”,”pass@word”,”Domain“);
4. HttpWebResponse serverResponse = (HttpWebResponse) userReq.GetResponse();

Here is the brief explanation of what’s happening when you receive the error for the first snippet.                                              
I ) Bob authenticates with web server via browser using NTLM ,so no password is sent over the wire and only a windows security token will be created
II) IIS creates a windows security token for poor Bob.This token is an impersonation token  and not a primary token (because impersonation is enabled). It has also no network credentials and cannot be delegated to any remote servers (because NTLM is used)                                 
III)ASP.NET code accesses DefaultCredentials to use in WebRequest. DefaultCredentials are based on impersonation token,but DefaultCredentials contains an impersonated token and not the primary one,  so it cannot hop to SharePoint Content Database (where the document and document library is stored) to create the web request.                    

Main reason that the second  snippet works is the fact that you are re-creating the windows security context and providing the password. To solve issues of this type you have couple of solutions :      

Solution 1)As mentioned above use direct creation of the security context (store credentials in a safe palce)                               

Solution 2)Use Kerberos along with Delegation of both Bob’s credential and the machine which hosts SPS (IIS Server).These setting must be done in AD , so refer to this excellent article : http://support.microsoft.com/kb/810572/                                   

Solution3)Use Basic Authentication to send users credential in plaintext  (Make sure you secure the transportation layer though using  HTTPS,etc)                                                                

Categories: Uncategorized Tags:
  1. No comments yet.