Illegal to mix Authentication methods ?

Discussion in 'ASP .Net Security' started by mklapp, Jan 30, 2004.

  1. mklapp

    mklapp Guest

    Hello,

    I have a Web Service, a Winform client and a web Application. The Web App and the WinForm Client use the same Web Service (or such is the plan).

    The WinForm Client and the Webservice work together using Integrated Windows Authentication and works well.

    The nature of the Web App, compels me to use Forms authentication. The default page redirects to the login page for the login. The login screen access the Web Service through the proxy generated by WSDL.exe.

    The intent is to only allow authenticated windows users to reach the Login screen in the first place. After the login screen, access to the App pages will be via cookie authentication. Each of the web pages access the Web Service (through the proxy). Anonymous access is turned off. Where authentication can be specified in the App path through IIS, it has been set to Integrated Windows.

    The code :

    Line 42: pss = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPss.Text, "sha1")
    Line 43:
    Line 44: If proxy.ValidateUser(txtUser.Text, pss) Then <-----------The bad line

    Line 45: FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
    Line 46: Else


    The returned exception is below.


    WebException: The request failed with HTTP status 401: Access Denied.]
    System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
    System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
    MABillingService.ValidateUser(String UserId, String psswd)
    _3rdPartyWeb.login.btnLogin_Click(Object sender, EventArgs e) in c:\inetpub\wwwroot\3rdPartyWeb\login.aspx.vb:44
    System.Web.UI.WebControls.Button.OnClick(EventArgs e)
    System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
    System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
    System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
    System.Web.UI.Page.ProcessRequestMain()

    Must I set authentication to Anonymous if I am using Forms? Can one client use Integrated Windows with a web service while another uses Forms through the proxy for the same service?

    I have read a lot, but everything is spread all over the place and little of it is tied together.
    mklapp, Jan 30, 2004
    #1
    1. Advertising

  2. I think this article will shed some light on the subject.
    http://msdn.microsoft.com/asp.net/default.aspx?pull=/library/en-us/dnaspp/ht
    ml/mixedsecurity.asp


    "mklapp" <> escribió en el mensaje
    news:...
    > Hello,
    >
    > I have a Web Service, a Winform client and a web Application. The Web

    App and the WinForm Client use the same Web Service (or such is the plan).
    >
    > The WinForm Client and the Webservice work together using Integrated

    Windows Authentication and works well.
    >
    > The nature of the Web App, compels me to use Forms authentication. The

    default page redirects to the login page for the login. The login screen
    access the Web Service through the proxy generated by WSDL.exe.
    >
    > The intent is to only allow authenticated windows users to reach the

    Login screen in the first place. After the login screen, access to the App
    pages will be via cookie authentication. Each of the web pages access the
    Web Service (through the proxy). Anonymous access is turned off. Where
    authentication can be specified in the App path through IIS, it has been set
    to Integrated Windows.
    >
    > The code :
    >
    > Line 42: pss =

    FormsAuthentication.HashPasswordForStoringInConfigFile(txtPss.Text, "sha1")
    > Line 43:
    > Line 44: If proxy.ValidateUser(txtUser.Text, pss) Then

    <-----------The bad line
    >
    > Line 45:

    FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
    > Line 46: Else
    >
    >
    > The returned exception is below.
    >
    >
    > WebException: The request failed with HTTP status 401: Access Denied.]
    >

    System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClient
    Message message, WebResponse response, Stream responseStream, Boolean
    asyncCall)
    > System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String

    methodName, Object[] parameters)
    > MABillingService.ValidateUser(String UserId, String psswd)
    > _3rdPartyWeb.login.btnLogin_Click(Object sender, EventArgs e) in

    c:\inetpub\wwwroot\3rdPartyWeb\login.aspx.vb:44
    > System.Web.UI.WebControls.Button.OnClick(EventArgs e)
    >

    System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePo
    stBackEvent(String eventArgument)
    > System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler

    sourceControl, String eventArgument)
    > System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
    > System.Web.UI.Page.ProcessRequestMain()
    >
    > Must I set authentication to Anonymous if I am using Forms? Can one

    client use Integrated Windows with a web service while another uses Forms
    through the proxy for the same service?
    >
    > I have read a lot, but everything is spread all over the place and

    little of it is tied together.
    >
    Hernan de Lahitte, Jan 31, 2004
    #2
    1. Advertising

  3. Hi Mklapp,

    Thank you for posting in community. I'm reviewing this issue and found that
    this thread seems a duplicated one with another one whose subject is:
    "what loads proxies?"
    in ASP.NET queue. I've replied you in that thread. Please check out my
    suggestions there to see whether they'll be helpful. Also, I think the tech
    article Hernan has provided is also very informative, you may have a look
    at it.
    If you feel anything unclear or if my suggestion there is not quite
    suitable for you, please feel free to let me know.


    Regards,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    Steven Cheng[MSFT], Jan 31, 2004
    #3
  4. mklapp

    David Qiu Guest

    When you access the Web service from the WinForm app, I expect you have set
    the credential property on the proxy.
    proxy.Credentials = myCache

    [C#]
    wReq.Credentials = CredentialCache.DefaultCredential;
    [Visual Basic]
    wReq.Credentials CredentialCache.DefaultCredential


    I don't see you have done the same thing in the ASP.NET Web app. How do you
    handle the authentication between ASPX and the Web service?
    Are they on the same machine?

    Thanks,
    David
    Microsoft Developer Support
    David Qiu, Feb 3, 2004
    #4
  5. mklapp

    mklapp Guest

    The authentication strategy here is an evolving thing. I am only configuring Authentication between the App and (I guess) IIS. The web service is for both internal use by a WinForm client and external use by a Web App. Authentication is implemented by both as a user login. This prevents unauthorized users from using the apps to access the Web Service. The nature of a web service, of course, let's any app negotiate the service through a published interface.

    It is my intent not to publish the interface. Granted my intent may be frustrated by the nature of the beast. The same high level of abstraction that makes it possible to do so much so quickly, also could set up functionality I do not know about. The directory holding the web service is planned to disallow anonymous access. Beyond that the strategy will be determined by what is possible and necessary.
    mklapp, Feb 3, 2004
    #5
  6. mklapp

    David Qiu Guest

    When you access the Web service from the WinForm app, I expect you have set
    the credential property on the proxy.
    proxy.Credentials = myCache

    [C#]
    wReq.Credentials = CredentialCache.DefaultCredential;
    [Visual Basic]
    wReq.Credentials CredentialCache.DefaultCredential

    I don't see you have done the same thing in the ASP.NET Web app. How do you
    handle the authentication between ASPX and the Web service?
    Are they on the same machine?

    Thanks,
    David
    Microsoft Developer Support
    David Qiu, Feb 3, 2004
    #6
  7. mklapp

    David Qiu Guest

    I am sorry I don't quite understand your problem. What is the
    authentication setting of the Web service in IIS? How do you invoke the Web
    service method from the aspx page? The 401 error comes from IIS. Can you
    use the same code to call the Web service from another aspx page that
    doesn't use Form auth?

    David
    Microsoft Developer Support
    Distributed Services
    David Qiu, Feb 4, 2004
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. AFN
    Replies:
    5
    Views:
    401
    dilipdotnet at apdiya.com
    Feb 11, 2004
  2. Replies:
    8
    Views:
    330
  3. coconet

    ASP.NET Mix Authentication?

    coconet, Mar 18, 2008, in forum: ASP .Net
    Replies:
    1
    Views:
    2,250
    Steven Cheng
    Mar 18, 2008
  4. NH
    Replies:
    0
    Views:
    396
  5. Kenneth McDonald
    Replies:
    5
    Views:
    301
    Kenneth McDonald
    Sep 26, 2008
Loading...

Share This Page