Problem with authentication using DefaultCredentials

elora_c

I have a webservice that needs to use the current user's credentials
instead of the worker process. In my webservice's web.config, I have
<authentication mode="Windows"> and <identity impersonate="true">. In
IIS, I have anonymous access turned off and Integrated Windows
authorization turned on. I call the webservice from an ASP.NET page.
I have the same web.config and IIS settings for that app. When I run
the webpage from my machine calling to the webservice on machine A, it
works just fine. It passes in my credentials and the webservice
authenticates just fine. However, when I run the webpage on machine B,
which also calls machine A to run the webservice, I get the dreaded
"The request failed with HTTP status 401: Unauthorized" error. I am
logging the value of WindowsIdentity.GetCurrent().Name in the app and
can see that it is my own identity. I can't get the value of
DefaultCredentials, but I would have assumed it would be the same as
the WindowsIdentity. But when I look in the IIS log for the
webservice, no username is being passed in. The IIS log entries from
my machine do show my username.

Is there anything else I need to be setting on machine A to correctly
call the webservice with the user's credentials?

Thanks,
Carole
 
Joe Kaplan (MVP - ADSI)

In order for the 2 machine hop scenario to work, you must also enable and
configure Kerberos delegation.

Google searches in this newsgroup and on the MS website will yield lots of
information.

Joe K.
 
elora_c

This shouldn't be a 2 machine hop. Machine A is calling Machine B, but
isn't passing in the proper credentials. I thought the 2 machine hop
was A -> B -> C. Otherwise, I'll check the Kerberos delegation.

Thanks,
Carole
 
Joe Kaplan (MVP - ADSI)

I think I may have misread your configuration. It sounds like it should not
be a two machine hop, but you might consider trying Kerberos delegation
anyway just to make sure.

Joe K.
 
Peter Kelcey

Carole,

What I noticed first in your post is that you said you put the
<identity impersonate="true"> in the web.config of the web services
project. However, you do not actually need any impersonation within
that project. Where you need the impersonation is in the web
application project. By default ASP.NET web applications do not perform
impersonations and as a result when you retrieve the DefaultCredentials
you will be given the ASPNET process account instead of your account.
If you put the impersonate identity in the web project, you should be
able to pick up the proper credentials and your web service will be able
to perform the authorization against those.

The flow of events would be like the following:
1) The user is authenticated against your web application
2) The web application impersonates the windows account and causes all
code to run within this security context
3) You retrieve the defaultcredentials (which will now be your account)
4) The credentials are forwarded as part of your web service call
5) The web service authenticates, authorizes and runs (no impersonation
required)

Also, you didn't make any mention of it, but I'm assuming you put the
proper <allow> tags in the authorization section of your web service's
web.config to give your user permission to access the service.

Hope that helps

Peter Kelcey
 
elora_c

At least I haven't missed anything obvious. The web.config for the web
application has the following:
<system.web>
    <compilation defaultLanguage="c#" debug="false" />
    <customErrors mode="Off" />
    <authentication mode="Windows" />
    <authorization>
        <allow users="*" /> <!-- Allow all users -->
    </authorization>
    <trace enabled="false" requestLimit="10" pageOutput="false"
           traceMode="SortByTime" localOnly="true" />
    <sessionState mode="InProc"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                  cookieless="false"
                  timeout="20" />
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    <identity impersonate="true" />
</system.web>

To call the webservice, I have:
svc.Credentials = System.Net.CredentialCache.DefaultCredentials;

And right before that, I log the value of
WindowsIdentity.GetCurrent().Name, which shows my user's identity. So
it seems like the impersonation is working on the webapplication side.
But when I call the webservice, I get a 401. The same webapplication
running on a different machine (but calling the same webservice) works
just fine. Something is different about this one machine, and I can't
figure it out.

Thanks,
Carole
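
The check discussed in this thread, extended as an added example (not code from any poster): since DefaultCredentials exposes no user name, this logs the thread token it is taken from, including the authentication type and impersonation level, next to the user IIS authenticated. The class and method names are hypothetical, and WindowsIdentity.ImpersonationLevel requires .NET 2.0 or later.

```csharp
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Services.Protocols;

// Hypothetical helper (added example): call it in the web application
// immediately before invoking the web service proxy.
public static class OutboundIdentityCheck
{
    // DefaultCredentials exposes no user name, so describe the token it is
    // taken from: the identity of the current (possibly impersonated) thread.
    public static string DescribeThreadToken()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // ImpersonationLevel values of interest:
            //   Impersonation - server may act as the client on the local system
            //   Delegation    - server may act as the client on remote systems
            return string.Format(
                "thread={0}; authType={1}; level={2}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel);
        }
    }

    // The user IIS authenticated for this request, for comparison with the
    // thread token above.
    public static string DescribeRequestUser()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null)
            return "request=(none)";
        return string.Format("request={0}; authType={1}; authenticated={2}",
            ctx.User.Identity.Name, ctx.User.Identity.AuthenticationType,
            ctx.User.Identity.IsAuthenticated);
    }

    // Attaches the thread's credentials to the proxy, as in the thread, and
    // returns one line suitable for the application log.
    public static string AttachAndDescribe(WebClientProtocol svc)
    {
        svc.Credentials = CredentialCache.DefaultCredentials;
        return string.Format("url={0}; {1}; {2}",
            svc.Url, DescribeRequestUser(), DescribeThreadToken());
    }
}
```

Comparing the logged line from the machine where the call succeeds with the one from the machine that gets the 401 shows whether the two tokens differ in authType or level even though the name is the same.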
 
