ASP.NET Windows Authentication Impersonation connecting to webservice

    Question

  • Hi

    I have a Dynamics NAV Webservice that I use in my intranet solution (web solution). I want to access this webservice as the logged-on-user.

    The website is using Windows authentication and when I enable impersonate it works fine on my computer both on IIS and IIS Express. I access the webservice as the logged on user (and not as the Application Pool Identity). Perfect!

    System.Security.Principal.WindowsIdentity.GetCurrent().Name shows my username as it should. If I change impersonate to false, the WindowsIdentity changes to the application pool. As I expect.

    Then I publish this site to another server on the same domain and the same setup gives me the error: "The remote server returned an error: (403) Forbidden." when connecting to the web service. So it seems this server is not passing on my credentials to the webservice for some reason. System.Security.Principal.WindowsIdentity.GetCurrent().Name still shows my username, as it should, so the impersonate is doing something at least.

    Why is my computer using impersonate as I expect and the server isn't?

    I have tried Kerberos and NTLM on the webservice, but both work on my computer and not on the server.

    The webserver is running Win 2012 R2 with IIS 8.5

    My local computer is running Win 10 1703 with IIS 10

    Tuesday, September 5, 2017 9:36 AM

Answers

  • Hi Limberg,

    >> Then I publish this site to another server on the same domain and the same setup gives me the error

    Did you only publish the site to another server, which means the site and the service are on different servers? Is “GetCurrent().Name” called in the site or in the webservice to return the username?

    I found you have posted your issue in "ASP.NET Windows Authentication Impersonation connecting to webservice". Did the suggestion from mgebhard clear your issue?

    Best Regards,

    Edward



    Wednesday, September 6, 2017 2:22 AM
    Moderator

All replies

  • This is an asp.net question

    please post this question in the asp.net forum

    the https://forums.asp.net

    friendly regards

    Laurens

    Tuesday, September 5, 2017 11:11 AM
  • A 401 would be rejecting the credentials on the logon. The 403 means 'forbidden', which means that a resource is being denied access based on credentials presented.

    The ApplicationHost.config file, which has settings that control IIS access, could be the culprit, and IIS itself may not be configured correctly for resource access.

    https://technet.microsoft.com/en-us/library/cc754617(v=ws.10).aspx

    Actually, you should post to the below forum.

    https://forums.iis.net/

    Tuesday, September 5, 2017 9:16 PM
  • Yes, this solved my problem with the understanding of the error:

    https://forums.asp.net/t/2128107.aspx

    I was confused that it worked on my computer and not on a server, but that document explains that you don't get the extra hop when using a local webserver. So it's the double hop authentication problem.


    Thursday, September 7, 2017 9:24 AM
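
A diagnostic for the situation in this thread, where `WindowsIdentity.GetCurrent().Name` shows the right user but the call to the remote web service is refused. This is an added example, not code from any poster; `DoubleHopCheck`, `Inspect` and `Describe` are hypothetical names, and the sample values in `Main` are constructed. It reports the impersonation level of the current token, which separates a token that is only valid on the web server from one that can be delegated across the second hop.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic, not from the thread. DoubleHopCheck and its members are hypothetical names.
public static class DoubleHopCheck
{
    // Call from code that runs under <identity impersonate="true" />,
    // immediately before the outbound web service call.
    public static string Inspect()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return Describe(id.Name, id.AuthenticationType, id.ImpersonationLevel);
        }
    }

    // Pure function so the cases can be exercised without IIS.
    public static string Describe(string name, string authType, TokenImpersonationLevel level)
    {
        string verdict;
        switch (level)
        {
            case TokenImpersonationLevel.Delegation:
                verdict = "token is delegable: it can authenticate as this user to a remote server";
                break;
            case TokenImpersonationLevel.Impersonation:
                verdict = "token is valid on this machine only: it cannot authenticate as this user to a remote server";
                break;
            case TokenImpersonationLevel.None:
                verdict = "not impersonating: outbound calls use the process (application pool) identity";
                break;
            default:
                verdict = "token cannot be used to act as the user (" + level + ")";
                break;
        }
        return string.Format("{0} via {1}, level {2}: {3}", name, authType, level, verdict);
    }

    public static void Main()
    {
        // Constructed sample values, not output captured from the poster's servers.
        Console.WriteLine(Describe(@"CONTOSO\user", "NTLM", TokenImpersonationLevel.Impersonation));
        Console.WriteLine(Describe(@"CONTOSO\user", "Kerberos", TokenImpersonationLevel.Delegation));
        Console.WriteLine(Inspect()); // a console process holds a primary token, so the level is None
    }
}
```

Logging the result of `Inspect()` on both the development machine and the published server shows whether the server ever receives a delegable token for the browsing user.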