Propagate Credentials from Internet Explorer Host Instead of Defau

Hi,

I have a fully trusted .Net Control hosted by the Internet Explorer. The actual user is authenticated against domain x and the control comes from a website within domain y. Assume that the user authenticated itself by using any type of authentication, except Windows (NTLM) using credentials from domain y.

The control must propagate the domain y credentials and not those from the logon domain x which are accessible via CredentialCache.DefaultCredentials.

Is this possible?

Thanks for your help.

Markus


No, it's not possible. If it were, it would represent a security hole in IE since hosted controls (.NET, ActiveX, applet, etc.) would be able to potentially misuse those credentials, for example in traffic redirected at other sites.

"Markus" <markusWERB***@awisto.de> wrote in message news:E64C0595-C753-429C-8BAE-88DE59AB1F72@microsoft.com...
> Hi,
>
> I have a fully trusted .Net Control hosted by the Internet Explorer. The
> actual user is authenticated against domain x and the control comes from a
> website within domain y. Assume that the user authenticated itself by using
> any type of authentication, except Windows (NTLM) using credentials from
> domain y.
>
> The control must propagate the domain y credentials and not those from the
> logon domain x which are accessible via CredentialCache.DefaultCredentials.
>
> Is this possible?
>
> Thanks for your help.
>
> Markus


Hi Nicole,

thanks for your fast reply.

I understand your issue but:

- The control is fully trusted (!)
- The control can propagate the credentials the IE process has been opened with (the network logon)

So why can't it propagate those credentials the site it is hosted by has been accessed with?

Is there a Win32 API allowing this behaviour?
Is this possible with COM/ATL/ActiveX?

Thanks for your help

"Nicole Calinoiu" wrote:
> No, it's not possible. If it were, it would represent a security hole in IE
> since hosted controls (.NET, ActiveX, applet, etc.) would be able to
> potentially misuse those credentials, for example in traffic redirected at
> other sites.


"Markus" <markusWERB***@awisto.de> wrote in message news:CDD2539E-98AB-4410-A4B2-08898CEC996D@microsoft.com...
> Hi Nicole,
>
> thanks for your fast reply.
>
> I understand your issue but:
>
> - The control is fully trusted (!)

Even unmanaged code does not have access to this information.

> - The control can propagate the credentials the IE process has been opened
> with (the network logon)

Those are the credentials under which the control is running, not credentials cached under another process (IE). In addition, the control doesn't actually have direct access to the credentials themselves.

Don't forget that the target site may use basic authentication, in which case the user name and password will both be exposed.

> So why can't it propagate those credentials the site it is hosted by has
> been accessed with?

Presumably because Microsoft has deemed the risk to be too great.

> Is there a Win32 API allowing this behaviour?
> Is this possible with COM/ATL/ActiveX?

AFAIK, IE does not allow this information to be divulged to any hosted control, regardless of the technologies used to build it. You might want to try an IE programming group if you want to confirm this.

That said, there are other ways to work around the problem. See http://groups-beta.google.com/group/microsoft.public.dotnet.security/browse_frm/thread/21ffb3fbbe4b1aa4/3805e0f0a2e45d7c for some options.
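
The risk named in the replies above (credentials reaching a site other than the one they were meant for, or going out under basic authentication), seen from the control author's side. This is an added example, not code from the thread; it assumes the control collects the domain y credentials itself, and the host names, user name and password are constructed.

```csharp
using System;
using System.Net;

static class ScopedCredentialDemo
{
    // Constructed hosts: SiteY stands in for the "domain y" site, Other for a redirect target.
    static readonly Uri SiteY = new Uri("https://app.domain-y.example/");
    static readonly Uri Other = new Uri("https://elsewhere.example/landing");

    // Bind the credential to one URI prefix and one scheme. No "Basic" entry is
    // added, so the password is never offered in a reversible Base64 header.
    static CredentialCache Scope(NetworkCredential cred)
    {
        var cache = new CredentialCache();
        cache.Add(SiteY, "Negotiate", cred);
        return cache;
    }

    static HttpWebRequest Build(Uri target, ICredentials creds)
    {
        var req = (HttpWebRequest)WebRequest.Create(target);
        req.Credentials = creds;
        req.AllowAutoRedirect = false; // caller inspects Location before following
        req.PreAuthenticate = false;   // credentials go out only in answer to a challenge
        return req;
    }

    // Reports whether a credential source would answer a challenge from uri/scheme.
    static string Offered(ICredentials source, Uri uri, string scheme)
    {
        return source.GetCredential(uri, scheme) != null ? "offered" : "withheld";
    }

    static void Main()
    {
        // Constructed credential (assumption: typed by the user into the control's own prompt).
        var cred = new NetworkCredential("user1", "constructed-password", "Y");
        ICredentials scoped = Scope(cred);

        // A bare NetworkCredential answers for every URI and scheme; the scoped cache does not.
        Console.WriteLine("bare,   other host, Basic:     " + Offered(cred, Other, "Basic"));
        Console.WriteLine("scoped, site y,     Negotiate: " + Offered(scoped, new Uri(SiteY, "api/data"), "Negotiate"));
        Console.WriteLine("scoped, other host, Negotiate: " + Offered(scoped, Other, "Negotiate"));
        Console.WriteLine("scoped, site y,     Basic:     " + Offered(scoped, SiteY, "Basic"));

        HttpWebRequest req = Build(new Uri(SiteY, "api/data"), scoped);
        Console.WriteLine(req.RequestUri + " auto-redirect: " + req.AllowAutoRedirect);
    }
}
```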