Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Web Services > Problem with authentication using DefaultCredentials

Reply
Thread Tools

Problem with authentication using DefaultCredentials

 
 
elora_c@yahoo.com
Guest
Posts: n/a
 
      11-14-2005
I have a webservice that needs to use the current user's credentials
instead of the worker process. In my webservices web.config, I have
<authentication mode="Windows"> and <identity impersonate="true"> In
IIS, I have anonymous access turned off and Integrated Windows
authorization turned on. I call the webservice from an ASP.NET page.
I have the same web.config and IIS settings for that app. When I run
the webpage from my machine calling to the webservice on machine A, it
works just fine. It passes in my credentials and the webservice
authenticates just fine. However, when I run the webpage on machine B,
which also calls machine A to run the webservice, I get the dreaded
"The request failed with HTTP status 401: Unauthorized" error. I am
logging the value of WindowsIdentity.GetCurrent().Name in the app and
can see that it is my own identity. I can't get the value of
DefaultCredentials, but I would have assumed it would be the same as
the WindowsIdentity. But when I look in the IIS log for the
webservice, no username is being passed in. The IIS log entries from
my machine do show my username.

Is there anything else I need to be setting on machine A to correctly
call the webservice with the user's credentials?

Thanks,
Carole

 
Reply With Quote
 
 
 
 
Joe Kaplan \(MVP - ADSI\)
Guest
Posts: n/a
 
      11-14-2005
In order for the 2 machine hop scenario to work, you must also enable and
configure Kerberos delegation.

Google searches in this newsgroup and on the MS website will yield lots of
information.

Joe K.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
>I have a webservice that needs to use the current user's credentials
> instead of the worker process. In my webservices web.config, I have
> <authentication mode="Windows"> and <identity impersonate="true"> In
> IIS, I have anonymous access turned off and Integrated Windows
> authorization turned on. I call the webservice from an ASP.NET page.
> I have the same web.config and IIS settings for that app. When I run
> the webpage from my machine calling to the webservice on machine A, it
> works just fine. It passes in my credentials and the webservice
> authenticates just fine. However, when I run the webpage on machine B,
> which also calls machine A to run the webservice, I get the dreaded
> "The request failed with HTTP status 401: Unauthorized" error. I am
> logging the value of WindowsIdentity.GetCurrent().Name in the app and
> can see that it is my own identity. I can't get the value of
> DefaultCredentials, but I would have assumed it would be the same as
> the WindowsIdentity. But when I look in the IIS log for the
> webservice, no username is being passed in. The IIS log entries from
> my machine do show my username.
>
> Is there anything else I need to be setting on machine A to correctly
> call the webservice with the user's credentials?
>
> Thanks,
> Carole
>



 
Reply With Quote
 
 
 
 
elora_c@yahoo.com
Guest
Posts: n/a
 
      11-14-2005
This shouldn't be a 2 machine hop. Machine A is calling Machine B, but
isn't passing in the proper credentials. I thought the 2 machine hop
was A -> B -> C. Otherwise, I'll check the Kerberos delegation.

Thanks,
Carole

 
Reply With Quote
 
Joe Kaplan \(MVP - ADSI\)
Guest
Posts: n/a
 
      11-15-2005
I think I may have misread your configuration. It sounds like it should not
be a two machine hop, but you might consider trying Kerberos delegation
anyway just to make sure.

Joe K.

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> This shouldn't be a 2 machine hop. Machine A is calling Machine B, but
> isn't passing in the proper credentials. I thought the 2 machine hop
> was A -> B -> C. Otherwise, I'll check the Kerberos delegation.
>
> Thanks,
> Carole
>



 
Reply With Quote
 
Peter Kelcey
Guest
Posts: n/a
 
      11-15-2005
Carole,

What I noticed first in your post is that you said you put the
<identity impersonate="true"> in the web.config of the web services
project. However, you do not actually need any impersonation within
that project. Where you need the impersonation is in the web
application project. By default ASP.NET web applications do not perform
impersonations and as a result when you retrieve the DefaultCredentials
you will be given the ASPNET proccess account instead of your account.
If you put the impersonate identity in the web project, you should be
able to pickup the proper credentials and your web service will be able
to perform the authorization against those.

The flow of events would be like the following:
1) The user is authenticated against your web application
2) The web application impersonates the windows account and causes all
code to run within this security context
3) You retrieve the defaultcredentials (which will now be your account)
4) The credentials are forward as part of your web service call
5) The web service authenticates, authorizes and runs (no ipersonation
required)

Also, you didn't make any mention of it, but I'm assuming you put the
proper <allow> tags in the authorization section of your web service's
web.config to give your user permission to access the service.

Hope that helps

Peter Kelcey

 
Reply With Quote
 
elora_c@yahoo.com
Guest
Posts: n/a
 
      11-15-2005
At least I haven't missed anything obvious. The web.config for the web
application has the following:
<system.web>
<compilation defaultLanguage="c#" debug="false" />
<customErrors mode="Off" />
<authentication mode="Windows" />
<authorization>
<allow users="*" /> <!-- Allow all users -->
</authorization>
<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true" />
<sessionState mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data
source=127.0.0.1;Trusted_Connection=yes" cookieless="false"
timeout="20" />
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
<identity impersonate="true" />
</system.web>

To call the webservice, I have:
svc.Credentials = System.Net.CredentialCache.DefaultCredentials;

And right before that, I log the value of
WindowsIdentity.GetCurrent().Name, which shows my user's identity. So
it seems like the impersonation is working on the webapplication side.
But when I call the webservice, I get a 401. The same webapplication
running on a different machine (but calling the same webservice) works
just fine. Something is different about this one machine, and I can't
figure it out.

Thanks,
Carole

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
401 Error on POST using DefaultCredentials Bfranknyc ASP .Net Web Services 0 11-21-2008 07:29 PM
Web service, forms authentication and DefaultCredentials SP ASP .Net Security 0 06-27-2007 02:46 PM
Problem with authentication using DefaultCredentials elora_c@yahoo.com ASP .Net Security 5 11-15-2005 02:58 PM
401 Unauthorized when using DefaultCredentials Rodrigo Estrada ASP .Net Security 1 05-11-2004 12:15 PM
HttpWebRequest, impersonation and DefaultCredentials problem. Jamie ASP .Net Security 1 03-02-2004 09:06 PM



Advertisments