Facing some issues with windows authentication in Web-API Rest

  • Question

  • User741428353 posted

    I have to implement the Web API REST service with Windows authentication enabled. How can I implement this so that I can track the Primary and Windows identities of the user? When Windows mode is enabled, I am not able to track the primary user's identity, and it also seems the published service works only when Anonymous authentication is enabled.

    Is OAuth the only solution to this issue?

    Tuesday, July 5, 2016 11:54 AM

Answers

  • User753101303 posted

    And which information are you trying to get from this? Never tried, but I would say that ServiceSecurityContext is for WCF and not for Web API. Assuming it is working, at best it would return, AFAIK, the same name?

    So IMO check first if you get the basic information you need. If it is OK, just stick with what is exposed by the ApiController. If you need some additional information, post about your exact need.

    Edit: if you want, you could perhaps try to create a quick WCF service and see if ServiceSecurityContext is then non-null. It would confirm this is for WCF rather than for Web API.

    Edit2: found https://sankarsan.wordpress.com/2010/07/25/identity-securitycallcontext-in-wcf/ which seems to confirm this is for WCF. It seems that with WCF you could know, at least in some cases, the Windows Identity even if the service is accessed with another identity (keep in mind it was not HTTP only), but I doubt it makes sense for a web API.

    Double check what you need.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, July 7, 2016 2:51 PM
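
The answer above points to the identity the ApiController already exposes. As an added example (not code from the thread), here is a diagnostic action that reports what Web API sees for the caller next to the WCF context and the process account. `WhoAmIController` is a hypothetical name, and the code assumes ASP.NET Web API 2 hosted in IIS with a reference to System.ServiceModel.

```csharp
// Added example, not code from the thread. Assumes ASP.NET Web API 2 in IIS and a
// project reference to System.ServiceModel (needed only for the WCF comparison).
using System.Security.Principal;
using System.ServiceModel;
using System.Web.Http;

// Hypothetical controller name; with the default "api/{controller}/{id}" route
// it answers GET api/WhoAmI.
public class WhoAmIController : ApiController
{
    // Deliberately no [Authorize]: an unauthenticated call gets a 200 with
    // IsAuthenticated = false instead of a bare 401, which separates
    // "IIS never authenticated the request" from "the user was rejected".
    [HttpGet]
    public IHttpActionResult Get()
    {
        IIdentity caller = User != null ? User.Identity : null;
        bool authenticated = caller != null && caller.IsAuthenticated;

        return Json(new
        {
            IsAuthenticated = authenticated,
            // Typically "Negotiate" or "NTLM" when IIS Windows authentication
            // handled the request; empty when the call came in anonymously.
            AuthenticationType = caller != null ? caller.AuthenticationType : null,
            Name = caller != null ? caller.Name : null,
            IsWindowsIdentity = caller is WindowsIdentity,
            // WCF's context object: expected to be null inside Web API, which is
            // why ServiceSecurityContext.Current.WindowsIdentity yields nothing here.
            WcfContextIsNull = ServiceSecurityContext.Current == null,
            // Account the worker process (or impersonated thread) runs as: the app
            // pool identity unless impersonation is on, not the caller. It is only
            // disclosed to callers who authenticated.
            ProcessIdentity = authenticated ? WindowsIdentity.GetCurrent().Name : null
        });
    }
}
```

Remove the action once troubleshooting is done, since it reports account names to whoever can reach it.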

All replies

  • User753101303 posted

    Hi,

    Not sure I get what you call the "primary" user identity and how it differs from the "Windows Identity". Do you mean that User.Identity.Name doesn't return the expected user name? What does it return instead? Have you tried to return the AuthenticationType to see what it is?

    When something doesn't work, try to tell what happens as directly as possible, to leave less room for interpretation on both your side and our side. It should make it easier to understand what happens on your side and then what could cause the particular situation you see.

    Ah, or are you trying to get the "Windows identity" of external users coming to your own site? (which will never work).

    Tuesday, July 5, 2016 11:34 PM
  • User36583972 posted

    Hi Anjeleena,

    From your description, I found you want to track the Primary and Windows Identities of the user. The following tutorials may give you a clear idea.

    Windows Authentication in Asp.Net Web Application:

    http://geekswithblogs.net/manjunath.k/archive/2014/09/23/windows-authentication-in-asp.net-web-application.aspx

    Replacing forms authentication with WIF’s session authentication module (SAM) to enable claims aware identity:

    https://brockallen.com/2013/01/26/replacing-forms-authentication-with-wifs-session-authentication-module-sam-to-enable-claims-aware-identity/

    Best Regards,

    Yohann Lu

    Wednesday, July 6, 2016 2:34 AM
  • User741428353 posted

    Sorry for the inconvenience caused.

    I have configured the application with Windows authentication enabled, and I am getting ServiceSecurityContext.Current.WindowsIdentity, User.Identity.Name, all these properties as null.

    So every time I call these services from the client application, I am getting an unauthorized request error.

    Tried both the below methods.

    [HttpGet]
    public string WindowsIdentity()
    {
        string strUserName = string.Empty;
        try
        {
            if (strUserName == String.Empty)
            {
                if (ServiceSecurityContext.Current != null)
                {
                    if (ServiceSecurityContext.Current.WindowsIdentity != null)
                    {
                        if (!String.IsNullOrEmpty(ServiceSecurityContext.Current.WindowsIdentity.Name))
                            strUserName = ServiceSecurityContext.Current.WindowsIdentity.Name;
                    }
                }
            }
        }
        catch (Exception ex)
        {
        }

        return strUserName;
    }

    [Authorize]
    [HttpGet]
    public string PrimaryIdentityUser()
    {
        string strUserName = String.Empty;

        try
        {
            strUserName = User.Identity.Name;
        }
        catch (Exception ex)
        {
        }

        return strUserName;
    }

    The client side is like

    using (var client = new HttpClient())
    {
        // TODO - Send HTTP requests
        client.BaseAddress = new Uri("http://BasicUrl/");
        client.DefaultRequestHeaders.Accept.Clear();
        client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        // HTTP GET method
        HttpResponseMessage response = await client.GetAsync("api/Controller/Method");
        if (response.IsSuccessStatusCode)
        {
            string result = await response.Content.ReadAsAsync<string>();
            Console.WriteLine(result);
            Console.ReadKey();
        }
        else
        {
            Console.WriteLine("Sorry! Method got an exception. " + response.ReasonPhrase);
            Console.ReadKey();
        }
    }

    Thursday, July 7, 2016 11:03 AM
  • User753101303 posted

    For Windows authentication, on the client side try:

    HttpClientHandler handler = new HttpClientHandler()
    {
        UseDefaultCredentials = true
    };
    
    HttpClient client = new HttpClient(handler);

    (taken from https://www.asp.net/web-api/overview/security/integrated-windows-authentication)

    If the catch blocks are really empty, I would get rid of them (they do nothing other than hide exceptions, which is the last thing you want).

    Make sure that having a console app calling your service, both being in the same domain, is a good match for your final setup (for example, a beginner could think it will work even if the console app runs in some other foreign domain and calls its API over the internet).

    Thursday, July 7, 2016 11:24 AM
  • User741428353 posted

    Thanks for your reply.

    But I had tried this also; still it was not returning the Identity.

    using (var client = new HttpClient(new HttpClientHandler()
    {
        UseDefaultCredentials = true,
        PreAuthenticate = true,
        Credentials = CredentialCache.DefaultCredentials
    }))

    The catch blocks are not really empty; for now I haven't added the code here.

    Thursday, July 7, 2016 11:56 AM
  • User753101303 posted

    And so, to start on the right track, what happens? For now it seems you are telling both that:

    - I'm getting unauthorized request error
    - all these properties as null (how do you know if your code can't run? Ah, or could it be that you return an unauthorized status yourself if an exception happens?)

    If it never worked, what if you try first on localhost, just pointing your browser to your "PrimaryIdentityUser" API? Does it work? If yes, proceed further (for example with your console app on your own machine, until it fails again). If not, what if you return User.Identity.IsAuthenticated instead?

    Not sure, but maybe before that I would check if the server is in the "intranet zone", in case it could be this kind of issue.

    For now it is still a bit unclear if you can't reach your API at all or what...

    Edit:

    "it was not returning the Identity"

    Instead, always tell what happens. It will be easier to guide you. So first, do you even reach your PrimaryIdentityUser API method?

    Thursday, July 7, 2016 12:19 PM
  • User741428353 posted

    The priority issue is with the WindowsIdentity() function. Both from local and from the published link, ServiceSecurityContext.Current is coming back as null. So ServiceSecurityContext.Current.WindowsIdentity.Name returns null as the identity. It seems that was the real issue behind the scenes.

    Thursday, July 7, 2016 2:28 PM
  • User741428353 posted

    Thanks PatriceSc.

    But the issue I am facing is not resolved yet. The 'PrimaryIdentityUser' method is returning domain\userName when trying from the local machine, but from the published service it is returning an exception with Unauthorized. I am unable to get the user's identity in Windows authentication mode. Is there anything wrong in my code, or do I need any extra IIS settings other than Windows authentication enabled?

    Please help me on this

    Friday, July 8, 2016 5:47 AM
  • User753101303 posted

    And will you really use a console app? To start, what if you try with a console app against localhost first? Does it work?

    For the remote machine, is it in the same domain, in the intranet zone, and is the user account itself authorized? I would first point a browser to this location. You could also try to create a web page or check the IIS log. For now I'm trying to make 100% sure whether the issue is that credentials are correctly passed but the domain user you are using is not authorized for some reason...

    (BTW it might be better to close this thread and open a new one).

    Friday, July 8, 2016 8:53 AM
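
The last reply asks whether the server is rejecting credentials that were passed or never asked for them. As an added example (not code from the thread), this console probe sends the current Windows credentials and, on a 401, reads the `WWW-Authenticate` challenge to tell the two cases apart. `WindowsAuthProbe` is a hypothetical name and the default URL is the thread's own placeholder.

```csharp
// Added example, not code from the thread. The default URL reuses the post's
// placeholders; pass the real endpoint as the first argument.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

static class WindowsAuthProbe
{
    static void Main(string[] args)
    {
        string url = args.Length > 0 ? args[0] : "http://BasicUrl/api/Controller/Method";
        Console.WriteLine(ProbeAsync(url).GetAwaiter().GetResult());
    }

    // Sends the current Windows credentials and interprets a 401 from the
    // WWW-Authenticate schemes on the final response.
    static async Task<string> ProbeAsync(string url)
    {
        using (var handler = new HttpClientHandler { UseDefaultCredentials = true })
        using (var client = new HttpClient(handler))
        using (HttpResponseMessage response = await client.GetAsync(url))
        {
            if (response.StatusCode != HttpStatusCode.Unauthorized)
                return string.Format("{0} {1}", (int)response.StatusCode, response.ReasonPhrase);

            var schemes = response.Headers.WwwAuthenticate.Select(h => h.Scheme).ToList();
            bool offersWindowsAuth = schemes.Any(s =>
                s.Equals("Negotiate", StringComparison.OrdinalIgnoreCase) ||
                s.Equals("NTLM", StringComparison.OrdinalIgnoreCase));

            if (!offersWindowsAuth)
                return "401 with no Negotiate/NTLM challenge (offered: "
                    + (schemes.Count > 0 ? string.Join(", ", schemes) : "none")
                    + "). The server is not offering Windows authentication for this URL; "
                    + "check the authentication settings of the published site in IIS.";

            return "401 after a " + string.Join("/", schemes) + " challenge. The server offers "
                + "Windows authentication but did not accept this process's credentials; "
                + "check which account the client runs as, whether it is authorized, and the IIS log.";
        }
    }
}
```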