none
WCF Rest Api gives 401 - Unauthorized: Access is denied due to invalid credentials RRS feed

  • Question

  • Hi,

    Need help in solving an weird  issue.

    I have a wcf rest api service, it has 2 methods exposed. But have same functionality and internally there is a common method which implements functionality.
    The reason for exposing as separate is, we have a consumer who passes the whole content in XElement type.

    SO first method accepts request as XElement and
    the second one accepts as object.

    In the first method (XElement) it works locally fine, it gets call from client and process the request.
    But when the same service is deployed in the server, only first method (XElement) gives me below error
    401 - Unauthorized: Access is denied due to invalid credentials 

    Where as the second method (object type) works fine without any error.

     [OperationContract]
            [WebInvoke(Method = "PUT", UriTemplate = "/Notify",
                BodyStyle=WebMessageBodyStyle.Bare,
                RequestFormat = WebMessageFormat.Xml,
                ResponseFormat = WebMessageFormat.Xml)]
            void NotifyMessages(XElement msg);

    CAn you please guide?


    Monday, August 18, 2014 5:22 PM

Answers

  • Found the solution....

    The server were we hosted the service was running on default app pool..

    We had to change it to take AppPool Identity... and have to explicitly grant access at the physical path for iis apppool\(pool name)....

    • Marked as answer by Venky_Ferrari Thursday, August 21, 2014 7:32 PM
    Thursday, August 21, 2014 7:32 PM

All replies

  •  I would say that this service is running under the context of the ASP.NET Worker Process Account, which doean't have the permissions to do what is needed. All ASP.NET applications run under the context of the ASP.NET Worker Proccess Account, unless it is told otherwise by setting user account permissions in the Application Pool the Web application is running under, or you use impersonate of a user account  through the Web.config file. Either way, the account must have the permissions to do what is needed.
    Monday, August 18, 2014 6:13 PM
  •  I would say that this service is running under the context of the ASP.NET Worker Process Account, which doean't have the permissions to do what is needed. All ASP.NET applications run under the context of the ASP.NET Worker Proccess Account, unless it is told otherwise by setting user account permissions in the Application Pool the Web application is running under, or you use impersonate of a user account  through the Web.config file. Either way, the account must have the permissions to do what is needed.

    but why does other method work?

    it should show same error for all the methods that are using same identity right

    Monday, August 18, 2014 8:09 PM
  • Hi,

    It seems that it is strange. If it throws error, then all the methods should throw the same error about "Access is denied due to invalid credentials".
    Could you please try to post all your config file here? Then I want to check that if you have used some authentication mode.


    Best Regards,
    Amy Peng

    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Tuesday, August 19, 2014 2:12 AM
    Moderator
  • but why does other method work?

    I don't know what your other methods are doing, but obviously what is happening, the credentials being used and its permissions are enough to satisfy the credentials needed or credentials are not be challenged at all by the O/S.

    it should show same error for all the methods that are using same identity right

    Nope, in this one instance, the credentials are being challenged  , and they are not sufficient to complete the task based on what the O/S wants.

    I would say that what ever the resource is that the O/S is challenging for credentials, that Windows authentication may be required by the service. 

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

    <copied> 

    10.4.2 401 Unauthorized

       The request requires user authentication. The response MUST include a   WWW-Authenticate header field (section 14.47) containing a challenge   applicable to the requested resource. The client MAY repeat the   request with a suitable Authorization header field (section 14.8). If   the request already included Authorization credentials, then the 401   response indicates that authorization has been refused for those   credentials. If the 401 response contains the same challenge as the   prior response, and the user agent has already attempted   authentication at least once, then the user SHOULD be presented the   entity that was given in the response, since that entity might   include relevant diagnostic information. HTTP access authentication   is explained in "HTTP Authentication: Basic and Digest Access   Authentication" [43].

    <end>

    You can enable auditing on the O/S for logon user credentials presented by the service, which will be logged in the O/S Event logs. It will show on failure the credentials being rejected by the O/S, because that's what's doing the rejection of the credentials is the O/S.

    http://technet.microsoft.com/en-us/library/dn319056.aspx

    Tuesday, August 19, 2014 3:22 AM
  • It has something to do with verb type : PUT...

    Looking in that direction... if anyone can provide how or what all needed for settuping a service with PUT verb..

    please share...

    Tuesday, August 19, 2014 1:18 PM
  • It has something to do with verb type : PUT...

    Looking in that direction... if anyone can provide how or what all needed for settuping a service with PUT verb..

    It has nothing to do with what credentials the Web service is running under when the O/S is challenging IIS and the Web service for credentials.

    http://windowsitpro.com/systems-management/understanding-iis-70-authentication

    You need to figure out what credentials that Web service is running under when the credentials are being challenened by the O/S.

    You you need to figure out what crededitals the Web service needs in order for it not to be challenged .

    I also suggest that you post to the below forum.

    http://forums.iis.net/default.aspx/41

    Tuesday, August 19, 2014 1:51 PM
  • Found the solution....

    The server were we hosted the service was running on default app pool..

    We had to change it to take AppPool Identity... and have to explicitly grant access at the physical path for iis apppool\(pool name)....

    • Marked as answer by Venky_Ferrari Thursday, August 21, 2014 7:32 PM
    Thursday, August 21, 2014 7:32 PM
  • Found the solution....

    The server were we hosted the service was running on default app pool..

    We had to change it to take AppPool Identity... and have to explicitly grant access at the physical path for iis apppool\(pool name)....

    I am glad you finally figured it out. You could have just made another App Pool for the service and given the App Pool the needed permissions.

    Thursday, August 21, 2014 7:49 PM