"Markus" <markusWERBUNG@awisto.de> wrote in message
news:CDD2539E-98AB-4410-A4B2-08898CEC996D@microsoft.com...
> Hi Nicole,
>
> thanks for your fast reply.
>
> I understand your issue but:
>
> - The control is fully trusted (!)
Even unmanaged code does not have access to this information.
> - The control can propagate the credentials the ie process has been opened
> with (the network logon)
Those are the credentials under which the control is running, not
credentials cached under another process (IE). In addition, the control
doesn't actually have direct access to the credentials themselves. Don't
forget that the target site may use basic authentication, in which case the
user name and password will both be exposed.
> So why can't it propagate those credentials the site it is hosted by has
> been accessed with?
Presumably because Microsoft has deemed the risk to be too great.
> Is there a WIN 32 API allowing this behaviour?
> Is this possible with COM/ATL/ActiveX?
AFAIK, IE does not allow this information to be divulged to any hosted
control, regardless of the technologies used to build it. You might want to
try an IE programming group if you want to confirm this.
That said, there are other ways to work around the problem. See
http://groups-beta.google.com/group/microsoft.public.dotnet.security/browse_frm/thread/21ffb3fbbe4b1aa4/3805e0f0a2e45d7c
for some options.
>
> Thanks for your help
>
>
> "Nicole Calinoiu" wrote:
>
>> No, it's not possible. If it were, it would represent a security hole in IE
>> since hosted controls (.NET, ActiveX, applet, etc.) would be able to
>> potentially misuse those credentials, for example in traffic redirected at
>> other sites.
>>
>>
>>
>> "Markus" <markusWERBUNG@awisto.de> wrote in message
>> news:E64C0595-C753-429C-8BAE-88DE59AB1F72@microsoft.com...
>> > Hi,
>> >
>> > I have a fully trusted .Net Control hosted by the Internet Explorer. The
>> > actual user is authenticated against domain x and the control comes from a
>> > website within domain y. Assume that the user authenticated itself by using
>> > any type of authentication, except Windows (NTLM) using credentials from
>> > domain y.
>> >
>> > The control must propagate the domain y credentials and not those from the
>> > logon domain x which are accessible via
>> > CredentialCache.DefaultCredentials.
>> >
>> > Is this possible?
>> >
>> > Thanks for your help.
>> >
>> > Markus
>>
>>
>>