topic Re: How to get ticket without password in Alfresco Archive

How to get ticket without password

dok — Tue, 28 Dec 2010 16:06:28 GMT

I have to get ticket without password. I impersonate user and try to call http://alfrecoserver/alfresco/wcservice/mg/util/login by adding credentials to request, but I get error:The remote server returned an error: (500) Internal Server Error. at System.Net.HttpWebRequest.GetResponse()I'm writing

Re: How to get ticket without password

iblanco — Wed, 29 Dec 2010 17:59:29 GMT

Why are you using /wcservice in the URL ? /wcservice is the access using Webclient authentication. Shouldn't you be using /service instead so that HTTP authentication is requested instead ?

Re: How to get ticket without password

dok — Tue, 04 Jan 2011 12:48:25 GMT

Sorry for posting so late. I took days off.

When I use /wcservice in IE, I get ticket without writing username and password. When I use /service in IE, I get login window and after I write username and password I get ticket. Since I use don’t want users to write username and password (I use impersonation), I thought I should use /wcservice. This is the only reason.

I tried /wcservice and /service in my DLL and I get same error:
The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()

(Previously I accidentally wrote that I got Internal Server Error, but it was with some other program code ops: )

Re: How to get ticket without password

iblanco — Tue, 04 Jan 2011 13:09:09 GMT

I think you have quite a mess or I'm not understanding you well.

What wcservice does is use your web session authentication instead of requiring you an HTTP authentication, so if you are logged out of Alfresco in IE and try to access something that requires authentication through wcservice you will be sent to the login page or to whatever authentication system you have configured. If this sounds too strange to you and you have never "logged" in Alfresco that might be because you have NTLM configured in your Alfresco and are using your windows account to authenticate in a "transparent way".

Is "WindowsImpersonationContext" supposed to provide "NTLM" compatible authentication ? If this is so why do you have to specify the user in UPN ? NTLM should just take whole credentials from the session isn't it?

If you have access to the password as well as the user I would use /service and use a plain HTTP authentication. I'm not a .NET programmer so can't give you more detail.

Re: How to get ticket without password

dok — Tue, 04 Jan 2011 16:09:03 GMT

I don't have access to users' passwords. This is why my DLL must impersonate users (so I can get their default network credentials). I can impersonate users using only their User Principal Name (UPN, http://searchexchange.techtarget.com/definition/User-Principal-Name). It is explained here http://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingbyusingwindowsidentity.

When I impersonate users, I get their default network credentials and set the network credentials of request to authenticate.

When I send request to /service from IE, Alfresco doesn’t authenticate me (same is when I send request to /service from my DLL). But then IE opens login window and asks me to enter username and password. Alfresco stdout.log records that after I entered username and password, it used BASIC HTTP authentication. I believe what for BASIC HTTP authentication I must provide username and password, but that is exactly what I’m trying to avoid.

I need to authenticate using impersonated user’s default network credentials in web request credentials. Is this possible? I believe it is because I can do this by sending request to /wcservice from IE without username and password. Does this make any sense?

This is my code with comments:

string URI = "http://alfrescoserver/alfresco/wcservice/mg/util/login";
string UPN = "username@domain";


// Make a request to a Uniform Resource Identifier (URI)
WebRequest request = WebRequest.Create(URI);
// Initializes a new instance of the WindowsIdentity class for the user represented by the specified User Principal Name (UPN)
WindowsIdentity identity = new WindowsIdentity(UPN);
// Represents the Windows user prior to an impersonation operation
WindowsImpersonationContext context = null;

try {
   // Start impersonating. Allows code to impersonate a different Windows user
   context = identity.Impersonate();
   // Now impersonating
   // Access resources using the identity of the authenticated user
   
   // Sets the network credentials used for authenticating the request with the Internet resource
   request.Credentials = CredentialCache.DefaultNetworkCredentials;
}
catch (Exception e) {
   return e.Message + Environment.NewLine + e.StackTrace;
}
finally {
   if (context != null) {
      // Revert impersonation. Reverts the user context to the Windows user represented by this object
      context.Undo();
   }
}

try {
   // Returns a response to an Internet request
   using (WebResponse response = request.GetResponse()) {
      StreamReader sr = new StreamReader(response.GetResponseStream());

      return sr.ReadToEnd();
   }
}
catch (Exception e) {
   return (e.Message + Environment.NewLine + e.StackTrace);
}
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: How to get ticket without password

iblanco — Tue, 04 Jan 2011 17:50:14 GMT

Are you using NTLM in Alfresco so that it accepts Windows Session Credentials ?

Re: How to get ticket without password

dok — Wed, 05 Jan 2011 16:21:06 GMT

Yes, I’m using NTLM in Alfresco.

When I change my program code in way that it doesn’t impersonate user and get default network credentials, but instead it gets network credentials with username and password and assign CookieContainer object of request (to have cookies returned in the Cookies property of the HttpWebResponse) IT WORKS, I GET TICKET! I send request to /wcservice.

Here is code with username and password and CookieContainer object:

string URI = "http://alfrescoserver/alfresco/wcservice/mg/util/login";
string UPN = "username@domain";

// Make a request to a Uniform Resource Identifier (URI)
WebRequest request = WebRequest.Create(URI);

request.CookieContainer = new CookieContainer(1);
request.Credentials = new NetworkCredential("username", "p@ssw0rd");

try {
   // Returns a response to an Internet request
   using (WebResponse response = request.GetResponse()) {
      StreamReader sr = new StreamReader(response.GetResponseStream());

      return sr.ReadToEnd();
   }
}
catch (Exception e) {
   return (e.Message + Environment.NewLine + e.StackTrace);
}
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

But, I need to authenticate using impersonated user’s default network credentials in web request credentials.

Here are records from Alfresco stdout.log:

Re: How to get ticket without password

dok — Thu, 20 Jan 2011 15:35:24 GMT

I've solved the problem!

You can read all about it here http://stackoverflow.com/questions/4627797/how-to-get-alfresco-login-ticket-without-user-password-but-with-impersonating-us.

Re: How to get ticket without password

iblanco — Thu, 20 Jan 2011 18:20:04 GMT

Congratulations, that was a hard one…

I'm going to paste your solution here just for completeness:

I've solved the problem!

I believe that we had a double-hop problem (http://blogs.msdn.com/b/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx).

This is what had to be done to solve this problem:

   1. User that runs my DLL must be Windows Server 2003 domain user
   2. Service that uses my DLL must have registered Service Principal Name in Domain controller with user that runs it (user that runs my DLL)
   3. User that runs my DLL must not have Account is sensitive and cannot be delegated option selected in Domain controller
   4. User that runs my DLL must have Trust this user for delegation to any service (Kerberos only) or Trust this user for delegation to specified services only option selected in Domain controller (if the user is in Windows Server 2003 functional domain this option is available only when you register Service Principal Name with this user)
   5. Computer that runs service that uses my DLL must have Trust computer for delegation to any service (Kerberos only) or Trust computer for delegation to specified services only option selected in Domain Controller

This all (and more) is explained in Microsoft document Troubleshooting Kerberos Delegation. It contains:

    * checklist for Active Directory,
    * checklist for Client application,
    * checklist for Middle tier,
    * checklist for Back-end

plus

    * configuration examples for common scenarios.

You can read more about Windows Authentication in ASP.NET 2.0 (http://msdn.microsoft.com/en-us/library/ff647076.aspx).

Re: How to get ticket without password

ganessan_p — Tue, 06 Mar 2012 22:56:38 GMT

I am just new to this forum… want to accompolish the same.
But for some reason , i could not open the url http://alfrecoserver/alfresco/wcservice/mg/util/login in my IE. Any thoughts , i replaced the alfrescoserver with my alfresco ip address and :8080. Still it does not open.

I assume the web script is the out of the box from Alfresco and its not custom built. Correct ?

Re: How to get ticket without password

dok — Wed, 07 Mar 2012 08:50:17 GMT

Yes, it was custom build. It was done by company we hired so I don't know details about it.

You could try http://localhost:8080/alfresco/service/api/login. You can read more about it here http://wiki.alfresco.com/wiki/2.1_REST_API#Get_Login_Ticket or here http://wiki.alfresco.com/wiki/Repository_RESTful_API_Reference#Login.

I hope that this will get you in right direction.

Re: How to get ticket without password

ganessan_p — Thu, 08 Mar 2012 18:27:17 GMT

Thanks for your reply. Those apis require username and password. I need to get a ticket from a browser through REST (AJAX xmlhttp) through the Active directory integration.

Looks like you have done similar stuff.