RE: The remote server returned an error: (401) Unauthorized. When using integrated security.


From: Darwin Abustan[MSFT] (darwina_at_online.microsoft.com)
Date: 12/02/04


Date: Thu, 02 Dec 2004 00:31:28 GMT


--------------------
>I get the above 401 message when calling a remote server with
>integrated security. When I run locally or change the remote server
>to allow anonymous access, it runs fine. Any help would be
>appreciated.
>
>Option Strict On
>Option Explicit On
>
>Public Class RemoteType
>    Public Function SomeDumbMethod() As String
>        Return "Remoting Worked"
>    End Function
>End Class
>
>Public Class TestRemote
>    Public Sub ServerStart()
>        Dim props As New Hashtable
>        Dim dic As IDictionary = New Hashtable
>        Dim channel As System.Runtime.Remoting.Channels.Http.HttpChannel
>        props.Add("typeFilterLevel", "Full")
>        Dim formatter As New System.Runtime.Remoting.Channels.BinaryServerFormatterSinkProvider(props, Nothing)
>        channel = New System.Runtime.Remoting.Channels.Http.HttpChannel(dic, Nothing, formatter)
>        System.Runtime.Remoting.Channels.ChannelServices.RegisterChannel(channel)
>
>        Dim scanType As System.Type = GetType(RemoteType)
>        Dim uri As String = scanType.ToString & ".rem"
>        System.Runtime.Remoting.RemotingConfiguration.RegisterWellKnownServiceType(scanType, uri, Runtime.Remoting.WellKnownObjectMode.SingleCall)
>    End Sub
>
>    Sub StartClient(ByVal Environment As Int32)
>        Dim dic As IDictionary = New Hashtable
>        Dim channel As System.Runtime.Remoting.Channels.IChannel
>        dic.Add("port", 0)
>        channel = New System.Runtime.Remoting.Channels.Http.HttpChannel(dic, New System.Runtime.Remoting.Channels.BinaryClientFormatterSinkProvider, Nothing)
>        System.Runtime.Remoting.Channels.ChannelServices.RegisterChannel(channel)
>        Dim sServer As String
>        Dim scanType As System.Type = GetType(RemoteType)
>        Dim uri As String = scanType.ToString & ".rem"
>
>        Select Case Environment
>            Case 1
>                sServer = "http://localhost/xxx/"
>            Case Else
>                sServer = "https://application.company.com/xxx/"
>        End Select
>
>        System.Runtime.Remoting.RemotingConfiguration.RegisterWellKnownClientType(scanType, sServer & uri)
>        Dim proxy As MarshalByRefObject = DirectCast(Activator.GetObject(scanType, sServer & uri), MarshalByRefObject)
>        Dim channelProperties As IDictionary = System.Runtime.Remoting.Channels.ChannelServices.GetChannelSinkProperties(proxy)
>        Dim credentials As System.Net.NetworkCredential
>        credentials = New System.Net.NetworkCredential("username", "password", "domain")
>        Dim objectReference As System.Runtime.Remoting.ObjRef = System.Runtime.Remoting.RemotingServices.Marshal(proxy)
>        Dim objectUri As Uri = New Uri(objectReference.URI)
>        Dim credCache As System.Net.CredentialCache = New System.Net.CredentialCache
>        credCache.Add(objectUri, "NTLM", credentials)
>        channelProperties("credentials") = credCache
>        channelProperties("preauthenticate") = True
>    End Sub
>
>End Class
>

It sounds like you are experiencing a Kerberos delegation issue.
 
The following are the steps that I would follow to identify if it is a delegation issue:
 
1) As a further test to confirm a delegation issue, change the web application security from Integrated Security to Basic Authentication. If browsing from a client machine works after supplying credentials, then we are very likely to be dealing with a delegation issue.
 
2) Use the checklists in the following article to verify that the elements in the environment (which include the AD, the domain controller, the web server, and the client machines) are set up for Kerberos delegation. It is quite a lengthy document, but following the checklists closely is key to success - utilize the help of an infrastructure or network person.

Troubleshooting Kerberos Delegation
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx#XSLTsection127121120120

Darwin Abustan
Support Engineer

This posting is provided "AS IS" with no warranties, and confers no rights.
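
The comparison in step 1 can also be run from a client machine as a small console probe instead of a browser. This is an added example, not code from the thread or from Microsoft; the `AuthProbe` module and `Probe` function are hypothetical names, and the URL and account values are the placeholders from the question. It assumes a plain GET against the virtual directory is handled the same way as browsing to it.

```vbnet
Option Strict On
Option Explicit On

Imports System
Imports System.Net

Module AuthProbe
    ' Sends one GET with the given credentials and returns the HTTP status.
    ' On failure it also returns the WWW-Authenticate challenge, which lists
    ' the schemes (Negotiate, NTLM, Basic) the server is currently offering.
    Function Probe(ByVal url As String, ByVal creds As ICredentials) As String
        Dim request As HttpWebRequest = DirectCast(WebRequest.Create(url), HttpWebRequest)
        request.Method = "GET"
        request.Credentials = creds
        Try
            Using response As HttpWebResponse = DirectCast(request.GetResponse(), HttpWebResponse)
                Return CInt(response.StatusCode).ToString()
            End Using
        Catch ex As WebException
            ' A 401 surfaces as a WebException that still carries the response.
            Dim failed As HttpWebResponse = TryCast(ex.Response, HttpWebResponse)
            If failed Is Nothing Then Return "no HTTP response: " & ex.Status.ToString()
            Dim result As String = CInt(failed.StatusCode).ToString() & _
                " offered: " & failed.Headers("WWW-Authenticate")
            failed.Close()
            Return result
        End Try
    End Function

    Sub Main()
        ' Placeholder values taken from the question; replace with real ones.
        Dim url As String = "https://application.company.com/xxx/"

        ' Integrated security: authenticate as the account running this process.
        Console.WriteLine("Integrated: " & Probe(url, CredentialCache.DefaultCredentials))

        ' Basic: explicit credentials registered for the Basic scheme only.
        ' Keep the URL on https, since Basic sends the password with each request.
        Dim cache As New CredentialCache()
        cache.Add(New Uri(url), "Basic", New NetworkCredential("username", "password", "domain"))
        Console.WriteLine("Basic:      " & Probe(url, cache))
    End Sub
End Module
```

Run it once with the site set to Integrated Security and once after switching it to Basic Authentication; a 401 on the first run and a 200 on the second is the outcome step 1 describes.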


