
I have an MVC4 ASP.NET app that uses forms authentication. I have a view with an iframe that I want to show contents from a local intranet site that uses domain authentication. Users from the MVC website don't have access to the local server, so I need to impersonate a domain user to show the local content. I tried making a WebRequest first but it didn't save the credentials. I don't have admin privileges on either server, so I can't change IIS or other settings. Any ideas?

Fraposo

1 Answer


In general, it is very bad security to impersonate a domain user when accessed via the internet. Chances are, if the intranet site was not made public it was made that way for a reason and you may be exposing company resources to attack by opening it up via a freely available website.

A safer approach would be to duplicate the logic of the intranet site you are looking to expose and meticulously merge its functionality onto a page in your external MVC app. It's more work, but it could potentially not cause you to be the reason hackers or script kiddies were able to steal valuable data.

That being said, the way to impersonate a web request with authentication would be to make a series of HttpRequest objects and store the cookie information. This is how all of the authentication happens, and as long as you pass cookies from request to request, you should have free rein. But don't do this unless you are absolutely sure that your company is aware of the potential disasters and hopefully the maintainers of the intranet application are aware that they are being exposed in this manner.

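// requires: using System.Net;
public void BadIdea()
{
  // The container must be attached before the request is sent;
  // without it, response.Cookies comes back empty.
  CookieContainer cookieJar = new CookieContainer();

  // "intranet-login-url" is a placeholder for the absolute login URL
  HttpWebRequest request = (HttpWebRequest)WebRequest.Create(
    "intranet-login-url");
  request.Credentials = CredentialCache.DefaultCredentials;
  request.CookieContainer = cookieJar;
  using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
  {
    CookieCollection authCookies = response.Cookies;
  }

  // now pass authCookies' contents to each future WebRequest's cookie collection
  //  (or reuse cookieJar on those requests)
  //  to allow all manner of unscrupulous individuals to access your valuable
  //  company sekrits!
}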
welegan
  • Hi Welegan, I may not have explained my intentions right. The point here is to have a single login. The intranet site is a SQL reporting server. I want to avoid replicating the users on both sites or creating AD users to see the reports. I also tried to use a ReportViewer control to process the report in remote mode but I couldn't make it work on the server (works well on localhost). Anyway, the idea or workaround would be to use the ReportViewer of the server in an iframe. Not how to do that with WebRequest or how to pass cookie to iframe :S – Fraposo Jul 05 '13 at 10:32
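
A narrower alternative to passing the intranet session on to the browser, as an added example that is not part of the original answer or comment: the MVC app fetches one allow-listed report server-side with a dedicated read-only account, so neither the credentials nor the cookies reach the client. The controller name, host name, report path and appSettings keys are assumptions; the `rs:` parameters are standard SSRS URL access.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IO;
using System.Net;
using System.Web.Mvc;

[Authorize] // only forms-authenticated users of the MVC site get this far
public class ReportsController : Controller
{
    // Hypothetical allow-list: public id -> report path on the report server.
    // Callers can never supply a path or URL of their own.
    private static readonly Dictionary<string, string> AllowedReports =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "monthly-sales", "/Sales/MonthlySummary" } // constructed sample entry
        };

    // Placeholder base URL (assumption, not from the original page).
    private const string ReportServer = "https://reports.intranet.example/ReportServer";

    public ActionResult Show(string id)
    {
        string path;
        if (id == null || !AllowedReports.TryGetValue(id, out path))
            return HttpNotFound();

        string url = ReportServer + "?" + path + "&rs:Command=Render&rs:Format=PDF";
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.AllowAutoRedirect = false; // never follow the server to another host

        // Dedicated read-only domain account; appSettings key names are assumed.
        request.Credentials = new NetworkCredential(
            ConfigurationManager.AppSettings["ReportUser"],
            ConfigurationManager.AppSettings["ReportPassword"],
            ConfigurationManager.AppSettings["ReportDomain"]);

        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (Stream body = response.GetResponseStream())
        using (MemoryStream buffer = new MemoryStream())
        {
            if (response.StatusCode != HttpStatusCode.OK)
                return new HttpStatusCodeResult(502); // redirect or other non-200 reply
            body.CopyTo(buffer);
            return File(buffer.ToArray(), "application/pdf");
        }
    }
}
```

The iframe then points at the MVC action (for example `/Reports/Show/monthly-sales`) instead of the intranet host, and the account's rights on the report server bound what any external user can reach.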