Http Client Protocol Issues

If you use any of these solutions, please let me know so I can track whether any of this is useful to you! Thanks! This is an area to share observations I have made working with HTTP client protocols and the associated technologies. I currently work for the Microsoft team that supports the WinInet, WinHTTP and System.Net APIs and the classes associated with these technologies. This is not a replacement for Microsoft Support, but an area to discuss these technologies. These postings are provided "AS IS" with no warranties, and confer no rights. Use of the included code samples is subject to the terms specified at Microsoft - Information on Terms of Use

Using HttpWebRequest with Credential Manager

A little known fact is that the .NET Framework will use the credentials stored in Credential Manager when accessing a network resource, if credentials exist for that particular resource (host).  I intend to clear up how this functionality works for HttpWebRequest (you could extend this to Web Service calls as well).

In Internet Explorer, you can access a website that challenges you for credentials by filling in a username and password when the dialog is presented and asks you for authentication.  If you check ‘Remember my password’, these credentials will be stored in protected storage (Credential Manager).  You can see the stored credentials by running this command: control keymgr.dll.  These credentials are stored in protected storage in each user’s profile.  You can store these credentials by using control keymgr.dll, by using the interface available in Internet Explorer, or from C/C++ using the Credentials APIs (such as CredWrite).  If you do not check ‘Remember my password’, then these credentials are not stored in Credential Manager and .NET will not be able to use them.

The .NET Framework can use the currently logged-on user’s credentials to authenticate, but if you have a web site that requires different credentials you can store those credentials in Credential Manager and .NET will use them instead of the currently logged-on user's credentials.  To illustrate this I put together a very simple sample.

The target web server in my sample is jpsandershv2003.  I only enabled Windows Integrated Authentication in IIS on that box.  I then created a user ID JPSGuest on that IIS machine.  Finally I wrote a very simple .NET console application to create an HttpWebRequest and get the response.

   using System;
   using System.Net;

   class Program
   {
       static void Main()
       {
           HttpWebRequest aReq;
           HttpWebResponse aResp;

           aReq = WebRequest.Create("http://jpsandershv2003/") as HttpWebRequest;
           // Authenticate as the caller: .NET checks Credential Manager for this host first,
           // then falls back to the logged-on user's credentials.
           aReq.UseDefaultCredentials = true;
           aResp = aReq.GetResponse() as HttpWebResponse;
           aResp.Close();
       }
   }

When you run this code it will first look in Credential Manager for credentials for attaching to jpsandershv2003 and, if found, use those; otherwise the currently logged-on user's credentials will be used.  In my example, since I was logged on to my machine as jpsanders, I expected the credentials used to be my domain credentials, jpsanders.  I turned on logging, ensured the IIS log was recording the username and, sure enough, jpsanders was authenticated in IIS.

My next goal was to see if I could change this default behavior and make it log on using the jpsandershv2003\JPSGuest user credentials.  Using the command control keymgr.dll I was able to add the credential as a Windows logon credential (screenshot of the Stored User Names and Passwords dialog not reproduced here).

Now when I ran the console application I saw success in the IIS log!  I was logging in now as JPSGuest.

Taking a Fiddler (http://fiddlertool.com) trace of Internet Explorer also confirmed I was using the stored credentials and that these were NTLM credentials:

Domain: jpsandershv2003
User: JPSGuest
Host: JPSANDERS3

Can I store credentials and have it use Kerberos?  In theory yes, simply type in domain-based credentials.  However, I could not test this because I only have one logon to my domain and you cannot save your currently logged-on credentials in Credential Manager.

What about Basic and Digest?  NO, this would be a huge security hole.  Can you tell me why (it should be obvious)?  With Basic, the stored password itself would be sent on the wire to whatever server answers for that host name (and to anyone on the path over plain HTTP), whereas NTLM only sends a response to the server's challenge.

Note that the credentials used are independent of the port used.  So if I change the server to bind HTTP traffic on port 8089 and then change my code to access http://jpsandershv2003:8089, the code will still access the web site using the stored credentials.

To revert back to the interactive user, simply delete the credentials stored for jpsandershv2003.

Further observations

What is the second radio button, ‘A Web site or program credentials’, for?  This is for programs that are written against the Credentials API directly.  Some examples of this are Terminal Server (RDP) and Windows Live credentials.  Here are some great links about the APIs:
http://msdn.microsoft.com/en-us/library/aa374789(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa480470.aspx

NOTE: Because the credentials are stored in the context of the logged-on user, this technique will not work for non-interactive user accounts such as service accounts and ASP.NET applications.

Please send me a quick note if you found this Blog helpful!

Published Thursday, September 03, 2009 2:39 PM by jpsanders


Comments

 

mms said:

What about WCF service calls that use message security with the UserName clientCredentialType?  It works fine if we use the Windows credential type but not UserName.  I have entries for all kinds of hosts, both the domain that is being connected to and the certificate identity used to validate the certificate; nothing works.

Is there a way to manually talk to the credential manager and extract password data or somehow tell WCF to use it?

September 6, 2009 9:09 PM
 

jpsanders said:

There are APIs for CredMan.  They are listed here:

CredRead:

http://msdn.microsoft.com/en-us/library/aa374804(VS.85).aspx

Vista changes:

http://msdn.microsoft.com/en-us/library/cc540483.aspx

Pre Vista used Pstore but I am pretty sure after IE 8, everything will be stored in CredMan.

September 8, 2009 9:38 AM
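An added example, not code from the post or from any of the commenters, of what the CredRead link above points at: calling CredRead from C# through P/Invoke to fetch a credential the user stored as a generic (‘A Web site or program credentials’) entry, and handing it to HttpWebRequest explicitly. The target name MyServiceLogin, the cmdkey line and the server URI are assumptions. It also shows the limit that matters for the WCF UserName question: CredRead returns the secret only for generic credentials; the password blob of a Windows logon (CRED_TYPE_DOMAIN_PASSWORD) credential is released only to authentication packages, so those can only be used through the built-in UseDefaultCredentials path the post describes.

```csharp
using System;
using System.ComponentModel;
using System.Net;
using System.Runtime.InteropServices;

// Added example, not code from the original post or its comments.
// Reads a GENERIC credential from the current user's Credential Manager via CredRead
// and attaches it to an HttpWebRequest. The target name "MyServiceLogin" and the
// server URI are assumptions; store such a credential first with
//   cmdkey /generic:MyServiceLogin /user:jpsandershv2003\JPSGuest /pass:<password>
static class CredManExample
{
    const uint CRED_TYPE_GENERIC = 1;
    const int ERROR_NOT_FOUND = 1168;

    // Layout of the native CREDENTIALW structure (advapi32).
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CREDENTIAL
    {
        public uint Flags;
        public uint Type;
        public string TargetName;
        public string Comment;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
        public uint CredentialBlobSize;
        public IntPtr CredentialBlob;
        public uint Persist;
        public uint AttributeCount;
        public IntPtr Attributes;
        public string TargetAlias;
        public string UserName;
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredRead(string targetName, uint type, uint flags, out IntPtr credential);

    [DllImport("advapi32.dll")]
    static extern void CredFree(IntPtr buffer);

    // Returns the stored generic credential, or null if none exists for targetName.
    // Only CRED_TYPE_GENERIC is readable here: the password blob of a Windows logon
    // (CRED_TYPE_DOMAIN_PASSWORD) credential is returned only to authentication packages.
    public static NetworkCredential ReadGeneric(string targetName)
    {
        IntPtr p;
        if (!CredRead(targetName, CRED_TYPE_GENERIC, 0, out p))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_NOT_FOUND) return null;
            throw new Win32Exception(err);
        }
        try
        {
            var c = (CREDENTIAL)Marshal.PtrToStructure(p, typeof(CREDENTIAL));
            // Assumption: the blob is the UTF-16 password without a trailing NUL,
            // as written by cmdkey and the Credential Manager UI.
            string password = c.CredentialBlobSize == 0
                ? string.Empty
                : Marshal.PtrToStringUni(c.CredentialBlob, (int)(c.CredentialBlobSize / 2));
            string user = c.UserName ?? string.Empty, domain = string.Empty;
            int slash = user.IndexOf('\\');
            if (slash > 0) { domain = user.Substring(0, slash); user = user.Substring(slash + 1); }
            return new NetworkCredential(user, password, domain);
        }
        finally
        {
            CredFree(p); // frees the native buffer; PtrToStructure already copied the strings
        }
    }

    // Scope the credential to one URI prefix and to NTLM only, so it is never offered
    // to a server that answers with a Basic challenge (which would send the password itself).
    public static HttpWebResponse GetWithStoredCredential(Uri uri, string targetName)
    {
        NetworkCredential cred = ReadGeneric(targetName);
        if (cred == null)
            throw new InvalidOperationException("No generic credential stored for " + targetName);

        var cache = new CredentialCache();
        cache.Add(uri, "NTLM", cred);

        var req = (HttpWebRequest)WebRequest.Create(uri);
        req.Credentials = cache;
        return (HttpWebResponse)req.GetResponse();
    }

    static void Main()
    {
        using (HttpWebResponse resp = GetWithStoredCredential(new Uri("http://jpsandershv2003/"), "MyServiceLogin"))
        {
            Console.WriteLine("Status: " + (int)resp.StatusCode + " " + resp.StatusDescription);
        }
    }
}
```

The UserName and Password of the NetworkCredential returned by ReadGeneric can equally be copied into a WCF proxy's ClientCredentials.UserName, which is the case the first comment asks about; the CredentialCache scoping in GetWithStoredCredential is the detail to keep, because an unscoped NetworkCredential on req.Credentials is offered for any scheme the server challenges with.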
 

Mike Elliott said:

I've been interested by this feature in Windows 7.  Is there a way to log queries to the Credential Manager by Windows?  E.g. I access a corporate resource or website when using a non-domain-joined client.  I get prompted for some creds.  Is there a way I can check which creds need to be added to Cred Manager to prevent the prompt next time around?

There seem to be occasions where I tick a box to store the creds during authentication, but then I get prompted again next time.

September 8, 2009 9:53 AM
 

jpsanders said:

Mike,

I assume you are talking about Internet Explorer?  Is that true?  You should note what occasions this works and for which ones it does not to further troubleshoot this.

September 11, 2009 7:34 AM

© 2009 Microsoft Corporation. All rights reserved.