I have created a Web API hosted in Service Fabric. When I hit the API from a client it works fine locally but gives a 401 from a remote machine. I have used the IntegratedWindowsAuthentication and Negotiate authentication schemes in the Web API.
Can someone help on this?
Your problem is that the remote machine doesn't know about the Windows account on your client, so it throws a 401. Try creating an account on the remote machine with the same username and password and try again.
I have an on-premise hosted WCF service with REST endpoint which is configured for Anonymous authentication only in IIS. I installed and configured Azure App proxy connector on the server. I am able to contact the service fine with Pass-through authentication, but struggling to authenticate from a console app when Azure AD is chosen as security mechanism. I know I could have pass-through in Azure and turn on for example windows authentication in IIS, but this is unfortunately not an option in this case.
Using a browser, I am able to access the application fine, don't even need to enter credentials, our on-premise AD is connected and synchronized with Azure AD.
I followed this walk-through even though it is not about Application Proxy, and by reusing parts of the code I am able to get the access token for my application, but when I run the HTTP request with the Authorization header I don't get the result of the service operation.
Using Fiddler I can note the following:
I get http 302 (Found). I can see my Authorization header in request, and in response I get a cookie AzureAppProxyAnalyticCookie
That is followed with http 200 to login.microsoftonline.com
The example I linked above works fine, so it is clear that I am doing something wrong. Why is the Authorization header not accepted, and why am I being redirected to the logon page?
Thanks in advance
This is working for another service, have no idea what was wrong with the first one, but suspecting something with DNS on local server. Won't be spending more time on this, point is that I shouldn't have experienced the redirect at all, although browser handled it and managed to get me authenticated.
I'm having this issue with my custom integration to Salesforce from an Azure function right now. For some reason when I test locally and use the local endpoint with Postman I can authenticate with Salesforce just fine but when I publish my Azure function to the cloud and I swap out the endpoint my authentication fails for Salesforce. The exact error message being authentication failure.
At first I thought there must be something wrong with my IP settings for the connected app in Salesforce but I've tested setting Relax IP Settings as well as not defining a Trusted IP Range for OAuth Web server flow and still no success. Here are a couple of screenshots of my settings.
Any ideas why I can authenticate locally but not once I publish to my cloud service in Azure? (I'm using SalesForceSharp to authenticate if that makes any difference)
Finally figured out what the disconnect between my cloud environment (Azure) and Salesforce was when I dug into my login history in Salesforce and found attempts to login from an insecure location.
Apparently different SSL/TLS defaults are set up for local versus cloud environments.
https://github.com/Azure/Azure-Functions/issues/482
Once I put this line at the top of my function and published, everything got back to working again:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
I've looked at a lot of questions addressing this issue and nothing seems to work. I'm trying to call a Web API service from an MVC web application. This is my client code:
var client = new HttpClient(new HttpClientHandler { UseDefaultCredentials = true })
{
    BaseAddress = baseAddress
};
var response = await client.GetAsync("items/5");
When I run it locally, it works. When I publish the project to the server, the API always returns 401 Unauthorized. I have enabled Windows authentication on the Web API and MVC project in IIS. How do I get the correct Windows credentials to the API from the MVC application? The Web API and MVC app are running on the same IIS server.
If, by chance, the MVC app can make all requests to the WebAPI using the same Windows credentials, then I think you should be able to just configure IIS's application pool to run as a domain user. By default IIS's app pools run as some machine local account. So, if it tries to make a request over the network to a Windows Authenticated resource, the remote machine doesn't recognise the web server's machine local account. Hence the unauthorised error.
However, if you want to get the MVC app to call the WebAPI as the user who made the request to the MVC app, then you'll need to turn on impersonation in web.config. You'll probably also need to get your domain admin to turn on Kerberos delegation for your web server machine, due to the way that Kerberos/Active Directory works (look up Kerberos double hop).
The problem was that, apparently, if you try to send a request to the same machine using a fully qualified domain name, the request will automatically fail, to protect against a reflection attack.
I fixed this by changing baseAddress from
http://example.com/api
to
http://localhost/api
I just copied a Web API service from localhost to a server running Windows Server 2012 / IIS (exact same binaries as localhost).
Authentication modes are anonymous and basic.
Whenever I try to run an API call, I receive a Windows Authentication prompt.
How is this possible?
Fixed the issue by returning 200 with error message instead of 401. An HTTP 401 is supposed to return "WWW-Authenticate" header on response, which causes the authentication pop-up.
I have various bits of functionality implemented in WCF web services which are currently consumed by an Excel client via a local COM-visible library. I wish to implement some of the front-end functionality in a web client. I set up my client proxy using
dataChannel.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
ASP.NET impersonation is turned on, as is Windows authentication (no anonymous). When the web services and web site are hosted on the same server there are no issues, and the desktop user's credentials are passed from browser to web site to WCF perfectly. However, when the web site and web services are hosted on different boxes (same domain, intranet only) I get 401 authentication errors. What am I doing wrong?
It sounds like you are suffering from the Kerberos "double hop" problem. By default Windows does not pass the Kerberos authentication token on to another server, so if a user accesses webserver A and authenticates, and webserver A then accesses a service on webserver B, webserver A does not pass the authentication through to webserver B, so you get a 401. I think this article should help you enable Kerberos delegation between the web site server and the web service server.
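A diagnostic for the 401 cases in this thread, as an added example (not code from any of the posters): it lists the schemes in a 401 response's `WWW-Authenticate` headers and heuristically tells whether the first `Authorization: Negotiate` token copied from a trace (Fiddler, for instance) carries Kerberos or NTLM. NTLM credentials cannot be delegated, so an NTLM token on the hop that needs delegation is consistent with the double-hop problem described above. The function names and sample tokens are constructed for illustration.

```python
import base64

NTLM_SIG = b"NTLMSSP\x00"
NTLM_MSG = {1: "negotiate", 2: "challenge", 3: "authenticate"}
# DER-encoded mechanism OIDs carried inside SPNEGO / GSS-API tokens.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos 5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (Microsoft variant)
)


def offered_schemes(www_authenticate_values):
    """Scheme names from the WWW-Authenticate header lines of a 401 response."""
    return [v.split(None, 1)[0].lower() for v in www_authenticate_values if v.strip()]


def classify_authorization(header_value):
    """Heuristically name the mechanism inside an Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme or "none"          # basic, bearer, ...
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                   # binascii.Error is a ValueError
        return "malformed"
    if token.startswith(NTLM_SIG) and len(token) >= 12:
        kind = NTLM_MSG.get(int.from_bytes(token[8:12], "little"), "unknown")
        return "ntlm-" + kind            # raw NTLM, not wrapped in SPNEGO
    if token[:1] == b"\x60":             # GSS-API InitialContextToken tag
        if NTLM_SIG in token:
            return "spnego-ntlm"         # NTLM wrapped in SPNEGO
        if any(oid in token for oid in KRB5_OIDS):
            return "kerberos"
    return "unknown"                     # e.g. a later leg of the handshake


# Constructed samples (not captured traffic): an NTLM type-1 message and an
# abbreviated GSS-API token that carries only the Kerberos OID.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLM_SIG + (1).to_bytes(4, "little") + bytes(4)).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x0d" + KRB5_OIDS[0] + bytes(2)).decode()

if __name__ == "__main__":
    print(offered_schemes(["Negotiate", "NTLM"]))
    for sample in (SAMPLE_NTLM, SAMPLE_KRB, "Basic dXNlcjpwYXNz"):
        print(classify_authorization(sample))
```

Only the first token a client sends is classified; later legs of a SPNEGO exchange use a different wrapper and come back as `unknown`.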