How to get ticket without password

dok
Champ in-the-making
I have to get a ticket without a password. I impersonate the user and try to call http://alfrecoserver/alfresco/wcservice/mg/util/login by adding credentials to the request, but I get an error:

The remote server returned an error: (500) Internal Server Error.
   at System.Net.HttpWebRequest.GetResponse()

I'm writing a C# DLL that can call Alfresco REST API services. Here is my code:


string URI = "http://alfrescoserver/alfresco/wcservice/mg/util/login";
string UPN = "username@domain";

HttpWebRequest request = WebRequest.Create(URI) as HttpWebRequest;
WindowsIdentity identity = new WindowsIdentity(UPN);
WindowsImpersonationContext context = null;

try {
   context = identity.Impersonate();
   request.Credentials = CredentialCache.DefaultNetworkCredentials;
}
catch (Exception e) {
   return e.Message + Environment.NewLine + e.StackTrace;
}
finally {
   if (context != null) {
      context.Undo();
   }
}

IWebProxy proxy = new WebProxy(proxyServer, proxyPort);
proxy.Credentials = new NetworkCredential(proxyUsername, proxyPassword);
request.Proxy = proxy;

try {
   using (HttpWebResponse response = request.GetResponse() as HttpWebResponse) {
      StreamReader sr = new StreamReader(response.GetResponseStream());

      return sr.ReadToEnd();
   }
}
catch (Exception e) {
   return (e.Message + Environment.NewLine + e.StackTrace);
}

Is there any other way I can get ticket without password?

Thanks!

Domagoj Krišto
11 REPLIES

iblanco
Confirmed Champ
Why are you using /wcservice in the URL? /wcservice is the access using Webclient authentication. Shouldn't you be using /service instead so that HTTP authentication is requested instead?

dok
Champ in-the-making
Sorry for posting so late. I took days off.

When I use /wcservice in IE, I get a ticket without writing username and password. When I use /service in IE, I get a login window and after I write username and password I get a ticket. Since I don't want users to write username and password (I use impersonation), I thought I should use /wcservice. This is the only reason.

I tried /wcservice and /service in my DLL and I get same error:
The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()

(Previously I accidentally wrote that I got Internal Server Error, but it was with some other program code.)

iblanco
Confirmed Champ
I think you have quite a mess or I'm not understanding you well.

What wcservice does is use your web session authentication instead of requiring HTTP authentication from you, so if you are logged out of Alfresco in IE and try to access something that requires authentication through wcservice you will be sent to the login page or to whatever authentication system you have configured. If this sounds too strange to you and you have never "logged" in Alfresco, that might be because you have NTLM configured in your Alfresco and are using your Windows account to authenticate in a "transparent way".

Is "WindowsImpersonationContext" supposed to provide "NTLM" compatible authentication? If this is so, why do you have to specify the user in UPN? NTLM should just take the whole credentials from the session, shouldn't it?

If you have access to the password as well as the user I would use /service and use a plain HTTP authentication. I'm not a .NET programmer so I can't give you more detail.

dok
Champ in-the-making
I don't have access to users' passwords. This is why my DLL must impersonate users (so I can get their default network credentials). I can impersonate users using only their User Principal Name (UPN, http://searchexchange.techtarget.com/definition/User-Principal-Name). It is explained here http://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingbyusingwindowsidentit....

When I impersonate users, I get their default network credentials and set the network credentials of request to authenticate.

When I send a request to /service from IE, Alfresco doesn't authenticate me (the same happens when I send a request to /service from my DLL). But then IE opens a login window and asks me to enter username and password. Alfresco stdout.log records that after I entered username and password, it used BASIC HTTP authentication. I believe that for BASIC HTTP authentication I must provide username and password, but that is exactly what I'm trying to avoid.

I need to authenticate using impersonated user’s default network credentials in web request credentials. Is this possible? I believe it is because I can do this by sending request to /wcservice from IE without username and password. Does this make any sense?

This is my code with comments:
string URI = "http://alfrescoserver/alfresco/wcservice/mg/util/login";
string UPN = "username@domain";


// Make a request to a Uniform Resource Identifier (URI)
WebRequest request = WebRequest.Create(URI);
// Initializes a new instance of the WindowsIdentity class for the user represented by the specified User Principal Name (UPN)
WindowsIdentity identity = new WindowsIdentity(UPN);
// Represents the Windows user prior to an impersonation operation
WindowsImpersonationContext context = null;

try {
   // Start impersonating. Allows code to impersonate a different Windows user
   context = identity.Impersonate();
   // Now impersonating
   // Access resources using the identity of the authenticated user
  
   // Sets the network credentials used for authenticating the request with the Internet resource
   request.Credentials = CredentialCache.DefaultNetworkCredentials;
}
catch (Exception e) {
   return e.Message + Environment.NewLine + e.StackTrace;
}
finally {
   if (context != null) {
      // Revert impersonation. Reverts the user context to the Windows user represented by this object
      context.Undo();
   }
}

try {
   // Returns a response to an Internet request
   using (WebResponse response = request.GetResponse()) {
      StreamReader sr = new StreamReader(response.GetResponseStream());

      return sr.ReadToEnd();
   }
}
catch (Exception e) {
   return (e.Message + Environment.NewLine + e.StackTrace);
}

iblanco
Confirmed Champ
Are you using NTLM in Alfresco so that it accepts Windows Session Credentials?

dok
Champ in-the-making
Yes, I’m using NTLM in Alfresco.

When I change my program code in a way that it doesn't impersonate the user and get default network credentials, but instead gets network credentials with username and password and assigns a CookieContainer object to the request (to have cookies returned in the Cookies property of the HttpWebResponse), IT WORKS, I GET TICKET! I send the request to /wcservice.

Here is code with username and password and CookieContainer object:
string URI = "http://alfrescoserver/alfresco/wcservice/mg/util/login";
string UPN = "username@domain";

// Make a request to a Uniform Resource Identifier (URI)
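// CookieContainer is a member of HttpWebRequest, so the request is cast to that type
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(URI);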

request.CookieContainer = new CookieContainer(1);
request.Credentials = new NetworkCredential("username", "p@ssw0rd");

try {
   // Returns a response to an Internet request
   using (WebResponse response = request.GetResponse()) {
      StreamReader sr = new StreamReader(response.GetResponseStream());

      return sr.ReadToEnd();
   }
}
catch (Exception e) {
   return (e.Message + Environment.NewLine + e.StackTrace);
}

But, I need to authenticate using impersonated user’s default network credentials in web request credentials.

Here are records from Alfresco stdout.log:
    17:11:35,616 User:username DEBUG [app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcservice/mg/util/login SID:3CC295C26ADFCFAF71149F395431490E
    17:11:35,616 User:username DEBUG [web.scripts.DeclarativeRegistry] Web Script index lookup for uri /mg/util/login took 0.601263ms
    17:11:35,616 User:username DEBUG [app.servlet.NTLMAuthenticationFilter] New NTLM auth request from 10.**.**.** (10.**.**.**:1512)
    17:11:35,631 User:username DEBUG [app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcservice/mg/util/login SID:3CC295C26ADFCFAF71149F395431490E
    17:11:35,631 User:username DEBUG [web.scripts.DeclarativeRegistry] Web Script index lookup for uri /mg/util/login took 0.340155ms
    17:11:35,631 User:username DEBUG [app.servlet.NTLMAuthenticationFilter] Received type1 [Type1:0xe20882b7,Domain:<NotSet>,Wks:<NotSet>]
    17:11:35,631 User:username DEBUG [app.servlet.NTLMAuthenticationFilter] Client domain null
    17:11:35,741 User:username DEBUG [app.servlet.NTLMAuthenticationFilter] Sending NTLM type2 to client - [Type2:0x80000283,Target:ComputerNameA,Ch:ab756bf7e8086bc5]

dok
Champ in-the-making

iblanco
Confirmed Champ
Congratulations, that was a hard one…

I'm going to paste your solution here just for completeness:

I've solved the problem!

I believe that we had a double-hop problem (http://blogs.msdn.com/b/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx).

This is what had to be done to solve this problem:

   1. The user that runs my DLL must be a Windows Server 2003 domain user
   2. The service that uses my DLL must have a registered Service Principal Name in the Domain controller with the user that runs it (the user that runs my DLL)
   3. The user that runs my DLL must not have the "Account is sensitive and cannot be delegated" option selected in the Domain controller
   4. The user that runs my DLL must have the "Trust this user for delegation to any service (Kerberos only)" or "Trust this user for delegation to specified services only" option selected in the Domain controller (if the user is in a Windows Server 2003 functional domain this option is available only when you register a Service Principal Name with this user)
   5. The computer that runs the service that uses my DLL must have the "Trust computer for delegation to any service (Kerberos only)" or "Trust computer for delegation to specified services only" option selected in the Domain Controller

This all (and more) is explained in the Microsoft document "Troubleshooting Kerberos Delegation". It contains:

    * checklist for Active Directory,
    * checklist for Client application,
    * checklist for Middle tier,
    * checklist for Back-end

plus

    * configuration examples for common scenarios.

You can read more about Windows Authentication in ASP.NET 2.0 (http://msdn.microsoft.com/en-us/library/ff647076.aspx).
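
The delegation checklist quoted above can be checked against attributes exported from Active Directory. The following is an added example, not code from the thread or from Alfresco: it covers items 2 to 5 (item 1 is not visible in these attributes), uses the LDAP attribute names `userAccountControl`, `servicePrincipalName` and `msDS-AllowedToDelegateTo`, and runs on constructed sample objects with hypothetical account names.

```python
# Added example: checks items 2-5 of the checklist against exported AD attributes.
# Bit values are the documented userAccountControl flags.
UF_TRUSTED_FOR_DELEGATION = 0x00080000  # "Trust ... for delegation to any service (Kerberos only)"
UF_NOT_DELEGATED = 0x00100000           # "Account is sensitive and cannot be delegated"


def delegation_mode(entry):
    """Return 'any-service', 'specified-services' or 'none' for one AD object."""
    if int(entry.get("userAccountControl", 0)) & UF_TRUSTED_FOR_DELEGATION:
        return "any-service"
    if entry.get("msDS-AllowedToDelegateTo"):
        return "specified-services"
    return "none"


def check_delegation(service_user, service_computer):
    """Return {checklist item number: (passed, detail)} for items 2-5."""
    uac = int(service_user.get("userAccountControl", 0))
    spns = service_user.get("servicePrincipalName", [])
    user_mode = delegation_mode(service_user)
    computer_mode = delegation_mode(service_computer)
    return {
        2: (bool(spns), "SPNs on service user: %s" % (", ".join(spns) or "none")),
        3: (not uac & UF_NOT_DELEGATED, "'sensitive and cannot be delegated' must be clear"),
        4: (user_mode != "none", "service user delegation: " + user_mode),
        5: (computer_mode != "none", "service computer delegation: " + computer_mode),
    }


def unconstrained(entries):
    """Names of objects trusted for delegation to ANY service; worth narrowing,
    since such a service receives a forwardable TGT for every user it serves."""
    return [e["sAMAccountName"] for e in entries if delegation_mode(e) == "any-service"]


# Constructed sample objects (hypothetical names, not taken from the thread).
SVC_USER = {
    "sAMAccountName": "svc-alfdll",
    "userAccountControl": 0x0200,  # NORMAL_ACCOUNT only
    "servicePrincipalName": ["HTTP/appserver.example.test"],
    "msDS-AllowedToDelegateTo": ["HTTP/alfrescoserver.example.test"],
}
SVC_COMPUTER = {
    "sAMAccountName": "APPSERVER$",
    "userAccountControl": 0x1000 | UF_TRUSTED_FOR_DELEGATION,  # WORKSTATION_TRUST_ACCOUNT
}

if __name__ == "__main__":
    for item, (ok, detail) in check_delegation(SVC_USER, SVC_COMPUTER).items():
        print("item %d: %s (%s)" % (item, "ok" if ok else "FAIL", detail))
    print("unconstrained:", unconstrained([SVC_USER, SVC_COMPUTER]))
```

Both delegation options named in items 4 and 5 pass the check; `unconstrained()` lists the objects that use the broader "any service" option so they can be reviewed against the "specified services only" alternative.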

ganessan_p
Champ in-the-making
I am just new to this forum… want to accomplish the same.
But for some reason, I could not open the URL http://alfrecoserver/alfresco/wcservice/mg/util/login in my IE. Any thoughts? I replaced the alfrescoserver with my Alfresco IP address and :8080. Still it does not open.

I assume the web script is the out of the box one from Alfresco and it's not custom built. Correct?