Ayende @ Rahien

My name is Oren Eini
Founder of Hibernating Rhinos LTD and RavenDB.

In the authentication maze



Well, it looks like I have once again managed to put myself in a tricky spot. I have the following scenario:

  • Domains: A1 & A2 - no trust or any association between the two.
  • A user accesses a website on A1, using Windows authentication, which makes a web service call to a machine on domain A2 (anonymous security, at the moment).
  • As a result of the web service call, the machine on A2 needs to make another web service call to A1, and it needs to do it with Windows authentication, with the credentials of the original user.

Now, I control the machine in A1 (.NET 1.1 ASMX web services) and I can do whatever I want to the machine in A2 (WCF). There is no trust between the domains, as I said, so I don't think that I can make Windows authentication work between the two. Frankly, I don't care about authenticating users; I just need their credentials when I am going back to the machine in A1.

Any suggestions?



I tend to use soapheaders that contain kerberos tickets for this sort of thing. A simple base class-esque piece of functionality and all of your web services can be smart enough to pass it along when it's present.

Ayende Rahien

I don't control the final WS, that is Windows Auth only.

I control the first and second WS (ASMX and WCF, respectively).


Fair enough, but in that scenario, unless I'm missing something, you could simply convert your Kerberos ticket into standard Windows credentials and pass them along to the final service point.

Ayende Rahien

Assume that I am ignorant about this, can you point me to a code sample about this?


Since the user is identified with Windows authentication on the website, I can't see how the website can pass the user credentials to the web service on A2 in a usable way for A2 to call the web service on A1. Windows authentication works from point-to-point only.

James Kovacs

You could make this work using Kerberos and Protocol Transition.


The website on A1 would need to pass some identifier to A2. When A2 called back, A1 could use any method to authenticate the incoming call and then use Protocol Transition to get a Kerberos ticket for the original user.

@Morgan - Windows auth hides two different protocols - NTLM (older) and Kerberos v5 (newer). NTLM is point-to-point and cannot perform multi-server hops. Kerberos can perform multi-server hops. The default is Kerberos if you're in a Win2K or higher domain and all clients/servers understand Kerberos.

Ayende Rahien


I control the first and second services, but not the final one.

That is a standard Windows Auth ASMX service. Would it still work?

James Kovacs

You need to run some code in the A1 domain to perform the protocol transition. It would work if you could interpose yourself between A2 and the callback into the standard Windows Auth ASMX service in A1 (or SWAASA1 for short). It could be a web service you control that could then call the SWAASA1, or an HttpModule installed in the SWAASA1's pipeline.
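Worked example of the "web service you control in A1" variant that James describes (added here; this is not code from the post or from any of the commenters). The flow it assumes: the A1 website, which already knows the user from its own Windows authentication, issues a per-request nonce and an HMAC over the user's UPN and that nonce when it calls A2; A2 passes the UPN, nonce and MAC through unchanged to a bridge ASMX service in A1; the bridge verifies the MAC, performs Kerberos protocol transition (S4U2Self) via the `WindowsIdentity(string upn)` constructor, impersonates the resulting token and calls SWAASA1 with default credentials. The names `BridgeService`, `SwaasaProxy`, `DoWork`, `CallOnBehalfOf`, `AuthenticateCallback`, the `BridgeHmacKey` app setting and the URLs are all assumptions made for the example. Protocol transition needs a Windows Server 2003 (or later) domain functional level, and for the hop to SWAASA1 to carry the user's identity the bridge's service account must be configured for constrained delegation with "use any authentication protocol" and SWAASA1's HTTP SPN in its allowed-to-delegate-to list; without that the token is identification-level only and SWAASA1 answers 401.

```csharp
// Added example: ASMX bridge service in domain A1 performing Kerberos protocol
// transition on behalf of a user that the A1 website identified. Not from the post.
using System;
using System.Collections;
using System.Configuration;
using System.Net;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService(Namespace = "http://example.invalid/bridge")] // placeholder namespace
public class BridgeService : WebService
{
    // Hypothetical wsdl.exe-style proxy for the Windows-Auth-only ASMX service (SWAASA1).
    class SwaasaProxy : SoapHttpClientProtocol
    {
        public SwaasaProxy(string url) { Url = url; }

        [SoapDocumentMethod("http://example.invalid/swaasa1/DoWork")] // placeholder action
        public string DoWork(string input)
        {
            object[] results = Invoke("DoWork", new object[] { input });
            return (string)results[0];
        }
    }

    // Nonces already honoured. In-process only for the example; a farm would need a shared
    // store, and a real one would expire old entries instead of growing without bound.
    static readonly Hashtable usedNonces = new Hashtable();

    [WebMethod]
    public string CallOnBehalfOf(string userUpn, string nonce, string callbackMac, string input)
    {
        // 1. Authenticate the callback before trusting the UPN it asserts. Anyone who can
        //    pass this check obtains a token for any user, so the check is bound to the
        //    specific request (UPN + nonce) rather than being a bare shared secret.
        if (!AuthenticateCallback(userUpn, nonce, callbackMac))
            throw new SoapException("Callback not authenticated", SoapException.ClientFaultCode);

        // 2. Protocol transition (S4U2Self): given only a UPN, the KDC issues us a service
        //    ticket for that user to ourselves. No password is involved.
        WindowsIdentity user = new WindowsIdentity(userUpn);

        // 3. Impersonate and make the hop to SWAASA1. DefaultCredentials picks up the
        //    impersonated token; the constrained-delegation setup described in the
        //    lead-in is what lets that token authenticate on the network.
        using (WindowsImpersonationContext ctx = user.Impersonate())
        {
            SwaasaProxy proxy = new SwaasaProxy("http://swaasa1.a1.example/Service.asmx"); // placeholder URL
            proxy.Credentials = CredentialCache.DefaultCredentials;
            return proxy.DoWork(input);
        }
    }

    // Hypothetical check: the A1 website computes HMAC-SHA256(key, upn|nonce) with a key
    // shared only between itself and this bridge; A2 never needs to know the key.
    static bool AuthenticateCallback(string userUpn, string nonce, string callbackMac)
    {
        string keyHex = ConfigurationManager.AppSettings["BridgeHmacKey"]; // placeholder setting name
        if (keyHex == null || userUpn == null || nonce == null || callbackMac == null) return false;

        byte[] presented;
        try { presented = FromHex(callbackMac); } catch (FormatException) { return false; }

        byte[] expected;
        using (HMACSHA256 hmac = new HMACSHA256(FromHex(keyHex)))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(userUpn + "|" + nonce));

        if (!FixedTimeEquals(expected, presented)) return false;

        // Replay protection: each nonce is honoured exactly once.
        lock (usedNonces.SyncRoot)
        {
            if (usedNonces.ContainsKey(nonce)) return false;
            usedNonces[nonce] = DateTime.UtcNow;
        }
        return true;
    }

    // Compare MACs without short-circuiting on the first differing byte.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static byte[] FromHex(string hex)
    {
        if (hex.Length % 2 != 0) throw new FormatException("odd-length hex string");
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return bytes;
    }
}
```

The important design point is step 1: protocol transition lets this service mint a token for any user it names, so the bridge is only as safe as the proof that the A1 website really saw that user on this request. Binding the MAC to the UPN and a one-time nonce, keeping the key out of A2's hands, and restricting delegation to SWAASA1's SPN alone are what keep the bridge from becoming a general "become anyone" endpoint.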


