Using Impersonation for HttpWebRequest

  • Question

  • I'm trying to call a web service using Impersonation. When I do the request with ImpersonationLevel set, I get a 401 Unauthorized exception thrown at GetResponse. When I do it without impersonation (thereby making the request using the server service account), I do get a response and no exceptions thrown.

    My goal is to use Impersonation so that I can make the web service call using the client's credentials via Kerberos. The web service does authenticate the client when they make direct connections (to the service URI). But why is this 401 being thrown? Perhaps something is missing in the AD setup?

    // Disposing the context reverts the thread to the service account,
    // so later work on this thread does not keep running as the client.
    using (WindowsImpersonationContext context = identity.Impersonate())
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.ImpersonationLevel = TokenImpersonationLevel.Delegation;
        req.UseDefaultCredentials = true;
        req.AllowAutoRedirect = false;
        req.Timeout = 30000;
        HttpWebResponse response = (HttpWebResponse) req.GetResponse();
    }


    Software Engineer

    Friday, June 26, 2015 3:22 AM

All replies

  • Hello SolidFish,

    >>But why this 401 is being thrown? Perhaps something is missing in the AD setup?

    You could try a non-AD account to check if you could still get the 401 exception. If not, then please check this thread: asp.net WindowsImpersonationContext function. For AD accounts, please try to ensure the appPool account has been set in AD as allowed to delegate on behalf of users.

    If the above opinions do not help, please share some more code with us so that we can make a test with it.

    Regards.



    Monday, June 29, 2015 2:01 AM
    Moderator
  • Thank you for the response. That posting does seem relevant to my problem but I'm not sure where we might have missed a step. I don't have access to the web server, nor the server I'm trying to hop to, but is there a way I could put some tracing on my application end to see what is going on?

    Here is the exact code I'm running. It's a plain MVC project:

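    // Requires: using System.Net; using System.Security.Principal;
    public ActionResult Impersonate()
    {
        ViewBag.Message = "Impersonating";

        try
        {
            WindowsIdentity identity = HttpContext.User.Identity as WindowsIdentity;
            if (identity == null)
            {
                // The "as" cast yields null when the request did not use Windows authentication.
                throw new Exception("Request has no Windows identity");
            }

            // Identity before impersonation (the app pool account).
            ViewBag.ID1 = WindowsIdentity.GetCurrent().Name;

            // Disposing the context reverts the thread to the app pool identity,
            // even if the request below throws.
            using (WindowsImpersonationContext context = identity.Impersonate())
            {
                // Identity after impersonation (the calling user).
                ViewBag.ID2 = WindowsIdentity.GetCurrent().Name;
                HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
                req.ImpersonationLevel = TokenImpersonationLevel.Delegation;
                req.UseDefaultCredentials = true;
                req.AllowAutoRedirect = false;
                req.Timeout = 30000;
                HttpWebResponse response = (HttpWebResponse) req.GetResponse();

                if (response == null)
                {
                    throw new Exception("No HTTP Response");
                }

                ViewBag.HttpResponse = response;
            }
        }
        catch (Exception ex)
        {
            ViewBag.ErrorMessage = ex.Message;
            ViewBag.StackTrace = ex.StackTrace;
        }

        return View();
    }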

    On the view, I just print out everything I can from the HttpWebResponse:

        <p><strong>URI:</strong> @response.ResponseUri.AbsoluteUri</p>
        <p><strong>Server:</strong> @response.Server</p>
        <p><strong>Content Length:</strong> @response.ContentLength</p>
        <p><strong>Content Type:</strong> @response.ContentType</p>
        <p><strong>Status Code:</strong> @response.StatusCode.ToString()</p>
        <p><strong>Status Description:</strong> @response.StatusDescription</p>
        <p><strong>Method:</strong> @response.Method</p>
        <p><strong>Cookies:</strong> @response.Cookies.Count</p>
        <div style="margin-left:10px;">
            @{
                foreach (System.Net.Cookie c in response.Cookies)
                {
                    <p><strong>@c.Name</strong> @c.Value</p>
                }
            }
        </div>
        <p><strong>Headers:</strong> @response.Headers.Count</p>
        <div style="margin-left:10px;">
            @{
                foreach (string key in response.Headers.AllKeys)
                {
                    <p><strong>@key</strong> @response.Headers[key]</p>
                }
            }
        </div>

    When I run this, it gets caught in the exception handler and prints the following:

    ERROR: The remote server returned an error: (401) Unauthorized.

    STACKTRACE: at System.Net.HttpWebRequest.GetResponse() at TestSapSso.Controllers.HomeController.Impersonate()

    Does this mean my account (that is being impersonated) is unauthorized? I'm certain it is not because I can connect to the server I'm hopping to directly without a problem. 


    Software Engineer

    Monday, June 29, 2015 9:42 PM
  • Hello SolidFish,

    >>but is there a way I could put some tracing on my application end to see what is going on?

    If you mean you want to see what happens in the WindowsIdentity class, check this blog:

    http://blogs.msdn.com/b/dotnet/archive/2014/02/24/a-new-look-for-net-reference-source.aspx which provides a chance to see how the source code is running.

    >>Here is the exact code I'm running. It's a plain MVC project:

    Considering you are working with an MVC project, I also suggest you ask it on the MVC forum, where MVC experts may give you professional support about the MVC pattern.

    >>Does this mean my account (that is being impersonated) is unauthorized?

    From the exception, it should be, while you said it is not, so check the source code when debugging it to see what the root cause is.

    Regards.




    Tuesday, June 30, 2015 5:57 AM
    Moderator
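
One way to get the application-side tracing asked about in this thread, as an added example that is not code from either poster. The `DelegationDiagnostics` class and its method names are hypothetical, and it assumes .NET Framework with Windows authentication, as in the posted controller. It records the identity the thread runs as, the token's authentication type and impersonation level, and the schemes the remote server offers in its 401 challenge.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Text;

public static class DelegationDiagnostics // hypothetical helper, not from the thread
{
    // Describes the identity the current thread runs as.
    public static string DescribeCurrentIdentity()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // TokenLevel must be Delegation for the credentials to reach a second server.
            return string.Format("Name={0}; AuthType={1}; TokenLevel={2}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel);
        }
    }

    // Calls url as the given caller and returns a trace of what happened.
    public static string Probe(WindowsIdentity caller, string url)
    {
        var trace = new StringBuilder();
        using (caller.Impersonate()) // reverts to the app pool identity on exit
        {
            trace.AppendLine(DescribeCurrentIdentity());
            var req = (HttpWebRequest)WebRequest.Create(url);
            req.ImpersonationLevel = TokenImpersonationLevel.Delegation;
            req.UseDefaultCredentials = true;
            req.AllowAutoRedirect = false;
            req.Timeout = 30000;
            try
            {
                using (var resp = (HttpWebResponse)req.GetResponse())
                    trace.AppendLine("Status=" + (int)resp.StatusCode);
            }
            catch (WebException ex)
            {
                // A 401 still carries a response; its challenge headers show
                // which schemes (Negotiate, NTLM, ...) the remote server offers.
                using (var resp = ex.Response as HttpWebResponse)
                {
                    if (resp == null) { trace.AppendLine("No HTTP response: " + ex.Status); continue_; }
                }
            }
        }
        return trace.ToString();
    }
}
```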