ASP.NET Windows Authentication Impersonation connecting to webservice

  • Question

  • User-1721726308 posted

    Hi

    Not sure exactly which group this belongs to. It's a question about ASP.NET and webservice authentication.

    I have a Dynamics NAV Webservice that I use in my intranet solution (web solution). I want to access this webservice as the logged-on-user.

    The website is using Windows authentication and when I enable impersonate it works fine on my computer both on IIS and IIS Express. I access the webservice as the logged on user (and not as the Application Pool Identity). Perfect!

    System.Security.Principal.WindowsIdentity.GetCurrent().Name shows my username as it should. If I change impersonate to false, the WindowsIdentity changes to the application pool, as I expect.

    Then I publish this site to another server on the same domain and the same setup gives me the error: "The remote server returned an error: (403) Forbidden." when connecting to the web service. So it seems this server is not passing on my credentials to the webservice for some reason. System.Security.Principal.WindowsIdentity.GetCurrent().Name still shows my username, as it should, so the impersonate is doing something at least.

    Why is my computer using impersonate as I expect and the server isn't?

    I have tried Kerberos and NTLM on the webservice, but both work on my computer and not on the server.

    The webserver is running Win 2012 R2 with IIS 8.5.

    My local computer is running Win 10 1703 with IIS 10.

    Tuesday, September 5, 2017 11:32 AM

Answers

All replies

  • User475983607 posted

    The following doc explains the issue.

    https://blogs.msdn.microsoft.com/knowledgecast/2007/01/31/the-double-hop-problem/

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, September 5, 2017 1:15 PM
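    A diagnostic for the double-hop situation the linked article describes, added here as an example (not code from the thread or from the article). It assumes .NET Framework 4.5 or later, where WindowsIdentity exposes ImpersonationLevel, and that impersonation is enabled in web.config as in the question; the class and method names are mine.

    ```csharp
    using System;
    using System.Security.Principal;

    // Reports whether the impersonated token on this web server can be forwarded to a
    // second hop (the NAV web service). Impersonation-level tokens carry no network
    // credentials on a remote server, so the next hop sees the call as unauthenticated,
    // which is how the 403 in the question surfaces.
    public static class HopDiagnostics
    {
        public sealed class Report
        {
            public string Name;                      // DOMAIN\user as seen by GetCurrent()
            public string AuthenticationType;        // "NTLM", "Kerberos", "Negotiate", ...
            public TokenImpersonationLevel Level;    // the property the 403 hinges on
            public bool CanForwardCredentials;
            public string Explanation;
        }

        public static Report Inspect(WindowsIdentity identity)
        {
            if (identity == null) throw new ArgumentNullException("identity");
            var report = new Report
            {
                Name = identity.Name,
                AuthenticationType = identity.AuthenticationType,
                Level = identity.ImpersonationLevel
            };
            switch (identity.ImpersonationLevel)
            {
                case TokenImpersonationLevel.Delegation:
                    // Only reached when Kerberos delegation is configured for the web server's account.
                    report.CanForwardCredentials = true;
                    report.Explanation = "Delegation-level token: the server may authenticate to the NAV service as this user.";
                    break;
                case TokenImpersonationLevel.Impersonation:
                    report.CanForwardCredentials = false;
                    report.Explanation = "Impersonation-level token: usable for local resources only; a remote service call is the second hop and will fail.";
                    break;
                default:
                    report.CanForwardCredentials = false;
                    report.Explanation = "Token is " + identity.ImpersonationLevel + ": not an impersonated network logon; check that impersonate=\"true\" and Windows authentication are enabled.";
                    break;
            }
            return report;
        }

        // Call from a page or handler on the misbehaving server; log the result rather than rendering it to clients.
        public static Report InspectCurrent()
        {
            return Inspect(WindowsIdentity.GetCurrent());
        }
    }
    ```

    If the report shows Impersonation level on the server but the call works locally, that is the single-hop versus double-hop distinction from the article; prefer Kerberos constrained delegation to a specific service SPN over unconstrained "trusted for delegation" when enabling the second hop.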
  • User-1721726308 posted

    OK, I read about this.

    The article you link to explains: "The reason the whole thing worked when I was testing it was because in my case only a single hop was involved because my web server and user agent were on the same machine.", which is why it was working on my machine.

    Thanks for the information. That means I have to use a specific user to connect to the webservice and change the webservice accordingly. Right now it logs who is accessing the service etc, but this doesn't work when using the same user for everything.

    Or alternatively set up the web server in question as trusted for delegation, which should allow this to work.

    Tuesday, September 5, 2017 3:43 PM
  • User1404573039 posted

    Hi Limbobski,

    Did your scenario meet the scenario which is described in the link from mgebhard? If it did, I think you are right and you may need to use a specific user to connect to the web service resource.

    If you have any issue about this, please feel free to keep following. If not, I would suggest you mark the helpful reply as answer to close this thread.

    Best Regards,

    Tony

    Thursday, September 7, 2017 5:36 AM
  • User-1721726308 posted

    Yes, I've marked it as the answer. I was confused that it worked on my computer and not on a server, but that document explains that you don't get the extra hop when using a local webserver.

    Thursday, September 7, 2017 7:50 AM