Cross domain webservice

reddy

Hi,

We have developed a webservice that retrieves Free/Busy information from the
Exchange Server and returns it to the client.

The webservice and webclient are installed on one domain. Exchange Server
is running in the other domain. Both the domains are in different forests.

Now when we try to call the webservice either directly or through webclient,
we are getting the following error
'401 Remote server denied access'.

The webservice and webclient are running under Anonymous access and the
credentials to log onto the Exchange Server are provided through an external
text file.

The web service works ok when both the service and Exchange server are in
the same domain or under the same parent domain. The cross domain trusts
are in place as is evident from
successful mapping of shares on either side.

What could be the problem? Any help is highly appreciated.

Thanks,

Reddy
I.S.Solutions P. Ltd.
 
reddy

Hi Frank,

Thanks for the info. But we are not able to run the webservice as an account
in the other domain. Where can we find more info on this and also on
creating mirrored account.

Reddy
 
Frank Drebin

Reddy,

Do you mean you don't know how or that you aren't allowed for some reason?
What I was saying below was almost the same thing - you would need to set
IIS to run as a different person, a person that BOTH machines know. So either
point both machines to an account (even if you create a new one called
"WebSvc Account") in Active Directory.

Or - create an account called "WebSvc Account" on the Exchange server, and
then create an account called "WebSvc Account" on the web server. Set the
Web Service IIS application to run as "WebSvc Account" - and on the Exchange
server, give that account whatever privileges the Web Service needs over
there. You need to make sure, that when the web service talks to the
Exchange server - they both see that that Web Service is a real, trusted
account... OR - you can have the web service run as this untrusted account
and talk to the Exchange server - and when it gets there, even if the
Exchange server doesn't know who you are or trust you - if the username and
password matches exactly to an account that is on that box, you will be let
in...

Another thing you may try, is authenticating programmatically... not sure if
this will work though. Here is a working class:

-----------------------------

using System;
using System.Runtime.InteropServices;

// Managed layout of the Win32 NETRESOURCE structure (ANSI variant).
[StructLayout(LayoutKind.Sequential)]
public struct NETRESOURCEA
{
    public int dwScope;
    public int dwType;
    public int dwDisplayType;
    public int dwUsage;
    [MarshalAs(UnmanagedType.LPStr)]
    public string lpLocalName;
    [MarshalAs(UnmanagedType.LPStr)]
    public string lpRemoteName;
    [MarshalAs(UnmanagedType.LPStr)]
    public string lpComment;
    [MarshalAs(UnmanagedType.LPStr)]
    public string lpProvider;

    public override String ToString()
    {
        String str = "LocalName: " + lpLocalName + " RemoteName: " + lpRemoteName
            + " Comment: " + lpComment + " lpProvider: " + lpProvider;
        return(str);
    }
}

class Authentication
{
    // Opens a connection to a network resource with explicit credentials.
    [DllImport("mpr.dll")]
    private static extern int WNetAddConnection2A(
        [MarshalAs(UnmanagedType.LPArray)] NETRESOURCEA[] lpNetResource,
        [MarshalAs(UnmanagedType.LPStr)] string lpPassword,
        [MarshalAs(UnmanagedType.LPStr)] string UserName,
        int dwFlags);

    // Closes a connection previously opened with WNetAddConnection2A.
    [DllImport("mpr.dll")]
    private static extern int WNetCancelConnection2(
        [MarshalAs(UnmanagedType.LPStr)] string lpName,
        int dwFlags,
        bool fForce);

    // Connects to \\Server\IPC$ as User/Password.
    // Returns 0 on success, otherwise the Win32 error code.
    public static int ValidateUser(string Server, string User, string Password)
    {
        NETRESOURCEA[] n = new NETRESOURCEA[1];
        n[0] = new NETRESOURCEA();
        n[0].dwType = 0;            // RESOURCETYPE_ANY
        int dwFlags = 1;            // CONNECT_UPDATE_PROFILE
        n[0].lpLocalName = null;    // no drive letter: deviceless connection
        n[0].lpRemoteName = @"\\" + Server + @"\IPC$";
        n[0].lpProvider = null;

        int res = WNetAddConnection2A(n, Password, User, dwFlags);
        return res;
    }

    // Connection is the remote name that was connected, e.g. \\Server\IPC$.
    public static void CancelConnection(string Connection)
    {
        WNetCancelConnection2(Connection, 0, true);
    }
}

-----------------------------

And to use this, you just do this:

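int intRet = Authentication.ValidateUser("MyServer", "hsimpson", "donuts");
if ( intRet == 0 )
{
    // login was good
    // the IPC$ connection stays open until
    // Authentication.CancelConnection(@"\\MyServer\IPC$") is called
}
else
{
    // login was bad - error number is intRet
}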


hth
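
Added example (not part of Frank's post or the original thread): a variant of the ValidateUser check above that uses the Unicode WNetAddConnection2 entry point, does not persist the connection, drops the IPC$ session after a successful check, and turns the return code into a readable cause. The names CredentialCheck, Check and Describe are hypothetical; the user name is assumed to be domain-qualified for the cross-forest case.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example; CredentialCheck, Check and Describe are hypothetical names.
static class CredentialCheck
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private class NETRESOURCE
    {
        public int dwScope, dwType, dwDisplayType, dwUsage;
        public string lpLocalName, lpRemoteName, lpComment, lpProvider;
    }

    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    private static extern int WNetAddConnection2(NETRESOURCE res, string password, string user, int flags);

    [DllImport("mpr.dll", CharSet = CharSet.Unicode)]
    private static extern int WNetCancelConnection2(string name, int flags, bool force);

    // Returns the Win32 error code (0 = credentials accepted).
    // user is assumed to be domain-qualified, e.g. @"OTHERDOMAIN\WebSvcAccount".
    public static int Check(string server, string user, string password)
    {
        string ipc = @"\\" + server + @"\IPC$";
        NETRESOURCE nr = new NETRESOURCE();
        nr.dwType = 0;           // RESOURCETYPE_ANY
        nr.lpRemoteName = ipc;   // lpLocalName stays null: deviceless connection
        int rc = WNetAddConnection2(nr, password, user, 0); // flags 0: do not persist
        if (rc == 0)
            WNetCancelConnection2(ipc, 0, true); // do not leave the session open
        return rc;
    }

    // Maps the codes most often seen in this scenario; anything else gets the system text.
    public static string Describe(int rc)
    {
        switch (rc)
        {
            case 0:    return "credentials accepted";
            case 53:   return "ERROR_BAD_NETPATH: server name not resolved or SMB not reachable";
            case 1219: return "ERROR_SESSION_CREDENTIAL_CONFLICT: a session to this server already exists under another account";
            case 1326: return "ERROR_LOGON_FAILURE: unknown user name or bad password";
            case 1909: return "ERROR_ACCOUNT_LOCKED_OUT: account is locked out";
            default:   return new Win32Exception(rc).Message;
        }
    }
}
```

Every failed check counts as a failed logon on the target server, so repeated calls with a wrong password can lock the account out.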
 
