<identity> Issues w/Web Service

N

nobody101

I have a web service configured with Anonymous access disabled.
The calling client, prior to executing a method on the service,
sets its network credentials for the IIS to authenticate:

CredentialCache cacheVU = new CredentialCache();
cacheVU.Add( new Uri(<my url here>), "Negotiate",new
NetworkCredential( Username, Password, Domain) );

WebServiceProxy.Credentials = cacheVU;


My web service method works OK. However, I need to access a network
share, so I wanted to use the

<identity impersonate="true" />

setting in my web service's web.config file. However,
when I try to access the remote share, I get an access denied error:
Access to the path "..." is denied

However, if I change the <identity> element and add the "username"
and "password" attributes - which are the same username and password
that the web service authentication use, it works OK.

I thought the <identity> w/o the username/password should
inherit the user context.

I added some debug statements, and displayed:

- Thread.CurrentPrincipal.Identity
- WindowsIdentity.GetCurrent
- User.Identity

and in both cases ( with and without explicit username/password in the
<identity> element), the
dumped names are the same, so I am assuming the impersonation is
enabled. So, why are my access rights denied for the case w/o the
explicit username/password defined?
 
B

Bruce Barker

its because of the 1 hop rule with nt authentication. to tlak to another
server server, the process need a primary token. when you set the user name
password in the webconfig, the web service has a primary token and can talk
to other network services as that user. when impersonating the login from
the user, this is not a primary token (thats on the client box), and can not
be used to access resouces on another server.

you have 2 work arounds

1) use basic instead of ntlm (should use https in this case as the password
passes in clear text). this will give the webservice a primary token.
2) use Kerberos, and allow creditial forwarding.

-- bruce (sqlwork.com)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

application pool identity question 3
Web Service Credentials 2
Remote SSH and Configuring code help 0
Identity impersonate not working 6
ASP.NET Forms Authentication site calling web service 8
Web Service Authentication 1
Pass through Windows Identity to Web Service 2
401: Unauthorized. Problem calling web service from forms authenti 1

Members online

No members online now.
Total: 26 (members: 0, guests: 26)
Robots: 198

Forum statistics

Threads
473,766
Messages
2,569,569
Members
45,042
Latest member
icassiem

Latest Threads

Top