Trying to pass NetworkCredential to WebService

[Marshall]

Hello,

I am running W2k3, Visual Studio 2003, Framework version 1.1.4322. I have
one simple asp.net web service and one simple asp.net web app. When I run
the web service directly (http://localhost/mywebservice/Service.asmx)
everything works fine. When I try to call the web service from my web app I
always get the same error:
System.Net.WebException: The request failed with HTTP status 401:
Unauthorized

I also see a new event in my System event log:
Source: Kerberos

Event Id: 4

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server
host/mbell2.<mydomain>. The target name used was HTTP/mbell2.<mydomain>.
This indicates that the password used to encrypt the kerberos service ticket
is different than that on the target server. Commonly, this is due to
identically named machine accounts in the target realm (<mydomain>), and
the client realm. Please contact your system administrator.


I have searched Google Groups what seems like 100 times and I have tried
(what seems like) everything.

Here is my web method:
// Security commented out.

// Security works when running directly

// from http://localhost/...

//[PrincipalPermission(SecurityAction.Demand,
Role=@"MyDomain\RoleMapWS_Admins")]

[WebMethod]

public bool EnableUser(int userId)

{

try

{

(new UserDAO()).EnableAccount(userId);



return true;

}

catch (Exception ex)

{

throw;

}

}



Here is my web app:

// Private to class

private Open.WebServices.RoleMap.Service ws = new
Open.WebServices.RoleMap.Service();

...

private void Button1_Click(object sender, System.EventArgs e)

{

ICredentials cred = new NetworkCredential(@"mbell", "open",
"MyDomain");



ws.PreAuthenticate = true;

// I have tried

// ws.Credentials = cred;

ws.Credentials = cred.GetCredential(new Uri(ws.Url), "");



try

{

ws.EnableUser(2);

}

catch (Exception ex)

{

throw;

}

}



Thank you for your help,



Marshall

 

[[MSFT]]

Hello Marshall,

Did your Web service use Windows integrated authentication and disable
anonymous access? For such a web service, we need to pass a valid
credential to it. for example:

localhost.Service1 myProxy = new localhost.Service1();
myProxy.Credentials = System.Net.CredentialCache.DefaultCredentials;

or

localhost.Service1 myProxy = new localhost.Service1();
myProxy.Credentials = new System.Net.NetworkCredential("domain\username",
"password", "");

for details, you can refer to:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q813834

Luke

 

[Marshall]

Thanks Luke,

Yes, the web service is set to use Integrated authentication and anonymous
access is disabled.

My code was passing credientials like you illustrated. The link you
attached guided me to another kb article which solved my problem.

http://support.microsoft.com/kb/811318/EN-US/

I changed my code to use the CredentialCache class and it worked like this:
localhost.Service ws = new localhost.Service();

System.Net.CredentialCache cache = new System.Net.CredentialCache();
cache.Add( new Uri(ws.Url), "Negotiate", new
System.Net.NetworkCredential("userName", "password", "domain"));
ws.Credentials = cache;

Response.Write(ws.HelloWorld());

Thanks,

Marshall

 

[Marshall]

Actually, my statement was incorrect. The problem was that my web service
was running in its own application pool with an identity of a domain
account. So this still is a problem because my web service needs to run in
its own pool because I tie Sql Server permissions to its identity.

 

[Steven Cheng[MSFT]]

Hi Marshall,

When your webservice's virtual dir requires Authentication(disabled
anomymous), the clientside need to provide a certain credential for
authentication. For your scenario, that's the ASP.NET webapp. So in your
ASP.NET's webservice calling code, we need to attach a NetworkCredential to
the webservice proxy instance.

As for the further problem you mentioned,
==================
So this still is a problem because my web service needs to run in
its own pool because I tie Sql Server permissions to its identity.
===================

would you provide some further description on this? Based on my
understanding, your ASP.NET webservice can surely to running in its own
application pool (with its own identity) different from the ASP.NET
webapp's.

Looking forward to your response.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: "Marshall" <[email protected]>
| References: <[email protected]>
<[email protected]>
<#[email protected]>
| Subject: Re: Trying to pass NetworkCredential to WebService
| Date: Thu, 14 Jul 2005 07:52:46 -0400
| Lines: 34
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| X-RFC2646: Format=Flowed; Response
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
| NNTP-Posting-Host: 66-195-172-195.gen.twtelecom.net 66.195.172.195
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet.webservices:7405
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
|
| Actually, my statement was incorrect. The problem was that my web
service
| was running in its own application pool with an identity of a domain
| account. So this still is a problem because my web service needs to run
in
| its own pool because I tie Sql Server permissions to its identity.
|
| | > Thanks Luke,
| >
| > Yes, the web service is set to use Integrated authentication and
anonymous
| > access is disabled.
| >
| > My code was passing credientials like you illustrated. The link you
| > attached guided me to another kb article which solved my problem.
| >
| > http://support.microsoft.com/kb/811318/EN-US/
| >
| > I changed my code to use the CredentialCache class and it worked like
| > this:
| > localhost.Service ws = new localhost.Service();
| >
| > System.Net.CredentialCache cache = new System.Net.CredentialCache();
| > cache.Add( new Uri(ws.Url), "Negotiate", new
| > System.Net.NetworkCredential("userName", "password", "domain"));
| > ws.Credentials = cache;
| >
| > Response.Write(ws.HelloWorld());
| >
| > Thanks,
| >
| > Marshall
| >
|
|
|