I have an Intranet which publishes an RSS feed, I'm trying to consume that RSS feed from another intranet site hosted on the same IIS server within a Windows domain environment.
Both sites have
<authentication mode="Windows">
And anonymous authentication is disabled.
Developing locally (Windows Auth but not on a domain) the following works:
var request = HttpWebRequest.Create(feedUrl);
request.Credentials = CredentialCache.DefaultNetworkCredentials;
XElement f;
using (var response = request.GetResponse())
{
var reader = new XmlTextReader(response.GetResponseStream());
f = XElement.Load(reader);
}
return f;
However when I deploy this to production (Windows 2008) I get a 401 Unauthorised exception. I can view the RSS feed in the browser without issue when logged in as a domain user but when trying to access it through code it doesn't seem to authenticate.
I've also tried:
request.Credentials = New System.Net.NetworkCredential("myUser","myPass","myDomain");
But still the 401 Unauthorised. Can anyone offer thoughts as to what I'm overlooking?
When you are running locally in VS, CredentialCache.DefaultNetworkCredentials will get your username, whereas when you have this client running on a web server this will return the account used to execute your application under. This is usually a NetworkService account local to your web server. That's why when you attempt to use this client to authenticate against the remote service you are getting 401. So you could configure your ASP.NET MVC client application to execute under a domain account which has permissions to access the remote service. This could be done in the advance properties of the Application Pool in the IIS manager.
Related
I'm trying to set up an ASP.NET application to use Windows Authentication.
But the IIS server is not part of a domain, it is a sole server hosted in our Rackspace account.
I'd like to have the Windows Authentication module validate against the list of local Windows users on the IIS server. Is this possible?
Anonymous Authentication is off
Basic Authentication is off
Windows Authentication is on
But when I enter credentials for a local machine account as
machinename\user
password
it doesn't seem to work. It just prompts me again.
Is possible make a local machine validation, like this:
var bool valid = false;
using (var context = new PrincipalContext(ContextType.Machine))
{
valid = context.ValidateCredentials(username, password);
}
It appears that you can use local accounts, but I'm getting some kind of server error when the account tries to authenticate.
Once I found the error in the event logs, and got the status code, I was able to track it down, and find this answer, which worked exactly!
I have banged head lately on a Authentication issue on IIS/Windows Server 2016.
I have two websites, each running ASP.Net Core WEB API, let us call them A and B.
Both sites are running with Anonymous disabled, and Windows Authentication enabled, this is done to be able to get the name of Windows User calling the WEB API.
Each site works nicely, including getting the Username of the Windows user calling the WEB API.
My issue is that Site A want's to call Site B's WEB API methods, this is done by using a HttpClient:
var handler = new HttpClientHandler
{
UseDefaultCredentials = true,
PreAuthenticate = true
};
HttpClient = new HttpClient(handler);
HttpClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
I keep getting a Unauthorized Http 401 when site A Web API calls site B's WEB API. If I turn on Anonymous Authentication on Site B, it works fine.
If Site A is started outside IIS as an Console App, it also works very fine, because Site A is running in my user Context.
My theory is that it is IIS that throws the 401, and not site B itself.
Is there anything I need to do with the way that Site B is configured on the IIS to allow the API calls from site A?. My experience is that it doesn't matter what happens inside site B, the API call from site A is blocked before that point.
Thanks in advance :-)
I quitted - and jumped to CORS instead - and IIS CORS Module, and got it working very nicely.
IIS CORS Module has the abillity to handle CORS preflight request without colliding with Windows Authentication, and can easily be configured in web.config.
I have an ASP.NET 4.5 Web Application that is deployed in an Azure VM. I have configured the IIS Server and everything but there is no Authentication in place. Anyone can access to the Web Application.
I want to configure my Web Application so every time anyone who tries to go to my Web Application it redirects before to the Microsoft Azure Active Directory login. If the user name and password is part of the Azure Active Directory, I want them to go into the web app, otherwise it should fail.
I've seen lots of tutorials when you deploy an Azure App Service and looks super easy, however, how does it get done when you deploy your web application in an Azure Virtual Machine?
EDIT: I found a tutorial that does exactly what I need and it works fine
https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect
However, how can I redirect to ALWAYS ask for sign in before the Web App loads?
To guarantee that when an authentication request is sent, the user is always forced to enter credentials no matter what session cookies might already be in place , OpenID Connect will behave that way upon receiving a prompt=login parameter in the request :
Notifications = new OpenIdConnectAuthenticationNotifications()
{
//
// If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
//
AuthorizationCodeReceived = OnAuthorizationCodeReceived,
AuthenticationFailed = OnAuthenticationFailed,
RedirectToIdentityProvider = (context) =>
{
context.ProtocolMessage.Prompt = "login";
return Task.FromResult(0);
},
}
Even if you have login into azure ad before , with that parameter , user will be asked to enter credentials .
I have a web application (say app1) which is hosted in a IIS server virtual directory.
This web application needs Integrated Windows Authentication for its functioning.
I need to integrate this web application with another product which does not use supply me windows credentials.
This application sends me an http request in a specific format.
I need to validate the request and redirect it to app1 with valid windows credentials so that it logs in smoothly.
I have created another application for this purpose
This is hosted on a separate virtual directory.
It has IIS anonymous and asp.net anonymous authentication enabled.
the pseudo code is as follows :
app2
parse request
if request sucessful
get windows credentials
get identity using credentials
reponse.redirect(app1.aspx)
But app1 authentication fails, IE asks me for credentials again.
Ideally IE should not ask me for credentials.
What would be the security context sent in the request to app1.
How can I trace the authentication failure at iis and asp.net?
To do this you need a trust relationship between the domains.
The response.redirect just sends a response back to the browser which then makes a request for the page in the redirect. So the identity is the identity of the browser.
I made an application that access CRM's web service. The problem is, when I deployed the dll into Sharepoint server, it returned error 401 unauthorized. Apparently the System.Net.CredentialCache.DefaultCredentials didn't work (my suspicion). Here's the code.
CrmSdk.CrmAuthenticationToken token = new CrmSdk.CrmAuthenticationToken();
token.AuthenticationType = AuthenticationType.AD;
token.OrganizationName = ORGANIZATION_NAME;
CrmService service = new CrmService();
service.Url = "http://crmserver:5555/mscrmservices/2007/crmservice.asmx";
service.CrmAuthenticationTokenValue = token;
service.PreAuthenticate = true;
service.Credentials = System.Net.CredentialCache.DefaultCredentials;
It goes vice-versa.
When I made application that access Sharepoint's webservice (coding the plugin) and deployed it to CRM server. It couldn't access the Sharepoint's web service. Unauthorized error. Here is the code:
Lists listService = new Lists();
listService.PreAuthenticate = true;
listService.Credentials = System.Net.CredentialCache.DefaultCredentials;
listService.Url = "http://sharepointserver/webname/_vti_bin/Lists.asmx";
My CRM server and Sharepoint server are in the same domain.
For both code, if I changed the credentials part into something like this then deploy it on server, it can run.
service.Credentials = new NetworkCredential("username", "password", "domain");
Still, I don't want to do this because it reveals user's password in the code. May anyone help me?
The IIS in both server doesn't allow Anonymous Access and it uses Integrated Windows Authentication.
Thank you
From my local computer, I can access the CRM web services or Sharepoint web services. I guess I'm authorized because the DefaultCredentials sent my credentials that its password is saved in the "Stored Username and Password" (Control Panel > User Accounts > tab Advanced > Manage Passwords)
This way, I don't have to type:
service.Credentials = new NetworkCredential("username", "password", "domain");
and my DefaultCredentials from my local comp is authorized to access the web services.
I tried to implement this on the Sharepoint server that access CRM web services. and..tadaa..it won't work. hahaha..
can we inject credentials to DefaultCredentials in server?
the last thing I want to do is to hardcode the useraccount (like the code above)
Could be that you need to be running Kerberos for authentication, but cannot be sure and it is a pain to setup just to check.
Have you verified that the default credentials are the same as those when you explicitly state them? It could be that the default credentails are those of another account that you wouldn't expect.
EDIT #1: Per the remarks for the DefaultCredentials property on MSDN:
DefaultCredentials represents the
system credentials for the current
security context in which the
application is running. For a
client-side application, these are
usually the Windows credentials (user
name, password, and domain) of the
user running the application. For
ASP.NET applications, the default
credentials are the user credentials
of the logged-in user, or the user
being impersonated.
You'll also want to ensure that the user accessing the CRM page (making the call to the SharePoint web service) can access the web service with their credentials and vice versa. If they can then it would seem more likely that some kind of impersonation is happening.
Edit #2: Assuming that you have access to both the CRM and SharePoint server you might take a peak into both the application and system logs. One or both should likely indicate a failed login and indicate which account attempted to access the resource (in this case the web services).
By using DefaultCredentials means the ASP.NET worker process or IIS worker process will take the credential of the user who run the IIS Application Pool.
so if your Dynamics CRM Application Pool is run under a user account Custom-CRM-Domain\JohnDoe, that means it will take the privileges under user account Custom-CRM-Domain\JohnDoe.
Please check the user account who run the application pool of the CRM\Sharepoint Application IIS Web application.
These are the steps to check the Application Pool:
Open the website -> Right Click -> Choose Properties
Select the Home Directory tab
Notice the Application Pool name at the dropdownlist below
Now, go to the Application Pools folder
Try to find the Application Pool name which has been listed in the step 3 -> Right Click and choose Properties
Select the "Identity" tab and you will find the user account who run the application pool
Hope this helps.
service.Credentials = System.Net.CredentialsCache.DefaultNetworkCredentials;
Try that.
Not familiar with Sharepoint, but can't you just store the connection information in a configuration and use built in tools for securing your web.config? Thats what I do.
https://web.archive.org/web/20211029043331/https://aspnet.4guysfromrolla.com/articles/021506-1.aspx
to be able use defaultcredentials, the user in active directory must be defined both in SharePoint and CRM and have enough privileges to do what you are doing with code.
And try to use sdk (crm have helper classes) instead of service definitions.
For fixing this issue you need to know first which user is running the App pool as the others said and if you need to use CredentialCache.DefaultCredentials then you have to add the user lets say svcadmin or the like into "Secondary site collection administrator" by running SharePoint central administration application . By that SP allows to the user which the credential has been passed through to access the things it needs.