How to get authenticated password of sharepoint site user to pass on NetworkCredential() method as parameters
- 0
I am creating a user control page(ascx) using the web services from SharePoint Services/Project Server site. As we know that the user name and password needs to access the sites of them. I
used the following code(C#) to access the web services, it will work fine. There is already Windows Authentication in Sharepoint Site.//UserGroupWS is Added Web Service
private static UserGroupWS.UserGroup userGroup = new UserGroupWS.UserGroup();userGroup.Url = "http://DomainName/_vti_bin/UserGroup.asmx";
userGroup.Credentials = new System.Net.NetworkCredential("UserName", "Password", "DomainName");
Note that there are the parameters namded "Password" also in NetworkCredential() method. While this page is using as webpart in SharePoint Site, I can access the UserName currently logined to pass as first parameter in this method. But how to retrieve Password of the current UserName currently logined to pass as second parameter in this method? Is there any idea?
Please help!!!
All Replies
- 0
Instead of passing password, look at getting hte crenedtiols from the Default Credential Cache. You will be able to get a token to pass along in your web request.
NOTE: In order for this to work, you must have delegation configured correctly, so if you have issues I would recommend the following:
1) Create your own simple web service on your network that you can write code for (I would write something that simply returns the login name of the requesting user)
2) Create your web part and have it pass the credentials from the credential cache ot the request.
3) ensure that the web service works correctly.
If it doesn't (s3ecurity exceptions, etc..) then post back here and I can help you look into how to get Kerberos Delegation set up on your Sharepoint Site.
- 0
A bit more info... From :http://msdn2.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx
// Ensure Directory Security settings for default web site in IIS is "Windows Authentication".
string url = "http://localhost";
// Create a 'HttpWebRequest' object with the specified url.
HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(url);
// Assign the credentials of the logged in user or the user being impersonated.
myHttpWebRequest.Credentials = CredentialCache.DefaultCredentials;
// Send the 'HttpWebRequest' and wait for response.
HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();
Console.WriteLine("Authentication successful");
Console.WriteLine("Response received successfully");Hope that helps !
- 0
Thank you for your kind response. I have tried above code with my code but still those errors of authentication(Error no 401) are not solved.
Note that in my server there is
Authentication Type : Windows
Integrated Windows Authentication: NTLM and
Enable Client Integration: Yes
please Help!!
- 0
Ok, Here's what I think is hapenning...
In order to delgate credentials on your network, you must use Kerberos Authentication (Not just NTLM). Kerberos allows you to trust that computer to pass credentials from end users to the other server (the one with the web services) without further interaction with the user. THis is not possible using NTLM from what I understand.
So, User Kerberos, In Active Directory, Trust your server for delegation, and if you are using a host name for your portal other than the server name, you must registar a Service Prinicipal name on your network to allow the delgegation to occur.
Does any of this make sense ? It's a security thing. If you allowed anyone to pass credentials around like that on your network, it could make for some pretty crafty folks getting lots of people's credentials ;-)
Hope that helps.
- 0
Thank you, Walker for response again.
I have tried using Kerberos Authentication also for my authentication code. but the same error. I want to tell you in more details about my code. This is a user control page (ascx) to display the groups as well as user name of sharepoint server using sharepoint web services. This control page will be uploaded as a webpart using son of smart part in the sharepoint site. The main code for the windows authentication is as below.
1. string url = "http://" + _ServerName;
2. HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(url);
3. myHttpWebRequest.Credentials = CredentialCache.DefaultNetworkCredentials;
4. HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();
5. userGroup.Url = "http://" + _ServerName + "/_vti_bin/UserGroup.asmx";
6. //userGroup.Credentials = new System.Net.NetworkCredential(_UserName, _Password, _ServerName);
7. userGroup.Credentials =
CredentialCache.DefaultNetworkCredentials;In Line no. 1, _ServerName defines SharePoint Server where web services are located.
Line No. 2 to 4 are codes that you sent to me. Due to line no. 4, it occures an error of The remote server returned an error: (401) Unauthorized.
In Line No 5, there is using an object named userGroup of web service named UserGroup.asmx of sharepoint.
Line No 7 represents for credentials used for web service named userGroup. Using this line instead of Line No. 6, there occuring an error of The request failed with HTTP status 401: Unauthorized.
Note that I have tried these code with both of credentials DefaultNetworkCredentials and DefaultCredentials, the errors don't change. Also, when using line no 6 instead of line no 7, it works fine. And the authentication given in my SharePoint server is as previous posted message.
Please Help!!!
- 0
Ok, you have a couple of different things going on...
1) the following would be the code:
1. string url = "http://" + _ServerName + "/_vti_bin/UserGroup.asmx";
2. HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(url);
3. myHttpWebRequest.Credentials = CredentialCache.DefaultNetworkCredentials;
4. HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();
This is the HTTPWeb Request way of doing it... If you have a web reference in your project to a web service and you simply need to invoke that it would be something like:
1. string url = "http://" + _ServerName + "/_vti_bin/UserGroup.asmx";
2. userGroup groupService = new userGroup(); // this is instantiating a new object to call3. groupService.Credentials =
CredentialCache.DefaultNetworkCredentials; 4. groupService.Url = url;// Invoke the method on the server, etc..
That should get you calling the right service , attaching credentials, etc..
The other issue that you have relates to Kerberos Delegation.
Sicne you can create a credential using the name and password, and then pass that along, kerberos doesn't come into play. the server happily accepts the user name and password and creates a login token for the user on the WEB SERVICE machine... no problem. this requires you to have the users password (which is not a valid scenario IMHO)
In order to use the credentials from the credential cache, your SharePoint server must be trusted for delegation in AD to allow it the rights to pass a users token back to another server, there are also some other settings that you must set based on your environment.. Not knowing much about your internal setup / network / etc... it's hard to give a consise answer.. short answer is your Kerberos is not working right.. without that, you will not be able to pass authentication through the tiers the way that you want
Another way you may accomplish this is to impersonate a user that has enough rights to perform the actions that you wish (an administrative user, etc...) the only drawback to this is you must ensure you aren't exposing functionality to end users that you shouldn't :-)
Hope that helped a bit :-)
- 0
Dear Walker,
From your responses, i got much knowledge about passing credentials to call web services. Thank you very much!
Now, I am using following codes only
1. string url = "http://" + _ServerName + "/_vti_bin/UserGroup.asmx";
2. userGroup groupService = new userGroup(); // this is instantiating a new object to call
3. groupService.Credentials = CredentialCache.DefaultNetworkCredentials;
4. groupService.Url = url;
Using these codes, for passing credentials to call web services from sharepoint server/project server (PWA), it's compulsory needed to configure AD to work on Kerberos? In my system, there is not configured AD so no Domain. The users are simply stored in windows. In this type of network NTLM doesn't work?
What may be the best idea?
Please help!!!
- 0
In order to pass credentials through multiple tiers like that, you will need kerberos.. If you think about it a minute, it would be pretty scary if I could get someone to call my server and execute some code, then I would be able to pass the windows credentials they sent to me along to another server and happily use thier credentials to get at data that maybe I shouldn't :-) This needs to be configured at the network level in order to work successfully.
What you need to do then would be to have a "Service Account" or another account that you create specifically for this purpose (so you can control the username and password), configure this user account to have the apropriate permissions on the web service you are calling and then go back to your method of creating a NetworkCredential using the login / password (which I would store in a confgi file vs embedding it in your code :-) ). When you user interacts with your web part, you are actually calling the web service using these other credentials. The problem here is that the web service you are calling will not have any idea of the original calling user, so that may introduce some complexity here as well.
Hope that helps.
- 0
Hi,
The post is very good... and helpful. I am also facing this problem.
I have one question that... how Out of the Box webpart works for example MyInbox webpart, it asks user credential first time and uses it.
Is it possible to open a popup and ask user about his/her AD credential, so that after getting it, it can be used further?
I also tried to setup kerberos, but couldnot
... the problem I was facing is that I couldnot register SPN.could you please help me.
Thanks.
- 0
What you've described is exactly how SSO works. I'd suggest looking at the available SharePoint resources for SSO. SharePointing is correct that Kerberos is the ideal way to get the delegation to work. SSO can be used as a workaround when Kerberos isn't practical or possible.
- 0
Hi,
I have tried SSO, but I couldnot get success
SsoCredential.UserName or SsoCredential.Password or SsoCredential.Evidance[0] all these returns empty string.
NOTE: I have configured the SSO for windows application.Thanks
