I am having difficulties authenticating a HttpWebRequest to a webserver. The response I am receiving is simply a 401. I've made sure I set the credentials correctly on the C# side, and IIS is correctly set to allow NTLM authentication. I don't know if this matters, but the computer is not on the same domain as the web server.
I am sure the user/pass is correct but are there any other authorization settings needed to configure on the user?
If I enable Basic authentication, and disable Windows Authentication, the request works perfectly (with the correct C# code changes of course).
What am I missing?
webRequest.UseDefaultCredentials = false;
webRequest.PreAuthenticate = true;
var c = new NetworkCredential("User", "password", "domain");
CredentialCache credentialCache = new CredentialCache();
credentialCache.Add(new Uri(Url), "NTLM", c);
webRequest.Credentials = credentialCache;
Here's a snapshot of my settings in IIS.
Failed Request Tracing:
With the help of a colleague, we were able to determine something was wrong in the way Windows was dealing with the authentication. Looks like a setting in the Local Security was wrong. Changing "Local Policies > Security Options > Network access: Sharing and security model for local accounts" from "Guest only - local users authenticate as Guest" to "Classic" fixed the problem.
What is the value of the credential cache lines,
CredentialCache credentialCache = new CredentialCache();
credentialCache.Add(new Uri(Url), "NTLM", c);
why not simply set
webRequest.Credentials = c;
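What the two forms in the comment above do differently, as an added example that is not code from any of the posts: a bare NetworkCredential hands itself out for any URI and any challenge scheme (Basic included), while a CredentialCache entry is only returned for the URI prefix and scheme it was registered under. The class name, the WouldAnswer helper and the URLs are constructed for illustration.

```csharp
using System;
using System.Net;

static class CredentialScopeDemo
{
    // True if `creds` would release a credential for this URI and challenge scheme.
    // HttpWebRequest asks the same question of request.Credentials after a 401.
    static bool WouldAnswer(ICredentials creds, string url, string scheme)
    {
        return creds.GetCredential(new Uri(url), scheme) != null;
    }

    static void Main()
    {
        // Constructed sample values, mirroring the question's snippet.
        var c = new NetworkCredential("User", "password", "domain");
        var cache = new CredentialCache();
        cache.Add(new Uri("https://intranet.example/app/"), "NTLM", c);

        // Constructed challenges: expected host/NTLM, expected host/Basic,
        // and a different host asking for NTLM.
        string[][] challenges =
        {
            new[] { "https://intranet.example/app/report", "NTLM"  },
            new[] { "https://intranet.example/app/report", "Basic" },
            new[] { "https://other.example/",              "NTLM"  },
        };

        foreach (string[] ch in challenges)
        {
            Console.WriteLine("{0,-40} {1,-6} bare={2,-5} cache={3}",
                ch[0], ch[1],
                WouldAnswer(c, ch[0], ch[1]),
                WouldAnswer(cache, ch[0], ch[1]));
        }
    }
}
```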
401.2 likely means that either the web server you are connecting to is not enabled to use NTLM (which it seems to be according to your screenshot), or that there is a proxy between your client and the web server.
Related
I have run into a snag while building a web client that makes use of a RESTful web service using Integrated Windows Authentication.
When I run the client locally (as myself), it works fine, and I see my user id in the IIS logs. But, when I run it remotely, no credentials are passed (i.e. I do not see my user id in the IIS logs), and I get an error that
"The remote server returned an error: (401) Unauthorized."
Both the local and published client call the same service. Also note that the IIS logs show two entries (one without a username and one with a username) when I run it locally. When I run it from the published location, there are still two entries, but neither shows the username.
Below is the code I am using to make the call:
var request = (HttpWebRequest) WebRequest.Create(ConfigurationManager.AppSettings["positionServicePath"] + "?positionNumberSearch=" + searchString);
request.Method = "GET";
request.ContentType = "application/json";
request.UseDefaultCredentials = true;
request.PreAuthenticate = false;
CredentialCache cc = new CredentialCache();
cc.Add(
new Uri(ConfigurationManager.AppSettings["positionServicePath"]),
"Negotiate",
CredentialCache.DefaultNetworkCredentials);
request.Credentials = cc;
// Get the Response
using (var response = request.GetResponse()){
var reader = new StreamReader(response.GetResponseStream());
// Convert the response to objects from Json
var resultList = JsonConvert.DeserializeObject<IEnumerable<PositionModel>>(reader.ReadToEnd());
// Return an empty list, if no data was retrieved
return resultList != null ? resultList.ToList() : new List<PositionModel>();
}
Any help would be greatly appreciated.
I think you have to create an IIS user permitted to your project.
Follow this Anonymous Access
Second Option:
Try to enable anonymous access in Authentication Methods in Microsoft Internet Information Services (IIS).
Step:
1. Open your IIS.
2. In IIS Group:
3. open or select Authentication:
4. Select Anonymous Authentication:
5. On the Left Side select Enabled.
Good Luck!
I found the answer to this issue was the same for the answer to the following Stack Overflow post: Unable to authenticate to ASP.NET Web Api service with HttpClient.
Thank you to those who took the time to look this over!
I'm developing an Intranet application using C# and MVC. I have Windows authentication enabled to authenticate my users. One of the requirements is to enable users to download files from a SharePoint server on the same domain. From my local machine it's no problem, but when I publish it on a live server, again on the same domain, I get error 401 unauthorized. My original code was
byte[] fileBytes = await client.DownloadDataTaskAsync(fileUri);
var response = new FileContentResult(fileBytes, "application/octet-stream");
return response;
Now after reading up I've come across CredentialCache so I've changed my code accordingly
CredentialCache cc = new CredentialCache();
cc.Add(
new Uri(fileUri),
"NTLM",
new NetworkCredential("username", "pass", "domain")
);
client.Credentials = cc;
I can't figure out how to get the password and pass it to NetworkCredential. So my question is how do I get and pass the password to NetworkCredential as I don't store it anywhere because the users are windows authenticated.
I have an intranet site which calls a POST method from another server, also on the intranet.
If I set the Authentication mode to Basic Authentication in IIS I can use the following:
HttpWebRequest oReq = (HttpWebRequest)WebRequest.Create(sURL);
oReq.ContentType = "application/x-www-form-urlencoded";
oReq.Method = "POST";
oReq.Timeout = 60000;
...
oReq.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;
...
try
{
HttpWebResponse oResp = (HttpWebResponse)oReq.GetResponse();
...
}
All of the above works as intended.
However I need to change the security to Windows Authentication in IIS, and once I do I keep getting error 401 unauthorized on this line:
try
{
HttpWebResponse oResp = (HttpWebResponse)oReq.GetResponse();
...
}
That can be fixed by changing the credentials like so:
NetworkCredential creds = new NetworkCredential("username","password","domain");
oReq.Credentials = creds;
But that's not the right way anyway. How can I get the default credentials to work for Windows Authentication also?
If you've got one web site calling out to another, you've got a 2nd hop. This is a Kerberos 2nd hop problem.
The intranet site needs permission to call the 2nd site on behalf of the end user.
I'd suggest you use a tool called DelegConfig. I can't recommend it highly enough. It's a simple ASP.NET application that will tell you what is wrong with your Kerberos setup and can tell you how to fix it (or do it itself if you want).
I've found I had to get the client to server authentication working first for it to work, but once that's there it makes working out what's wrong with the next hop to UNC/http/sql etc. very easy.
I want to download an SSRS report in Excel format in code.
So I first checked the URL: it is correct.
Then I created a webrequest, with a NetworkCredential for the same user which can open the link in the browser.
I moved developing to the SSRS machine itself (it has VS2008 on it),
so now I'm on the SSRS machine, logged on as user A, starting a webpage, creating a webrequest with the same credentials as I'm currently logged on with to the SSRS machine (user A).... and get a 401.
What I don't know is what is giving me the 401. Is it the webserver denying me, or is it SSRS itself (I'm a newbie at SSRS so I don't know much about rights on reports in SSRS itself, but as I said: my logon credentials are the same as the webrequest credentials: user A).
I've googled a lot and tried 5 solutions, but no luck so far.
This won't work if NTLM credentials are required:
webrequest.Credentials = new NetworkCredential("", "", "");
You can try the following but it likely will not work:
webrequest.Credentials = CredentialCache.DefaultNetworkCredentials;
Chances are you will need to pass in the actual credentials like:
NetworkCredential networkCredential = new NetworkCredential(UserName, Password, Domain);
CredentialCache credCache = new CredentialCache();
credCache.Add(new Uri(url), "NTLM", networkCredential);
webrequest.Credentials = credCache;
SSRS will need to authenticate the WebRequest and default/blank credentials cannot be passed in.
This reminded me of something I ran into a couple years ago:
http://support.microsoft.com/kb/896861
I'm not sure how likely this problem is, but I really think it's worth implementing "Method 2" from that support article (a simple registry addition) just to see if that resolves the problem. (Yes, the article lists a bunch of old OS versions, but I successfully used this on a bunch of SharePoint 2007 servers to resolve problems.)
Worth a try, I think...
I always set
WebRequest.UseDefaultCredentials = True
Then I run the app as the user accessing the SSRS server.
At first I suggest installing Fiddler Web Debugger on the machine where the calling application is run. This way you can see exactly the requests and responses that are made between your application and the SSRS. You might find something like an ISA proxy wanting you to additionally authenticate to it.
Assuming your caller is a console or WebForms application, the following code passes the credentials under which your application runs to the SSRS:
WebRequest webRequest = WebRequest.Create(url);
HttpWebRequest httpWebRequest = webRequest as HttpWebRequest;
// request authentication
httpWebRequest.UseDefaultCredentials = true;
// which is the same as
httpWebRequest.Credentials = CredentialCache.DefaultCredentials;
// optional proxy authentication
httpWebRequest.Proxy.Credentials = CredentialCache.DefaultCredentials;
I recently asked a question concerning NetworkCredential and HttpWebRequest.Credentials when a server returns redirects. I determined that building a CredentialCache of NetworkCredential instances works for my scenario. Now I have a temporary method that builds a CredentialCache with all of the domain names hard coded in. It worked, which is great.
CredentialCache cache = new CredentialCache();
cache.Add(new Uri("http://example.com"), "Negotiate", loginCredentials);
cache.Add(new Uri("http://redirected.example.com"), "Negotiate", loginCredentials);
request.Credentials = cache;
Now, I need to make this more flexible. The whole idea of the redirects is for load balancing on the server. The client won't know exactly where it'll get redirected to until the call to HttpWebRequest.GetResponse(). What is the preferred method for building the CredentialCache to include each redirected server as they are encountered? Also, what is the rationale behind making this so difficult? Why can't a single NetworkCredentials instance satisfy HttpWebRequest.Credentials for each redirect? Does it introduce security vulnerabilities to reuse credentials across redirects?
Thanks.
I used the code and got 401 error (SharePoint 2010 OOB Web Services). Then checked in some other site and tried "NTLM" instead of "Negotiate" in the below line. It's working fine now.
Not Working:
cache.Add(new Uri(myProxy.Url), "Negotiate", new NetworkCredential("UserName", "Password", "Domain"));
Working:
cache.Add(new Uri(myProxy.Url), "NTLM", new NetworkCredential("UserName", "Password", "Domain"));
Nate,
I see you are using "negotiate", so why don't you use
CredentialCache.DefaultNetworkCredentials or CredentialCache.DefaultCredentials
for all the redirects?
From MSDN:
The credentials returned by the DefaultNetworkCredentials property is applicable only for NTLM, negotiate, and Kerberos-based authentication.
The credentials returned by DefaultNetworkCredentials represents the authentication credentials for the current security context in which the application is running. For a client-side application, these are usually the Windows credentials (user name, password, and domain) of the user running the application. For ASP.NET applications, the default network credentials are the user credentials of the logged-in user, or the user being impersonated.
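One way to add each redirected server to the CredentialCache as it is encountered, as asked in the redirect question above (an added example, not code from any of the posts): automatic redirects are switched off, and every Location target is checked against an allowlist before a Negotiate entry scoped to that host is created. The class name, the TrustedSuffixes allowlist and the maxHops parameter are assumptions made for illustration.

```csharp
using System;
using System.Net;

static class RedirectAwareRequest
{
    // Assumption: the only hosts this client is willing to authenticate to.
    static readonly string[] TrustedSuffixes = { "example.com" };

    static bool IsTrusted(Uri uri)
    {
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            return false;
        foreach (string s in TrustedSuffixes)
        {
            if (uri.Host.Equals(s, StringComparison.OrdinalIgnoreCase) ||
                uri.Host.EndsWith("." + s, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    public static HttpWebResponse Get(Uri start, NetworkCredential login, int maxHops)
    {
        var cache = new CredentialCache();
        Uri current = start;
        for (int hop = 0; hop <= maxHops; hop++)
        {
            if (!IsTrusted(current))
                throw new InvalidOperationException("Untrusted redirect target: " + current.Host);

            // Scope the credential to this authority only, and only for Negotiate.
            // Adding the same prefix/scheme pair twice throws, so check first.
            var prefix = new Uri(current.GetLeftPart(UriPartial.Authority));
            if (cache.GetCredential(prefix, "Negotiate") == null)
                cache.Add(prefix, "Negotiate", login);

            var request = (HttpWebRequest)WebRequest.Create(current);
            request.AllowAutoRedirect = false;    // inspect every hop ourselves
            request.Credentials = cache;

            var response = (HttpWebResponse)request.GetResponse();
            int status = (int)response.StatusCode;
            string location = response.Headers["Location"];
            if (status < 300 || status > 399 || location == null)
                return response;                  // final answer, caller disposes it

            response.Close();
            current = new Uri(current, location); // resolves relative Location values
        }
        throw new WebException("Too many redirects");
    }
}
```

A redirect to a host outside the allowlist stops the chain before any credential entry exists for that host, so nothing is offered to it.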