I have an intranet site which calls a POST method from another server, also on the intranet.
If I set the Authentication mode to Basic Authentication in IIS I can use the following:
HttpWebRequest oReq = (HttpWebRequest)WebRequest.Create(sURL);
oReq.ContentType = "application/x-www-form-urlencoded";
oReq.Method = "POST";
oReq.Timeout = 60000;
...
oReq.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;
...
try
{
HttpWebResponse oResp = (HttpWebResponse)oReq.GetResponse();
...
}
All of the above works as intended.
However I need to change the security to Windows Authentication in IIS, and once I do I keep getting error 401 unauthorized on this line:
try
{
HttpWebResponse oResp = (HttpWebResponse)oReq.GetResponse();
...
}
That can be fixed by changing the credentials like so:
NetworkCredential creds = new NetworkCredential("username","password","domain");
oReq.Credentials = creds;
But that's not the right way anyway. How can I get the default credentials to work for Windows Authentication also?
If you've got one web site calling out to another, you've got a 2nd hop. This is a kerberos 2nd hop problem.
The intranet site needs permission to call the 2nd site on behalf on the end user.
I'd suggest you use a tool call DelegConfig. I can't recommend it highly enough. Its a simple asp.net application that will tell you what is wrong with your kerberos setup and can tell you how to fix it (or do it itself if you want)
I've found I had to get the client to server authentication working first for it it work, but once thats there it makes working out what wrong with the next hop to UNC/http/sql etc very easy.
Related
I have run into a snag while building a web client that makes use of a RESTful web service using Integrated Windows Authentication.
When I run the client locally (as myself), it works fine, and I see my user id in the IIS logs. But, when I run it remotely, no credentials are passed (i.e. I do not see my user id in the IIS logs), and I get an error that
"The remote server returned an error: (401) Unauthorized."
Both the local and published client call the same service. Also note that the IIS logs show two entries (one without a username and one with a username) when I run it locally. When I run in from the published location, there are still two entries, but neither shows the username.
Below is the code I am using to make the call:
var request = (HttpWebRequest) WebRequest.Create(ConfigurationManager.AppSettings["positionServicePath"] + "?positionNumberSearch=" + searchString);
request.Method = "GET";
request.ContentType = "application/json";
request.UseDefaultCredentials = true;
request.PreAuthenticate = false;
CredentialCache cc = new CredentialCache();
cc.Add(
new Uri(ConfigurationManager.AppSettings["positionServicePath"]),
"Negotiate",
CredentialCache.DefaultNetworkCredentials);
request.Credentials = cc;
// Get the Response
using (var response = request.GetResponse()){
var reader = new StreamReader(response.GetResponseStream());
// Convert the response to objects from Json
var resultList = JsonConvert.DeserializeObject<IEnumerable<PositionModel>>(reader.ReadToEnd());
// Return an empty list, if no data was retrieved
return resultList != null ? resultList.ToList() : new List<PositionModel>();
}
Any help would be greatly appreciated.
I think you have to create IIS user permitted to your project.
Follow this Anonymous Access
Second Option:
Try to enabled anonymous access in Authentication Methods in Microsoft Internet Information Services (IIS).
Step:
1. Open your IIS.
2. In IIS Group:
3. open or select Authentication:
4. Select Anonymous Authentication:
5. On the Left Side select Enabled.
Good Luck!
I found the answer to this issue was the same for the answer to the following Stack Overflow post: Unable to authenticate to ASP.NET Web Api service with HttpClient.
Thank you to those who took the time to look this over!
When consuming a dynamics nav web service I get the following error :
The request failed with HTTP status 401: Unauthorized.
However when I try it in a browser it works . I tried the following but its still not working :
service.UseDefaultCredentials = true;
service.PreAuthenticate = true;
also :
service.Credentials = new System.Net.NetworkCredential("XXXXX", "XXXX","XXXX");
I even tried using dynamics nav acces key but also it didn't work.
Any new suggestions ?
I know this thread is more than 4 years old, but i thought if somone is currently searching for this problem he will come across this trhead, like me.
There is currently a problem with NTLM and Xamarin (at the moment i write this, the problem also exists in .net core on MacOS).
See the links:
iOS: https://github.com/xamarin/xamarin-macios/issues/7770
Android: https://developercommunity.visualstudio.com/content/problem/756697/last-visual-studio-update-brakes-ntlm-authenticati.html
The solution is to use the "MonoWebRequestHandler". For a combined Android and iOS Solution check my latest post here
I hope i could save somones time with this post!
Several things might be wrong.
Did you check what kind of authentication the Service Tier is setup to?
Is there a default company set (or are you selecting a company in the URL).
Is NTLM on or off; these are all possible reasons this error might popup.
I think you're code should be like that
service.UseDefaultCredentials = false;
service.Credentials = new System.Net.NetworkCredential("XXXXX", "XXXX","XXXX");
You must enabled NTLM setting properties authentification if you are using PHP or Java Or XAMARIN
Use NTLM Authentication
This piece of code below is working for me (I wasn't really adjusting the Service Tier - it has more or less the default settings):
service.ClientCredentials.Windows.ClientCredential.Domain = <domain>;
service.ClientCredentials.Windows.ClientCredential.UserName = <username>;
service.ClientCredentials.Windows.ClientCredential.Password = <password>;
service.ClientCredentials.Windows.AllowedImpersonationLevel =
System.Security.Principal.TokenImpersonationLevel.Delegation;
If that above doesn't work try to get rid of the domain from the NetworkCredential - just use your username and password (if the client and the server are in the same domain, obviously).
I have written a simple ASP.Net WebAPI that download a file from an on-prem tfs server using a rest call. The issue is when I connect to this site from my user account(corp domain), and set the credentials in webRequest to CredentialsCache.DefaultCredentials, it works fine since I am a vlid user on the tfs project.
Now someone else in my team wishes to use the same webAPI and when they hit the same url, I could see that its my credentials being used again to download the file.
I suspect this is because of using CredentialsCache.DefaultCredentials in my controller code, but I am not able to find a way using which I should be able to use the client's identity to be used for the download request.
My question is , is there a way to extract the windows identity or network credentials of the remote user(on the same domain) which I can use for Authentication. I am sorry if this is a DUP but I could not find a targetted answer to my question yet. Sample code is pasted below.
var request = (HttpWebRequest)WebRequest.Create(uri);
request.Credentials = CredentialCache.DefaultNetworkCredentials;
try
{
var webResponse = request.GetResponse();
var webStream = webResponse.GetResponseStream();
if (webStream != null)
{
var objReader = new StreamReader(webStream);
return objReader.ReadToEnd()
}
}
I dont know if I understand you correctly but I think impersonation is what you're looking for:
http://msdn.microsoft.com/en-us/library/xh507fc5.ASPX
I have a asp.net mvc 4.0 web application that attempts to use windows authentication to authenticate against some web services. its hosted in iis7
The web services are autodesk vault 2011 web services, I present the user with a login screen where they can use a vault user account or they can use their windows login. There is no issue with using a vault account it logs in via the vault web services and call the various vault web services such as pulling data out of the vault. no issues here
When trying to log in using windows authentication then I get a 401 error when accessing the web services
I think that it could be a double hop issue so the server admins are going to enable Kerberos so we can at least eliminate this as a possibility. In the live environment the site and web services are located on different servers.
However for testing I have a virtual machine setup and the site and web services are on the same machine and I still get a 401 issue so maybe it is an iis configuration issue and not a double hop issue as originally thought
I have tried the following but with no success
I have added the following code to the winauthservice (I have wrapped the web services so that I can override the invoke and I have created a factory class to instantiate the services)
this.UnsafeAuthenticatedConnectionSharing = true;
var credentialCache = new CredentialCache();
credentialCache.Add(new Uri(this.Url), "NTLM", new NetworkCredential(identity.Name, identity.Password.ConvertToUNSecureString(), identity.Name.Substring(0, identity.Name.IndexOf("\\", StringComparison.OrdinalIgnoreCase))));
this.Credentials = credentialCache;
I have also tried it with Negotiate instead of NTLM
I have disabled the loopback check in the registry and I have added the server name and localhost to the BackConnectionHostNames registry entry
I have disabled anonymous authentication for the web site in iis and enabled windows authentication. In the providers for windows authentication I have removed negotiate and just left NTLM as saw a post recommending to do this.
In the web.config I have set authentication mode = windows
I have the following in my IIS logs
2013-09-25 09:11:05 fe80::9565:6102:fe2d:8f41%10 POST /AutodeskDM/Services/WinAuth/WinAuthService.asmx - 80 - fe80::9565:6102:fe2d:8f41%10 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.296) 401 2 5 11572
2013-09-25 09:11:05 fe80::9565:6102:fe2d:8f41%10 POST /AutodeskDM/Services/WinAuth/WinAuthService.asmx - 80 - fe80::9565:6102:fe2d:8f41%10 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.296) 401 1 3221225581 10
I'm running out of ideas as to what the issue could now be, but my thought is if I can get this working in my test vm then I may have more luck in the live environment
I had problems with authentication surviving a redirect when using a HttpWebRequest object, but I'm not sure if this is your problem. I noticed the redirect and the missing authentication using Fiddler2.
What I had to do was to set PreAuthenticate = true on the HttpWebRequest object
HttpWebRequest request;
request = (HttpWebRequest)WebRequest.Create(uri);
request.PreAuthenticate = true;
request.Credentials = new CredentialCache {{uri, "Basic", credentials}};
But, like I said, I'm not sure if this applies in your situation though.
i want to download a ssrs report in Excel format in code.
So i first checked the url: it is correct
then i created a webrequest, with a NetworkCredential for the same user which can open the link in the browser.
I moved developing to the ssrs machine itself ( it has vs2008 on it)
so now i'm on the ssrs machine, logged on as user A, starting a webpage, create a webrequest with the same credentials as i'm currently logged on with to the ssrs machine (user A).... and get a 401.
What i don't know is what is giving me the 401. Is it the webserver denying me, or is it ssrs itself (i'm a newbee at ssrs so i don't know much about rights on reports in ssrs itself, but as i said: my logon credentials are the same as the webrequest credentials: user A).
i've googled a lot and tried 5 solutions, but no luck so far.
This won't work if NTLM credentials are required:
webrequest.Credential = new networkcredential ("","","");
You can try the following but it likely will not work:
webrequest.Credentials = CredentialCache.DefaultNetworkCredentials;
Chances are you will need to pass in the actual credentials like:
NetworkCredential networkCredential = new NetworkCredential(UserName, Password, Domain);
CredentialCache credCache = new CredentialCache();
credCache.Add(new Uri(url), "NTLM", networkCredential);
webrequest.Credentials = credCache;
SSRS will need to authentic the WebRequest and default/blank credentials cannot be passed in.
This reminded me of something I ran into a couple years ago:
http://support.microsoft.com/kb/896861
I'm not sure how likely this problem is, but I really think it's worth implementing "Method 2" from that support article (a simple registry addition) just to see if that resolves the problem. (Yes, the article lists a bunch of old OS versions, but I successfully used this on a bunch of SharePoint 2007 servers to resolve problems.)
Worth a try, I think...
I always set
WebRequest.UseDefaultCredentials = True
Then I run the app as the user accessing the SSRS server.
At first I suggest installing Fiddler Web Debugger on the machine where the calling application is run. This way you can see exactly the requests and responses that are made between your application and the SSRS. You might find something like an ISA proxy wanting you to additionally authenticate to it.
Assuming your caller is a console or WebForms application, the following code passes the credentials under which your application runs to the SSRS:
WebRequest webRequest = WebRequest.Create(url);
HttpWebRequest httpWebRequest = webRequest as HttpWebRequest;
// request authentication
httpWebRequest.UseDefaultCredentials = true;
// which is the same as
httpWebRequest.Credentials = CredentialCache.DefaultCredentials;
// optional proxy authentication
httpWebRequest.Proxy.Credentials = CredentialCache.DefaultCredentials;