Don’t forget about the double hop

Posted: March 23, 2007 in Technical

I have to admit, I was 100% embarrassed by this when it happened. It led to a full week in hell for me, and the sad part is that it was not the first time it had happened. So, let me explain. I had coded a nice little ASP.Net app that took a user's credentials (via integrated security) and contacted an Exchange 2007 Web Service to grab and display a real quick summary of the user's inbox and calendar (after all, we do not want to reinvent OWA). This was to be loaded into a SharePoint Portal Server 2003 intranet portal, in a small little web part running in the window. What's more, it was loaded via an AJAX call from the client. So now I hope and pray that someone reading this is not seeing the blatantly obvious flaw in this plan. To give you a hint, they did not have Kerberos set up on this network.

So, for those of you who, like me, forgot something which not too long ago was a huge issue that always stood in the front of my mind: it is all about NTLM and the tokens generated between the client and server. Once upon a time, a long time ago (well, long in IT terms anyway), I ran into this issue head on. That was a while ago, and it had been a long time since I needed to actually impersonate a user beyond the standard client/server setup.

The "issue" with NTLM is, I assume, completely by design. When a client authenticates to the server, a token is generated for that authentication which is valid only between those two physical computers. I mean, imagine the havoc you could wreak if you were to slip an integrated auth web site onto a corporate web server (especially since you can install it easily with an msi) or if you quietly slipped some code into a base class. Once you had that user's auth, you could now be them for calls all across an enterprise. You could grab all their email, trash corporate resources, steal files, and everything you did, you would do as them. A decent hacker could probably come up with a million other scenarios. I imagine admins everywhere would be forever afraid to log in.

Anyway, what kind of characteristics will you see when you are in this situation? Well, for one, you will be able to open the site on the server and log in as whoever just fine. Then someone hits it remotely and your web service call returns a 401.1 authentication error.
(While I have it in my head, here is a good way to diagnose those 401 issues: http://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx)

So what are the ways around it? Well, first of all, there is delegation using Kerberos auth; there are some restrictions to it, though, and you will need to read up on it and see if it is a fit for your situation. In our case, we moved the ASP.Net app to a special port on the Exchange server itself. That way our communication became between two physical machines and NTLM was just fine. So should you fall into this conundrum yourself, here is an awesome link for you:
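Before moving the app or setting up delegation, it helps to confirm you are actually looking at the double hop. The following diagnostic page is an added example (not code from the original post); it assumes an ASP.NET Web Forms page called `HopCheck` running under Windows integrated authentication on .NET 2.0 or later, and it reports the impersonation level of the token IIS handed to your app, which is what decides whether that token can be used against a second machine.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// HopCheck is a hypothetical diagnostic page: drop it into the web app that
// makes the second-hop call (here, the Exchange Web Service) and browse to it
// both on the server and from a remote client.
public partial class HopCheck : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // The identity IIS established for this request via integrated auth.
        WindowsIdentity user = HttpContext.Current.User.Identity as WindowsIdentity;
        if (user == null || !user.IsAuthenticated)
        {
            Response.Write("Request is not Windows-authenticated; check the IIS auth settings.\n");
            return;
        }

        Response.Write("User:               " + user.Name + "\n");
        // Name of the authentication package that produced the token (e.g. NTLM or Kerberos).
        Response.Write("AuthenticationType: " + user.AuthenticationType + "\n");
        // Identification/Impersonation: usable on this box only.
        // Delegation: the token can be presented to another machine as this user.
        Response.Write("ImpersonationLevel: " + user.ImpersonationLevel + "\n");

        bool canHop = user.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        Response.Write(canHop
            ? "Delegation-level token: the call to the next server can run as this user.\n"
            : "No delegation-level token: the next hop will answer 401 unless the service "
              + "is on this machine or Kerberos delegation is configured for this app.\n");
    }
}
```

If the remote request shows an NTLM token at Impersonation level while the same page on the server looks fine, you have reproduced the symptom described above without touching Exchange at all.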
 
The "Double Hop" issue
 
 