Web Service Authentication Problem
MattRazor
MediaBin's Web Service keeps giving me an error when I try to have our custom ASP.NET application consume the Web Service to display Media Assets.
[WebException: The request failed with HTTP status 401: Unauthorized.]
System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) +1302
System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) +218
TestMediaBin.MediaBinWebService.MediaBinServer.ValidateCurrentUser()
I have configured impersonation to work like this within a simple web app to test the connection:
MediaBinServer service = new MediaBinServer();
service.Url = ConfigurationSettings.AppSettings["mediawebservice"];
WindowsIdentity windowsIdentity = (WindowsIdentity) HttpContext.Current.User.Identity;
windowsIdentity.Impersonate();
service.Credentials = CredentialCache.DefaultCredentials;
service.PreAuthenticate = true;
service.ValidateCurrentUser();
Impersonate is set to true in the web.configs, and all anonymous access is turned off with Windows Authentication enabled.
When I pass in the Credentials manually using Credential Cache, it works fine. However, I need this impersonation to work for single sign-on; I do not want people to log in twice. Can anybody help me out on this, or has anybody else had this problem? I have recreated it on many different environments. It seems to happen any time you place a web application on one box and the web service on another: the credentials will not work.
-HELP WE ARE GETTING KILLED ON THIS ;(
Comments
msnider
Try this:
System.Security.Principal.WindowsIdentity windowsIdentity = (System.Security.Principal.WindowsIdentity) page.User.Identity ;
windowsIdentity.Impersonate();
service.Credentials = CredentialCache.DefaultCredentials;
MattRazor
Nope, same problem.
MattRazor
This code will work using BASIC authentication; however, we must use NTLM, which will not work. Will the Web Service work with NTLM and Credentials that pass a token, not the password?
msnider
Is your web app hosted on the same machine as the MediaBin web service?
MattRazor
No.
msnider
You are most likely running into the double-hop issue of NTLM. You can only use NTLM impersonation if there is a single machine hop between your client and the IIS server hosting the MediaBin web service; otherwise, the impersonation cannot be delegated and thus the token is not valid (i.e., for impersonation to work it must be a primary token, not a secondary token).
If you host your web app on the same IIS server as the MediaBin web service then you should be able to get around this problem. Otherwise, the only way to support more than a single hop with NTLM is to use something like Kerberos.
See the following MSDN article for more information:
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch03.asp?frame=true&_r=1
MattRazor
The MediaBin web service will not authenticate even under Kerberos. Is there a funky setup it needs in order to work? I will be opening a ticket on this.
msnider
Can you verify that Kerberos and ASP.NET impersonation are working outside of the MediaBin WebService?
I've attached a sample solution that has a sample web service and sample web app. Place KerberosWebService on the same IIS machine as the MediaBinWebService and place KerberosWebApp on the same IIS machine that is hosting your client app. Now, try to access KerberosWebApp from the third client machine. You'll see from the source code that the output is to display the user accessing the web page and the user accessing the web service; they should be the same if Kerberos is set up correctly. If they are not, or you get an access denied, then your Kerberos and IIS setup is not correct.
Note: when you set up the virtual directories, make sure to change the directory security to disallow Anonymous and to allow NTLM Windows Integrated. Also, the web service's URL is configured in the KerberosWebApp's web.config file; you'll need to set this first.
Mark
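
The double-hop condition discussed in this thread can also be read off the impersonated token itself before the remote call is made. The following is an added example, not the attached sample solution and not MediaBin code; the names DoubleHopCheck and RemoteCall are hypothetical, and it assumes .NET Framework 2.0 or later (for WindowsIdentity.ImpersonationLevel).

```csharp
using System;
using System.Net;
using System.Security.Principal;

// Hypothetical delegate: wraps the proxy call, e.g. service.ValidateCurrentUser().
public delegate void RemoteCall();

public static class DoubleHopCheck   // hypothetical name, added example
{
    // Summarises whether a token is able to authenticate to a second machine.
    public static string Describe(WindowsIdentity id)
    {
        string verdict;
        switch (id.ImpersonationLevel)
        {
            case TokenImpersonationLevel.Delegation:
                verdict = "delegable: can be forwarded to another server";
                break;
            case TokenImpersonationLevel.Impersonation:
                verdict = "no delegation: with Integrated Windows auth the next hop will not carry this user";
                break;
            case TokenImpersonationLevel.None:
                verdict = "primary token: this is the process identity, not an impersonated caller";
                break;
            default: // Anonymous or Identification
                verdict = "cannot be used to act as the caller";
                break;
        }
        return String.Format("{0} via {1}, level {2}: {3}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel, verdict);
    }

    // Impersonates the caller only for the duration of the call, always reverts,
    // and reports the HTTP status if the remote service rejects the credentials.
    public static string Probe(WindowsIdentity caller, RemoteCall call)
    {
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            string report = Describe(WindowsIdentity.GetCurrent());
            try { call(); return report + " | remote call OK"; }
            catch (WebException ex)
            {
                HttpWebResponse r = ex.Response as HttpWebResponse;
                string status = (r == null) ? ex.Status.ToString() : ((int)r.StatusCode).ToString();
                return report + " | remote call failed: " + status;
            }
        }
    }

    // Stand-alone run: describes the current process identity.
    public static void Main() { Console.WriteLine(Describe(WindowsIdentity.GetCurrent())); }
}
```

In an ASP.NET page, pass (WindowsIdentity) HttpContext.Current.User.Identity as caller. A level of Impersonation together with a 401 from the remote call matches the double-hop explanation; Delegation is what a working Kerberos delegation setup should report.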