Re: Credentials across multiple web service boundaries

From: Derek Harmon (loresayer_at_msn.com)
Date: 09/04/04


Date: Sat, 4 Sep 2004 02:21:03 -0400


"Bil Simser [MVP]" <bsimser@shaw.ca> wrote in message news:ueEbU0gkEHA.896@TK2MSFTNGP12.phx.gbl...
> web service gets invoked fine with the user's credentials. However they need
> to call a second web service from the first one. When it hits the second web
> service, the web service (even though configured correctly) always reports
> as IUSR (or sometimes IWAM, or whatever the anonymous accounts are).
>
> Is there a problem trying to do something like this?

Yes. NTLM authentication can only authenticate the client of the
first web service.

See, when the first web service calls another web service residing
on another machine, it can't pass along the original client's credentials.
It must pass along its own credentials. It's the host running the first
web service that is the client of the server running the second web
service, and not the original user who made the request.

Essentially, NTLM authentication is limited to one hop; it authenticates
the immediate client only. The example you've given requires the user
to be authenticated over more than one hop.

> Is there something anyone can point me at to try out or a workaround?

Kerberos delegation is frequently prescribed for these web solutions,
see the following Microsoft knowledge base article for more info,

    http://support.microsoft.com/default.aspx?scid=kb;en-us;810572

There are alternative solutions that usually involve creating duplicate
or domain accounts and impersonating them going from hop-to-hop,
but these designs tend to be rigid and difficult to maintain.

Derek Harmon
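An added illustration of the double-hop problem described in this thread (not code from the original post or from Microsoft): inside the first ASP.NET web service, check whether the impersonated caller's token is at Delegation level before calling the second service, so a misconfigured delegation fails loudly instead of silently arriving at the second hop as the anonymous or process account. It assumes .NET 2.0 or later (WindowsIdentity.ImpersonationLevel) and a placeholder downstream URL.

```csharp
// Added example, not from the thread. Assumes .NET 2.0+ and that the first
// web service runs with <identity impersonate="true"/> under Windows auth.
using System;
using System.Net;
using System.Security.Principal;

public static class HopDiagnostics
{
    // Returns true only when the caller's token can be forwarded to a second
    // hop. NTLM yields an Impersonation-level token at best, which is exactly
    // the one-hop limit described in the thread; Kerberos delegation yields a
    // Delegation-level token.
    public static bool CanForwardCallerToken(out string reason)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        if (id == null || id.IsAnonymous)
        {
            reason = "No Windows identity on this thread (anonymous access enabled?)";
            return false;
        }
        if (id.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            reason = id.Name + " authenticated via " + id.AuthenticationType
                   + " with token level " + id.ImpersonationLevel
                   + "; cannot reach the second service as the caller. "
                   + "Configure Kerberos delegation (KB 810572).";
            return false;
        }
        reason = id.Name + " holds a Delegation-level token";
        return true;
    }

    // Downstream request that carries the current thread identity. With a
    // Delegation-level token this is the original caller; with anything less
    // the second service will see the worker process account instead.
    public static HttpWebRequest CreateDownstreamRequest(string url)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.Credentials = CredentialCache.DefaultCredentials;
        req.PreAuthenticate = true;
        return req;
    }
}
```

Call CanForwardCallerToken at the start of the first service's method and log the reason string; the URL passed to CreateDownstreamRequest (for example "http://second-host/Service.asmx", a placeholder) is whatever the second web service is.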
