<?xml version="1.0" encoding="utf-8"?><rss version="2.0"><channel><title>Ayende @ Rahien</title><link>http://ayende.com</link><description>Ayende @ Rahien</description><copyright>Copyright (C) Ayende Rahien  2004 - 2021 (c) 2026</copyright><ttl>60</ttl><item><title>James Kovacs commented on In the authentication maze</title><description>You need to run some code in the A1 domain to perform the protocol transition. It would work if you could interpose yourself between A2 and the callback into the standard Windows Auth ASMX service in A1 (or SWAASA1 for short). It could be a web service you control that could then call the SWAASA1 or an HttpModule installed in the SWAASA1's pipeline.
</description><link>http://ayende.com/2740/in-the-authentication-maze#comment8</link><guid>http://ayende.com/2740/in-the-authentication-maze#comment8</guid><pubDate>Mon, 27 Aug 2007 04:53:28 GMT</pubDate></item><item><title>Ayende Rahien commented on In the authentication maze</title><description>James,
  
I control the first and second services, but not the final one.
  
That is a standard Windows Auth ASMX service. Would it still work?
</description><link>http://ayende.com/2740/in-the-authentication-maze#comment7</link><guid>http://ayende.com/2740/in-the-authentication-maze#comment7</guid><pubDate>Mon, 27 Aug 2007 04:35:58 GMT</pubDate></item><item><title>James Kovacs commented on In the authentication maze</title><description>You could make this work using Kerberos and Protocol Transition.
  
  
http://msdn2.microsoft.com/en-us/library/ms998355.aspx
  
  
The website on A1 would need to pass some identifier to A2. When A2 called back, A1 could use any method to authenticate the incoming call and then use Protocol Transition to get a Kerberos ticket for the original user.
  
  
@Morgan - Windows auth hides two different protocols - NTLM (older) and Kerberos v5 (newer). NTLM is point-to-point and cannot perform multi-server hops. Kerberos can perform multi-server hops. The default is Kerberos if you're in a Win2K or higher domain and all clients/servers understand Kerberos.
</description><link>http://ayende.com/2740/in-the-authentication-maze#comment6</link><guid>http://ayende.com/2740/in-the-authentication-maze#comment6</guid><pubDate>Sun, 26 Aug 2007 22:51:08 GMT</pubDate></item><item><title>Morgan commented on In the authentication maze</title><description>Since the user is identified with Windows authentication on the website, I can't see how the website can pass the user credentials to the web service on A2 in a usable way for A2 to call the web service on A1. Windows authentication works from point-to-point only.
</description><link>http://ayende.com/2740/in-the-authentication-maze#comment5</link><guid>http://ayende.com/2740/in-the-authentication-maze#comment5</guid><pubDate>Sun, 26 Aug 2007 19:44:30 GMT</pubDate></item><item><title>Ayende Rahien commented on In the authentication maze</title><description>Assume that I am ignorant about this, can you point me to a code sample about this?
</description><link>http://ayende.com/2740/in-the-authentication-maze#comment4</link><guid>http://ayende.com/2740/in-the-authentication-maze#comment4</guid><pubDate>Sun, 26 Aug 2007 19:41:56 GMT</pubDate></item><item><title>shawn commented on In the authentication maze</title><description>Fair enough, but in that scenario, unless I'm missing something, you could simply convert your Kerberos ticket into standard Windows credentials and pass them along to the final service point.
</description><link>http://ayende.com/2740/in-the-authentication-maze#comment3</link><guid>http://ayende.com/2740/in-the-authentication-maze#comment3</guid><pubDate>Sun, 26 Aug 2007 19:16:57 GMT</pubDate></item><item><title>Ayende Rahien commented on In the authentication maze</title><description>I don't control the final WS, that is Windows Auth only.
  
I control the first and second WS (ASMX and WCF, respectively).
</description><link>http://ayende.com/2740/in-the-authentication-maze#comment2</link><guid>http://ayende.com/2740/in-the-authentication-maze#comment2</guid><pubDate>Sun, 26 Aug 2007 19:11:46 GMT</pubDate></item><item><title>shawn commented on In the authentication maze</title><description>I tend to use SOAP headers that contain Kerberos tickets for this sort of thing. A simple base class-esque piece of functionality and all of your web services can be smart enough to pass it along when it's present.
</description><link>http://ayende.com/2740/in-the-authentication-maze#comment1</link><guid>http://ayende.com/2740/in-the-authentication-maze#comment1</guid><pubDate>Sun, 26 Aug 2007 18:05:45 GMT</pubDate></item></channel></rss>