Illegal to mix Authentication methods?

mklapp

Hello,

I have a Web Service, a Winform client and a web Application. The Web App and the WinForm Client use the same Web Service (or such is the plan).

The WinForm Client and the Webservice work together using Integrated Windows Authentication and work well.

The nature of the Web App compels me to use Forms authentication. The default page redirects to the login page for the login. The login screen accesses the Web Service through the proxy generated by WSDL.exe.

The intent is to only allow authenticated Windows users to reach the Login screen in the first place. After the login screen, access to the App pages will be via cookie authentication. Each of the web pages accesses the Web Service (through the proxy). Anonymous access is turned off. Where authentication can be specified in the App path through IIS, it has been set to Integrated Windows.

The code:

Line 42: pss = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPss.Text, "sha1")
Line 43:
Line 44: If proxy.ValidateUser(txtUser.Text, pss) Then <-----------The bad line

Line 45: FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
Line 46: Else


The returned exception is below.


WebException: The request failed with HTTP status 401: Access Denied.]
System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
MABillingService.ValidateUser(String UserId, String psswd)
_3rdPartyWeb.login.btnLogin_Click(Object sender, EventArgs e) in c:\inetpub\wwwroot\3rdPartyWeb\login.aspx.vb:44
System.Web.UI.WebControls.Button.OnClick(EventArgs e)
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
System.Web.UI.Page.ProcessRequestMain()

Must I set authentication to Anonymous if I am using Forms? Can one client use Integrated Windows with a web service while another uses Forms through the proxy for the same service?

I have read a lot, but everything is spread all over the place and little of it is tied together.
 
Hernan de Lahitte

I think this article will shed some light on the subject.
http://msdn.microsoft.com/asp.net/default.aspx?pull=/library/en-us/dnaspp/html/mixedsecurity.asp


 
Steven Cheng[MSFT]

Hi Mklapp,

Thank you for posting in the community. I'm reviewing this issue and found that
this thread seems to be a duplicate of another one whose subject is:
"what loads proxies?"
in the ASP.NET queue. I've replied to you in that thread. Please check out my
suggestions there to see whether they'll be helpful. Also, I think the tech
article Hernan has provided is also very informative; you may have a look
at it.
If you feel anything is unclear or if my suggestion there is not quite
suitable for you, please feel free to let me know.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
David Qiu

When you access the Web service from the WinForm app, I expect you have set
the credential property on the proxy.
proxy.Credentials = myCache

[C#]
wReq.Credentials = CredentialCache.DefaultCredentials;
[Visual Basic]
wReq.Credentials = CredentialCache.DefaultCredentials


I don't see you have done the same thing in the ASP.NET Web app. How do you
handle the authentication between ASPX and the Web service?
Are they on the same machine?

Thanks,
David
Microsoft Developer Support
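
Added example (not code from the thread or from any poster): the login handler from the original post with credentials set on the WSDL.exe proxy, as the reply above describes, and with the IIS 401 kept separate from a failed login. MABillingService, ValidateUser, txtUser, txtPss and btnLogin come from the post; lblMsg and the message texts are hypothetical.

```vb
Imports System.Net
Imports System.Web.Security
Imports System.Web.UI.WebControls

' Added example. MABillingService is the WSDL.exe proxy named in the stack
' trace; lblMsg is a hypothetical Label used for status text.
Public Class login
    Inherits System.Web.UI.Page

    Protected WithEvents txtUser As TextBox
    Protected WithEvents txtPss As TextBox
    Protected WithEvents btnLogin As Button
    Protected WithEvents lblMsg As Label   ' hypothetical control

    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) _
            Handles btnLogin.Click
        Dim proxy As New MABillingService()

        ' A generated proxy sends no credentials unless told to. Against an IIS
        ' directory with anonymous access disabled, that produces the 401.
        ' DefaultCredentials is the security context of the current thread:
        ' the worker process account unless impersonation is enabled.
        proxy.Credentials = CredentialCache.DefaultCredentials

        Dim pss As String = _
            FormsAuthentication.HashPasswordForStoringInConfigFile(txtPss.Text, "sha1")

        Try
            If proxy.ValidateUser(txtUser.Text, pss) Then
                FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
            Else
                lblMsg.Text = "Invalid user name or password."
            End If
        Catch ex As WebException
            If TypeOf ex.Response Is HttpWebResponse AndAlso _
               DirectCast(ex.Response, HttpWebResponse).StatusCode = HttpStatusCode.Unauthorized Then
                ' Rejected by IIS before ValidateUser ran: a transport-level
                ' authentication failure, not a wrong application password.
                lblMsg.Text = "The Web service rejected the application's credentials."
            Else
                Throw
            End If
        End Try
    End Sub
End Class
```

With Forms authentication and no impersonation, the identity sent is the ASP.NET worker process account, so that account, not the Forms user who logged in, is what the service's directory has to allow.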
 
mklapp

The authentication strategy here is an evolving thing. I am only configuring Authentication between the App and (I guess) IIS. The web service is for both internal use by a WinForm client and external use by a Web App. Authentication is implemented by both as a user login. This prevents unauthorized users from using the apps to access the Web Service. The nature of a web service, of course, lets any app negotiate the service through a published interface.

It is my intent not to publish the interface. Granted, my intent may be frustrated by the nature of the beast. The same high level of abstraction that makes it possible to do so much so quickly also could set up functionality I do not know about. The directory holding the web service is planned to disallow anonymous access. Beyond that, the strategy will be determined by what is possible and necessary.
 
David Qiu

I am sorry I don't quite understand your problem. What is the
authentication setting of the Web service in IIS? How do you invoke the Web
service method from the aspx page? The 401 error comes from IIS. Can you
use the same code to call the Web service from another aspx page that
doesn't use Form auth?

David
Microsoft Developer Support
Distributed Services
 
