401 Unauthorized when calling web service

    Question

  • Folks,

     

    I have been beating my head against the wall for about three days now and I need some relief one way or another.  Here is my scenario.  I apologize up front for the length, but I want to give enough detail to help you help me.

     

    I have a MOSS single server running.  It is an intranet server and we are using Active Directory for authentication.  I have an InfoPath 2007 form that I have developed that is using a data connection library (DCL).  The data connection library files are all using web services.  The web services are on a completely different server than the MOSS server. 

     

    When I open the form in the InfoPath client on a client PC, the form opens fine.  The DCL is accessed, the web services are invoked, and the form is populated with data just fine.  If I remote into the MOSS server and browse the form through a form library that has this form as a content type, the form is opened just fine in the browser.  The DCL is accessed, the web services are invoked, and the form is populated with data just fine.  However, if I’m on a client PC and browse the form, then I get the following error.

     

    An error occurred accessing a data source.

    An entry has been added to the Windows event log of the server.

    Log ID:5566

     

    If I look at the MOSS logs, I see the following reported on the Forms Services Data Objects

     

    System.Net.WebException: The remote server returned an error: (401) Unauthorized.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.Office.InfoPath.Server.SolutionLifetime.WebServiceHelper.GetResponseHelper(WebRequest request, DataAdapterTimer dataAdapterTimer, DataAdapterCredentials credentials, Stopwatch timer, ExecWebRequestExceptionState state, String adapterName, Boolean isQuery)
       at Microsoft.Office.InfoPath.Server.SolutionLifetime.WebServiceHelper.ExecWebRequestSync(XPathNavigator inputSubDOM, Boolean[] inputUseDataset, XPathNavigator resultsSubDOM, Boolean resultUseDataset, XPathNavigator errorsSubDOM, Uri serviceUrl, Uri soapAction, Int64 timeOutMillisec, Solution solution, Document document, String name, Boolean isQuery, DataAdapterTimer dataAdapterTimer, DataAd...
    fa26b07e-664a-4c10-80e8-a500ded82386

     

    If I look at the IIS logs on the server that the web service is deployed to, I see a 401 error there as well.  The important part is that I do not see a user making the call.  It should be noted here that the virtual directory for the web service on this server is configured to use Windows Authentication.

     

    So, my initial thoughts were that we have some type of delegation problem going on.  It would seem to me that Forms Services doesn’t know how to delegate the client PC user’s credentials onto the IIS server hosting the web service.  After a lot of Googling, I found several things that pointed to the concepts mentioned in the following posts.

     

    http://blogs.msdn.com/infopath/archive/2006/06/14/631088.aspx

     

    http://blogs.msdn.com/infopath/archive/2006/06/27/648582.aspx

     

    http://blogs.msdn.com/infopath/archive/2006/07/03/655611.aspx

     

    http://blogs.msdn.com/infopath/archive/2006/10/02/Data-Connections-in-Browser-Forms.aspx

     

    However, I have yet to get anything to work that seems reasonable.  I have tried to configure the SSO and I have tried turning on the Web Service Proxy.  None of this seems to matter.  Sometimes it even breaks the form more; such that I can’t use it on the server even.  The only way I can get this to work from a client is to specify the following section into the DCL files. 

     

    <udc:Authentication>
           <udc:UseExplicit CredentialType="NTLM">
                  <udc:UserId>myusername</udc:UserId>
                  <udc:Password>mypassword</udc:Password>
           </udc:UseExplicit>
    </udc:Authentication>

     

    Other than hard coding a domain username and password into each of my data connection library files (of which I have 16 for this particular form), how do I get this to work?  Everything I read claims SSO and/or proxies are the way to do this, but I have yet to see a GOOD explanation of each and every step and proof that it will work.

     

    Please help me if you can.  I would appreciate it so much and so would the wall my head has been hitting.

     

    Wednesday, May 28, 2008 12:59 PM

Answers

  • Thanks David for your reply.  I spoke to Microsoft yesterday concerning my problem.  We arrived at the same conclusions you talked about.  It is true that our MOSS server is set up as NTLM (I thought the server was set up to use Kerberos).  Because of the nature of this project, we are actually doing both options.  We are going through the process of enabling and setting up Kerberos.  Because this is going to take a while, we are moving one of our web services to the MOSS server.  We are adding additional methods to it to make calls to the other servers on the secondary server.  The service we put on the MOSS server will run in its own App Pool with a specific AD account.  At the point Kerberos is working, we will revert to going that route.  Microsoft's other suggestion was to use the Office SSO.
    Thursday, May 29, 2008 1:23 PM

All replies

  • It looks like you may be facing the dreaded "double-hop" scenario, where NTLM Windows credentials cannot be delegated across machine boundaries.

     

    It may be necessary to configure Kerberos delegation on the SharePoint server as well as on the web server hosting the web services. If the secondary web server accesses a SQL Server, delegation may need to be configured on that server as well.

     

    If you can add code to the web services running on the secondary web server, you can add a web method that just returns the current user login, then add a data connection to call this method. That will allow you to see how or whether you are being authenticated on that server.

     

    You can also try writing your own web service code and host it on the SharePoint server. Your custom web service would execute the remote web services, setting the credentials as necessary. In effect, you're writing your own proxy.

     

    BTW - Forms Services provides a way to perform "administrator" deployment of DCL files containing explicit credentials so that the userid/password is protected from prying eyes.

    Thursday, May 29, 2008 12:01 PM
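
The diagnostic web method suggested in the reply above, sketched as an ASMX service for the secondary web server (an added example, not code from the thread; the class name, namespace URI and method name are hypothetical):

```csharp
// AuthDiagnostics.asmx.cs -- added example; all names here are hypothetical.
using System.Security.Principal;
using System.Text;
using System.Web.Services;

[WebService(Namespace = "http://example.invalid/authdiag")]
public class AuthDiagnostics : WebService
{
    // Reports how IIS authenticated this request and which account the code runs as.
    [WebMethod]
    public string WhoAmI()
    {
        StringBuilder sb = new StringBuilder();

        // Identity that IIS established for the caller of this request.
        IIdentity caller = Context.User != null ? Context.User.Identity : null;
        bool authenticated = caller != null && caller.IsAuthenticated;
        sb.AppendLine("Authenticated: " + authenticated);
        sb.AppendLine("Caller: " + (authenticated ? caller.Name : "(anonymous)"));
        // With Windows Authentication this is e.g. NTLM, Kerberos or Negotiate.
        sb.AppendLine("AuthType: " + (authenticated ? caller.AuthenticationType : "(none)"));

        WindowsIdentity windowsCaller = caller as WindowsIdentity;
        if (windowsCaller != null)
        {
            // Delegation: the token may be forwarded to a further server.
            // Impersonation: the token is usable on this machine only.
            sb.AppendLine("CallerTokenLevel: " + windowsCaller.ImpersonationLevel);
        }

        // Account the request thread executes as: the application pool identity,
        // unless ASP.NET impersonation is enabled for this application.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            sb.AppendLine("ExecutingAs: " + current.Name);
        }
        return sb.ToString();
    }
}
```

Calling it once from the InfoPath client and once from the browser form shows whether the end user, the MOSS application pool account, or no identity at all reaches the second server. If IIS rejects the request with a 401 before the method runs, the IIS log entry is the only record of the attempt.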
  • Hello,

    I had the same problem, and the solution was to correctly configure Kerberos Delegation (there are two Front servers in NLB), using setspn.exe to register Service Principal Names, modifying the IIS MetaBase, and enabling Kerberos Delegation on the Application Pool account and computer accounts in Active Directory.

    I have detailed this problem at: 

    Configurar MOSS 2007 para invocar un Web Service desde un Formulario InfoPath en NLB (Configuring MOSS 2007 to invoke a Web Service from an InfoPath form in NLB) 

    Regards,

    GuilleSQL
    http://www.guillesql.es


    This posting is provided AS IS with no warranties, and confers no rights
    Tuesday, September 29, 2009 11:02 AM