Trying to pass NetworkCredential to WebService

Discussion in 'ASP .Net Web Services' started by Marshall, Jul 13, 2005.

  1. Marshall

    Marshall Guest

    Hello,

    I am running W2k3, Visual Studio 2003, Framework version 1.1.4322. I have
    one simple asp.net web service and one simple asp.net web app. When I run
    the web service directly (http://localhost/mywebservice/Service.asmx)
    everything works fine. When I try to call the web service from my web app I
    always get the same error:
    System.Net.WebException: The request failed with HTTP status 401:
    Unauthorized

    I also see a new event in my System event log:
    Source: Kerberos

    Event Id: 4

    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
    host/mbell2.<mydomain>. The target name used was HTTP/mbell2.<mydomain>.
    This indicates that the password used to encrypt the kerberos service ticket
    is different than that on the target server. Commonly, this is due to
    identically named machine accounts in the target realm (<mydomain>), and
    the client realm. Please contact your system administrator.


    I have searched Google Groups what seems like 100 times and I have tried
    (what seems like) everything.

    Here is my web method:
    // Security commented out.

    // Security works when running directly

    // from http://localhost/...

    //[PrincipalPermission(SecurityAction.Demand,
    Role=@"MyDomain\RoleMapWS_Admins")]

    [WebMethod]

    public bool EnableUser(int userId)

    {

    try

    {

    (new UserDAO()).EnableAccount(userId);



    return true;

    }

    catch (Exception ex)

    {

    throw;

    }

    }



    Here is my web app:

    // Private to class

    private Open.WebServices.RoleMap.Service ws = new
    Open.WebServices.RoleMap.Service();

    ...

    private void Button1_Click(object sender, System.EventArgs e)

    {

    ICredentials cred = new NetworkCredential(@"mbell", "open",
    "MyDomain");



    ws.PreAuthenticate = true;

    // I have tried

    // ws.Credentials = cred;

    ws.Credentials = cred.GetCredential(new Uri(ws.Url), "");



    try

    {

    ws.EnableUser(2);

    }

    catch (Exception ex)

    {

    throw;

    }

    }



    Thank you for your help,



    Marshall
     
    Marshall, Jul 13, 2005
    #1
    1. Advertising

  2. Marshall

    [MSFT] Guest

    Hello Marshall,

    Did your Web service use Windows integrated authentication and disable
    anonymous access? For such a web service, we need to pass a valid
    credential to it. for example:

    localhost.Service1 myProxy = new localhost.Service1();
    myProxy.Credentials = System.Net.CredentialCache.DefaultCredentials;

    or

    localhost.Service1 myProxy = new localhost.Service1();
    myProxy.Credentials = new System.Net.NetworkCredential("domain\username",
    "password", "");

    for details, you can refer to:

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q813834

    Luke
     
    [MSFT], Jul 14, 2005
    #2
    1. Advertising

  3. Marshall

    Marshall Guest

    Thanks Luke,

    Yes, the web service is set to use Integrated authentication and anonymous
    access is disabled.

    My code was passing credientials like you illustrated. The link you
    attached guided me to another kb article which solved my problem.

    http://support.microsoft.com/kb/811318/EN-US/

    I changed my code to use the CredentialCache class and it worked like this:
    localhost.Service ws = new localhost.Service();

    System.Net.CredentialCache cache = new System.Net.CredentialCache();
    cache.Add( new Uri(ws.Url), "Negotiate", new
    System.Net.NetworkCredential("userName", "password", "domain"));
    ws.Credentials = cache;

    Response.Write(ws.HelloWorld());

    Thanks,

    Marshall
     
    Marshall, Jul 14, 2005
    #3
  4. Marshall

    Marshall Guest

    Actually, my statement was incorrect. The problem was that my web service
    was running in its own application pool with an identity of a domain
    account. So this still is a problem because my web service needs to run in
    its own pool because I tie Sql Server permissions to its identity.

    "Marshall" <> wrote in message
    news:%...
    > Thanks Luke,
    >
    > Yes, the web service is set to use Integrated authentication and anonymous
    > access is disabled.
    >
    > My code was passing credientials like you illustrated. The link you
    > attached guided me to another kb article which solved my problem.
    >
    > http://support.microsoft.com/kb/811318/EN-US/
    >
    > I changed my code to use the CredentialCache class and it worked like
    > this:
    > localhost.Service ws = new localhost.Service();
    >
    > System.Net.CredentialCache cache = new System.Net.CredentialCache();
    > cache.Add( new Uri(ws.Url), "Negotiate", new
    > System.Net.NetworkCredential("userName", "password", "domain"));
    > ws.Credentials = cache;
    >
    > Response.Write(ws.HelloWorld());
    >
    > Thanks,
    >
    > Marshall
    >
     
    Marshall, Jul 14, 2005
    #4
  5. Hi Marshall,

    When your webservice's virtual dir requires Authentication(disabled
    anomymous), the clientside need to provide a certain credential for
    authentication. For your scenario, that's the ASP.NET webapp. So in your
    ASP.NET's webservice calling code, we need to attach a NetworkCredential to
    the webservice proxy instance.

    As for the further problem you mentioned,
    ==================
    So this still is a problem because my web service needs to run in
    its own pool because I tie Sql Server permissions to its identity.
    ===================

    would you provide some further description on this? Based on my
    understanding, your ASP.NET webservice can surely to running in its own
    application pool (with its own identity) different from the ASP.NET
    webapp's.

    Looking forward to your response.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    --------------------
    | From: "Marshall" <>
    | References: <>
    <>
    <#>
    | Subject: Re: Trying to pass NetworkCredential to WebService
    | Date: Thu, 14 Jul 2005 07:52:46 -0400
    | Lines: 34
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
    | X-RFC2646: Format=Flowed; Response
    | Message-ID: <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
    | NNTP-Posting-Host: 66-195-172-195.gen.twtelecom.net 66.195.172.195
    | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
    | Xref: TK2MSFTNGXA01.phx.gbl
    microsoft.public.dotnet.framework.aspnet.webservices:7405
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
    |
    | Actually, my statement was incorrect. The problem was that my web
    service
    | was running in its own application pool with an identity of a domain
    | account. So this still is a problem because my web service needs to run
    in
    | its own pool because I tie Sql Server permissions to its identity.
    |
    | "Marshall" <> wrote in message
    | news:%...
    | > Thanks Luke,
    | >
    | > Yes, the web service is set to use Integrated authentication and
    anonymous
    | > access is disabled.
    | >
    | > My code was passing credientials like you illustrated. The link you
    | > attached guided me to another kb article which solved my problem.
    | >
    | > http://support.microsoft.com/kb/811318/EN-US/
    | >
    | > I changed my code to use the CredentialCache class and it worked like
    | > this:
    | > localhost.Service ws = new localhost.Service();
    | >
    | > System.Net.CredentialCache cache = new System.Net.CredentialCache();
    | > cache.Add( new Uri(ws.Url), "Negotiate", new
    | > System.Net.NetworkCredential("userName", "password", "domain"));
    | > ws.Credentials = cache;
    | >
    | > Response.Write(ws.HelloWorld());
    | >
    | > Thanks,
    | >
    | > Marshall
    | >
    |
    |
    |
     
    Steven Cheng[MSFT], Jul 15, 2005
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jay Douglas
    Replies:
    4
    Views:
    730
    Jay Douglas
    Mar 6, 2004
  2. IveCal

    NetworkCredential

    IveCal, Apr 17, 2006, in forum: Java
    Replies:
    6
    Views:
    4,311
    Oliver Wong
    Apr 20, 2006
  3. =?Utf-8?B?WUs=?=
    Replies:
    3
    Views:
    5,088
    *Busy*
    Mar 24, 2010
  4. Replies:
    3
    Views:
    1,723
  5. wgo
    Replies:
    0
    Views:
    192
Loading...

Share This Page