Problem with authentication using DefaultCredentials

Discussion in 'ASP .Net Web Services' started by elora_c@yahoo.com, Nov 14, 2005.

  1. Guest

    I have a webservice that needs to use the current user's credentials
    instead of the worker process. In my webservices web.config, I have
    <authentication mode="Windows"> and <identity impersonate="true">. In
    IIS, I have anonymous access turned off and Integrated Windows
    authorization turned on. I call the webservice from an ASP.NET page.
    I have the same web.config and IIS settings for that app. When I run
    the webpage from my machine calling to the webservice on machine A, it
    works just fine. It passes in my credentials and the webservice
    authenticates just fine. However, when I run the webpage on machine B,
    which also calls machine A to run the webservice, I get the dreaded
    "The request failed with HTTP status 401: Unauthorized" error. I am
    logging the value of WindowsIdentity.GetCurrent().Name in the app and
    can see that it is my own identity. I can't get the value of
    DefaultCredentials, but I would have assumed it would be the same as
    the WindowsIdentity. But when I look in the IIS log for the
    webservice, no username is being passed in. The IIS log entries from
    my machine do show my username.

    Is there anything else I need to be setting on machine A to correctly
    call the webservice with the user's credentials?

    Thanks,
    Carole
     
    , Nov 14, 2005
    #1

  2. In order for the 2 machine hop scenario to work, you must also enable and
    configure Kerberos delegation.

    Google searches in this newsgroup and on the MS website will yield lots of
    information.

    Joe K.

    <> wrote in message
    news:...
    >I have a webservice that needs to use the current user's credentials
    > instead of the worker process. In my webservices web.config, I have
    > <authentication mode="Windows"> and <identity impersonate="true">. In
    > IIS, I have anonymous access turned off and Integrated Windows
    > authorization turned on. I call the webservice from an ASP.NET page.
    > I have the same web.config and IIS settings for that app. When I run
    > the webpage from my machine calling to the webservice on machine A, it
    > works just fine. It passes in my credentials and the webservice
    > authenticates just fine. However, when I run the webpage on machine B,
    > which also calls machine A to run the webservice, I get the dreaded
    > "The request failed with HTTP status 401: Unauthorized" error. I am
    > logging the value of WindowsIdentity.GetCurrent().Name in the app and
    > can see that it is my own identity. I can't get the value of
    > DefaultCredentials, but I would have assumed it would be the same as
    > the WindowsIdentity. But when I look in the IIS log for the
    > webservice, no username is being passed in. The IIS log entries from
    > my machine do show my username.
    >
    > Is there anything else I need to be setting on machine A to correctly
    > call the webservice with the user's credentials?
    >
    > Thanks,
    > Carole
    >
     
    Joe Kaplan (MVP - ADSI), Nov 14, 2005
    #2

  3. Guest

    This shouldn't be a 2 machine hop. Machine A is calling Machine B, but
    isn't passing in the proper credentials. I thought the 2 machine hop
    was A -> B -> C. Otherwise, I'll check the Kerberos delegation.

    Thanks,
    Carole
     
    , Nov 14, 2005
    #3
  4. I think I may have misread your configuration. It sounds like it should not
    be a two machine hop, but you might consider trying Kerberos delegation
    anyway just to make sure.

    Joe K.

    <> wrote in message
    news:...
    > This shouldn't be a 2 machine hop. Machine A is calling Machine B, but
    > isn't passing in the proper credentials. I thought the 2 machine hop
    > was A -> B -> C. Otherwise, I'll check the Kerberos delegation.
    >
    > Thanks,
    > Carole
    >
     
    Joe Kaplan (MVP - ADSI), Nov 15, 2005
    #4
  5. Peter Kelcey Guest

    Carole,

    What I noticed first in your post is that you said you put the
    <identity impersonate="true"> in the web.config of the web services
    project. However, you do not actually need any impersonation within
    that project. Where you need the impersonation is in the web
    application project. By default ASP.NET web applications do not perform
    impersonations and as a result when you retrieve the DefaultCredentials
    you will be given the ASPNET process account instead of your account.
    If you put the impersonate identity in the web project, you should be
    able to pick up the proper credentials and your web service will be able
    to perform the authorization against those.

    The flow of events would be like the following:
    1) The user is authenticated against your web application
    2) The web application impersonates the windows account and causes all
    code to run within this security context
    3) You retrieve the DefaultCredentials (which will now be your account)
    4) The credentials are forwarded as part of your web service call
    5) The web service authenticates, authorizes and runs (no impersonation
    required)

    Also, you didn't make any mention of it, but I'm assuming you put the
    proper <allow> tags in the authorization section of your web service's
    web.config to give your user permission to access the service.

    Hope that helps

    Peter Kelcey
     
    Peter Kelcey, Nov 15, 2005
    #5
  6. Guest

    At least I haven't missed anything obvious. The web.config for the web
    application has the following:
    <system.web>
      <compilation defaultLanguage="c#" debug="false" />
      <customErrors mode="Off" />
      <authentication mode="Windows" />
      <authorization>
        <allow users="*" /> <!-- Allow all users -->
      </authorization>
      <trace enabled="false" requestLimit="10" pageOutput="false"
             traceMode="SortByTime" localOnly="true" />
      <sessionState mode="InProc"
                    stateConnectionString="tcpip=127.0.0.1:42424"
                    sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                    cookieless="false"
                    timeout="20" />
      <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
      <identity impersonate="true" />
    </system.web>

    To call the webservice, I have:
    svc.Credentials = System.Net.CredentialCache.DefaultCredentials;

    And right before that, I log the value of
    WindowsIdentity.GetCurrent().Name, which shows my user's identity. So
    it seems like the impersonation is working on the webapplication side.
    But when I call the webservice, I get a 401. The same webapplication
    running on a different machine (but calling the same webservice) works
    just fine. Something is different about this one machine, and I can't
    figure it out.

    Thanks,
    Carole
     
    , Nov 15, 2005
    #6
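
The IIS-log check described in this thread (does a username ever reach the web service?) can be automated. The following is an added example, not code from any poster: it reads IIS W3C extended logs and lists client addresses that only ever received 401 with an empty cs-username on the .asmx endpoint. The log lines, IP addresses and the EXAMPLE\carole account are constructed; because the first 401 responses of an Integrated Windows authentication handshake are normal, only callers that never go on to an authenticated request are reported.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not taken from the thread).
# 10.0.0.5 completes the handshake; 10.0.0.20 never presents a username.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2005-11-14 15:02:10 10.0.0.5 - POST /svc/Service.asmx 401 2
2005-11-14 15:02:10 10.0.0.5 - POST /svc/Service.asmx 401 1
2005-11-14 15:02:10 10.0.0.5 EXAMPLE\\carole POST /svc/Service.asmx 200 0
2005-11-14 15:04:31 10.0.0.20 - POST /svc/Service.asmx 401 2
2005-11-14 15:04:31 10.0.0.20 - POST /svc/Service.asmx 401 1
2005-11-14 15:05:02 10.0.0.20 - POST /svc/Service.asmx 401 2
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def callers_never_authenticated(text, uri_suffix=".asmx"):
    """Return {client_ip: number_of_401s} for callers whose requests to the
    service were all logged without a username (cs-username is "-")."""
    denied = defaultdict(int)
    authenticated = set()
    for r in parse_w3c(text):
        if not r.get("cs-uri-stem", "").lower().endswith(uri_suffix):
            continue
        ip = r.get("c-ip", "?")
        if r.get("cs-username", "-") != "-":
            authenticated.add(ip)       # a username reached the service
        elif r.get("sc-status") == "401":
            denied[ip] += 1             # anonymous attempt that was refused
    return {ip: n for ip, n in denied.items() if ip not in authenticated}

if __name__ == "__main__":
    for ip, n in sorted(callers_never_authenticated(SAMPLE_LOG).items()):
        print(f"{ip}: {n} x 401 with no username, no authenticated request seen")
```
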