Re: Windows authentication for web service client??

If you are posting to WEBDAV it is my understanding that you cannot use Integrated authentication since you HAVE to pass it the username and the password in the network credentials. I was going to try to write some information to user's calendars and saw several articles on doing it via WEBDAV. However, you have to ask them for their password and pass it along. This makes it totally useless as far as I am concerned.

If someone knows a way to not have to pass the password through that would be great but I haven't seen anything on how to do it anywhere.

-Keith


solex wrote: 
Kevin,

I appreciate your response.

I guess what I am saying here is that it is not working as advertised. I must put together a sample example, but for some reason the users credentials are lost when making the WebDAV request. I get a 401 unauthorized error.

Thanks,
Dan




"Kevin Yu" <koo9@xxxxxxxxxxx> wrote in message news:eQY0VXERFHA.4028@xxxxxxxxxxxxxxxxxxxxxxx

Dan

The bottom line is when enable integrated windows authentication for a
service (web app, web service etc)
the client need to supply proper credential to the service. now as I
memtion, DefaultCredentials will always
return the credential that the client is running under. so by default, the
web service is running ASPNET account.
you can however config the web service(I assume that's the client) to run
under a different account.

I am not sure what you mean "users id" here, if you mean the login users,
then you can set the impersonate=true
in the web.config file. so that calls to the WebDAV will use the login
users' credentials.

HTH

Kevin



"solex" <solex@xxxxxxxxxxxxx> wrote in message
news:%2373WxyDRFHA.2736@xxxxxxxxxxxxxxxxxxxxxxx

Kevin,

My problem is that the DefaultCredentials is NOT working. If I hard code
the credentials using my uid/password and domain it works fine as shown in
my first example.

Ideally I want the web service and a subsequent call to Exchange (via
WebDAV) to run completely under the users id.

Thanks,
Dan


"Kevin Yu" <koo9@xxxxxxxxxxx> wrote in message
news:etWV4kCRFHA.508@xxxxxxxxxxxxxxxxxxxxxxx

"solex" <solex@xxxxxxxxxxxxx> wrote in message
news:%23wMk7BdQFHA.3076@xxxxxxxxxxxxxxxxxxxxxxx

Kevin,
Thanks for responding,  if you (or anyone) sees anything obviously


wrong

with the below summary please let me know.

Thanks,
Dan

I have the following settings
   Web config:
       <authentication mode="Windows" />
       <identity impersonate="true" />

   IIS:
       Anonymous access has been disabled and Integraged Security is


the

only access that is enabled.

   Client:
       When calling the web service I make sure that I am passing the
defaultCredentials from the CredentialCache.

I hardcoded a credential using the following code and it works

   Dim Response As System.Net.HttpWebResponse
   Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
HttpWebRequest)
   Dim MyCredentialCache = New System.Net.CredentialCache
   MyCredentialCache.Add(New System.Uri(URI), "NTLM", _
    New System.Net.NetworkCredential("myUserID", "myPassword",


"myDomain"))

   Request.Credentials = MyCredentialCache

   make my http WEBDAV request here ...

   Return (Response)

But this does not work:

   Dim Response As System.Net.HttpWebResponse
   Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
HttpWebRequest)

   Request.Credentials = CredentialCache.DefaultCredentials
   make my http WEBDAV request here ...

   Return (Response)


ok. CredentialCache.DefaultCredentials will return the credentials that
client is running under.
so it doens't matter what you set before the line:

Request.Credentials = CredentialCache.DefaultCredentials

it will always return the default credential for the request, but in the
working code, since you set
credentials in the credentialscache for that particular request URI, so
that
when the client making
calls to the destinated service, it will use that credential for the
request, that's why it works.



Nor does this:

   Dim impersonationContext As
System.Security.Principal.WindowsImpersonationContext
   Dim currentWindowsIdentity As


System.Security.Principal.WindowsIdentity

   currentWindowsIdentity = CType(mobjUser.Identity,
System.Security.Principal.WindowsIdentity)
   impersonationContext = currentWindowsIdentity.Impersonate()

   Request.Credentials = CredentialCache.DefaultCredentials
   Dim Response As System.Net.HttpWebResponse
   Dim Request As HttpWebRequest = CType(WebRequest.Create(URI),
HttpWebRequest)

   Request.Credentials = CredentialCache.DefaultCredentials

   make my http WEBDAV request here ...

   impersonationContext.Undo()

   Return (Response)


I have try the same approach using implicity impersonation, what you are
doing here
is the same as using this line: Request.Credentials =
CredentialCache.DefaultCredentials
since you use this call to get the current identity:
currentWindowsIdentity
= CType(mobjUser.Identity,

System.Security.Principal.WindowsIdentity), then you do this: 

Request.Credentials = CredentialCache.DefaultCredentials
thus in fact you are doing the same thing twice.

it seems that doing impersonation won't change the
defaultcredential, Request.Credentials =
CredentialCache.DefaultCredentials
will always return the credentials that the client is running under as I
mentioned
above.

I use this code from msdn to do impersonation:

#region Public Methods

public bool ImpersonateValidUser()

{

WindowsIdentity tempWindowsIdentity;

IntPtr token = IntPtr.Zero;

IntPtr tokenDuplicate = IntPtr.Zero;

if(RevertToSelf())

{

if(LogonUserA(_userName, _domain, _password, LOGON32_LOGON_INTERACTIVE,

LOGON32_PROVIDER_DEFAULT, ref token) != 0)

{

if(DuplicateToken(token, 2, ref tokenDuplicate) != 0)

{

tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);

impersonationContext = tempWindowsIdentity.Impersonate();

if (impersonationContext != null)

{

CloseHandle(token);

CloseHandle(tokenDuplicate);

return true;

}

}

}

}

if(token!= IntPtr.Zero)

CloseHandle(token);

if(tokenDuplicate!=IntPtr.Zero)

CloseHandle(tokenDuplicate);

return false;

}

//reverse the security context

public void UndoImpersonation()

{

if(impersonationContext!=null)

impersonationContext.Undo();

}

#endregion


#region Win32 calls

[DllImport("advapi32.dll")]

private static extern int LogonUserA(String lpszUserName,

String lpszDomain,

String lpszPassword,

int dwLogonType,

int dwLogonProvider,

ref IntPtr phToken);

[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]

private static extern int DuplicateToken(IntPtr hToken,

int impersonationLevel,

ref IntPtr hNewToken);

[DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]

private static extern bool RevertToSelf();

[DllImport("kernel32.dll", CharSet=CharSet.Auto)]

private static extern bool CloseHandle(IntPtr handle);

#endregion


}

in conclusion, only when the correct credential in the credentialsCache
for
that
request (that particular URI), it request have access permission.

thanks for your code. I will give it a try.






"Kevin Yu" <koo9@xxxxxxxxxxx> wrote in message
news:u0yUSScQFHA.580@xxxxxxxxxxxxxxxxxxxxxxx


"solex" <solex@xxxxxxxxxxxxx> wrote in message
news:%23sSDjOSQFHA.244@xxxxxxxxxxxxxxxxxxxxxxx

I'm having a similar problem

I have a web service that make a webDav request to Exchange.

I have impersonation on but when I use the defaultCredentials in the 

web

services to make the webdav reqeust I get an Unauthorized 401 error. 

My

credentials have rights to make this request and I'm at my wits end
trying
to figure it out.

The service works if I hard code my Network credentials in the 

service

but
does not otherwise.


Hardcoded into your code? create a credential instead of using the
defaultcredentials?

I thought one can only create credential for "basic" or "digest"
authentication mode.

I try implicit impersonation, it won't work, even if you are
impersonating,
the web service has to
put the credential on the soap message in order for it to be
authenticated,
because that's
all the hosting service see when interacting with each other. don't
want
to
do explicit impersonation.


in .net 2.0, there will be a better support or even WSE 2.0, but this
is
not
my options here.
since if we were to use WSE 2.0, there will be a long process of 

paper

work
and testing and questioning.....






Any help with this would also be appreciated.

Thanks,
Dan


"Kevin Yu" <koo9@xxxxxxxxxxx> wrote in message
news:eOariLKQFHA.1476@xxxxxxxxxxxxxxxxxxxxxxx

but the problem with impersonation in the code is after 

LogonUser()

win32

call, will the defaultcredentials be set to the new credentials
then?





"Kevin Yu" <koo9@xxxxxxxxxxx> wrote in message
news:OEbaAMIQFHA.2356@xxxxxxxxxxxxxxxxxxxxxxx

I think impersonation will do , enable impersonation but don't
specified
the user, use code call the web service with a different
username/password.



"Brock Allen" <ballen@xxxxxxxxxxxxxxxxx> wrote in message
news:453919632490103600068528@xxxxxxxxxxxxxxxxxxxxxxx

The ASPNET account is a local account, so the other machine or 

domain

wouldn't know about it. You can either run you web app under a 

different

account, but that affects the rest of the code in there too. The
other
approach is to have a dedicated account (instead of using the 

current

identity of ASPNET) that you can use to do the authentication 

and

then
use those credentials from the client.

-Brock
DevelopMentor
http://staff.develop.com/ballen




hi all

got a question here, a web service secure mode is set to 

"windows",

on

the client side

when supplying the credentials, it's like this:

somewebservice.Authentication ssoAuth = new
somewebservice.Authentication();

ssoAuth.PreAuthenticate = true;

ssoAuth.Credentials = 

System.Net.CredentialCache.DefaultCredentials;

from the info here



http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref

/html/frlrfSystemNetCredentialCacheClassDefaultCredentialsTopic.asp

the defaultcredential should supply the current security 

context

that
the client is running, but in my case the client is another web
service running

on another server, now by default the account that the 

client(the

calling web service) is running under ASPNET account,

so on the host(somewebservice), I should add the 

clientdomain\ASPNET

account into the windows account?














.

Relevant Pages

  • Re: Error calling web service
    ... It looks as if the web service requires credentials to authenticate ... the incoming request. ... From a client application you can pass ...
    (microsoft.public.dotnet.framework.aspnet.webservices)
  • Re: Error calling web service
    ... It looks as if the web service requires credentials to authenticate ... the incoming request. ... From a client application you can pass ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Windows authentication for web service client??
    ... credentials are lost when making the WebDAV request. ... > the client need to supply proper credential to the service. ... > web service is running ASPNET account. ...
    (microsoft.public.dotnet.framework.aspnet.webservices)
  • RE: Unauthorized Error Calling Web Service
    ... and the IIS need to authenticated your client request again. ... Pass Current Credentials to an ASP.NET Web Service ...
    (microsoft.public.dotnet.framework.webservices)
  • Re: Windows authentication for web service client??
    ... I think you can try and get the login user's credential from teh current ... and pass it to the web service call. ... > If you are posting to WEBDAV it is my understanding that you cannot use ... >> credentials are lost when making the WebDAV request. ...
    (microsoft.public.dotnet.framework.aspnet.webservices)