Solved

Is it possible to authenticate to a web service that is on the same network using Windows credentials provided by Active Directory

Posted on 2014-10-30
250 Views
Last Modified: 2014-10-31
I currently have a situation where I am trying to authenticate to a web service using the currently logged in Windows user credentials. On the server side (which I also have control over), the web service is being authenticated with Active Directories. I want the web service authentication to be done "organically".  Both the client and the web service will be within the same network but will NOT be using the same machine.

Everything works fine if I set the credentials directly as follows:
    using System;
    using System.Net;        // NetworkCredential, CredentialCache
    using System.Net.Http;   // HttpClient, HttpClientHandler
    // PostAsJsonAsync comes from System.Net.Http.Formatting (Microsoft.AspNet.WebApi.Client package)

    // Works: explicit username/password handed to the handler
    var credentials = new NetworkCredential("<username>", "<password>");
    var handler = new HttpClientHandler { Credentials = credentials };
    var client = new HttpClient(handler);
    string request = "<request string>";
    var obj = new { request = request };
    byte[] data;

    using (client)
    {
        client.BaseAddress = new Uri("<url>");
        var response = client.PostAsJsonAsync("<suburl>", obj).Result;
        data = response.Content.ReadAsByteArrayAsync().Result;
    }


However, if I try and use the DefaultNetworkCredentials as follows, I get a "401 - Unauthorized" from the server:
    using System;
    using System.Net;        // CredentialCache
    using System.Net.Http;   // HttpClient, HttpClientHandler
    // PostAsJsonAsync comes from System.Net.Http.Formatting (Microsoft.AspNet.WebApi.Client package)

    // Fails with 401: same request, but using the logged-on Windows account
    var credentials = CredentialCache.DefaultNetworkCredentials;
    var handler = new HttpClientHandler { Credentials = credentials };
    var client = new HttpClient(handler);
    string request = "<request string>";
    var obj = new { request = request };
    byte[] data;

    using (client)
    {
        client.BaseAddress = new Uri("<url>");
        var response = client.PostAsJsonAsync("<suburl>", obj).Result;
        data = response.Content.ReadAsByteArrayAsync().Result;
    }


I am fairly certain I have everything set correctly on the server side to authenticate this way (i.e. disable anonymous, enable Windows Authentication, use the [Authorize] decoration on the web service method, etc.). I think the correct server setup is evidenced by the fact that I can authenticate correctly when hard-coding the credentials.

I have seen elsewhere that this may be impossible for security reasons.  I am not so sure that is true.

Any suggestions?
Question by:JonTEC
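Added example, not code from the question or its answers: a probe that sends the same POST with the logged-on Windows identity and, on a 401, reports which account was presented and which authentication schemes the server offered, so the failure can be narrowed down to the client account or the server configuration. The base address, sub-URL and the Microsoft.AspNet.WebApi.Client dependency (for PostAsJsonAsync) are assumed, as in the question's own snippets.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading.Tasks;

static class WindowsAuthProbe
{
    // Posts 'request' to baseAddress + subUrl using the caller's Windows logon
    // (Negotiate/NTLM) and explains a 401 instead of just failing with one.
    public static async Task<HttpStatusCode> PostWithWindowsAuthAsync(
        Uri baseAddress, string subUrl, string request)
    {
        // This is the identity the handler will present. If this code runs inside
        // an ASP.NET app it is the app pool account, not the browser user, unless
        // impersonation is enabled; the service then sees the server's own account.
        Console.WriteLine("Sending as: " + WindowsIdentity.GetCurrent().Name);

        var handler = new HttpClientHandler
        {
            // Same effect as Credentials = CredentialCache.DefaultNetworkCredentials.
            UseDefaultCredentials = true
        };

        using (var client = new HttpClient(handler) { BaseAddress = baseAddress })
        {
            // PostAsJsonAsync: System.Net.Http.Formatting, as in the original snippets.
            var response = await client.PostAsJsonAsync(subUrl, new { request });

            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // The final 401 challenge lists the schemes the endpoint accepts; no
                // Negotiate/NTLM here means IIS is not offering Windows auth on this URL.
                var schemes = response.Headers.WwwAuthenticate
                                      .Select(h => h.Scheme).ToArray();
                Console.WriteLine("401; server offers: " + string.Join(", ", schemes));
                if (!schemes.Contains("Negotiate") && !schemes.Contains("NTLM"))
                    Console.WriteLine("Windows Authentication is not enabled for this endpoint.");
                else
                    Console.WriteLine("Windows auth offered but the presented account was rejected; "
                                    + "check which account this process runs as and that it has access.");
            }
            return response.StatusCode;
        }
    }
}
```

Run it once from a console app as the interactive user and once from the web application itself; if only the second fails, the account being sent is the app pool identity rather than the user's.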
5 Comments
 

Author Comment

by:JonTEC
ID: 40415646
I have searched Experts Exchange and others for solutions but have not found a working scenario.

The project is written in ASP.Net C# (which is probably obvious). The main goal is inter-departmental communications to share information via a web service to any department within the network without requiring an additional login.  

All users (and rights) on that network are managed by Active Directories.  We don't want individual credentials stored anywhere outside of Active Directories because they do change frequently and we don't want the additional security risk.

We are moving toward a "single sign on" scenario.

Is there any other information I can provide that may help?
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40416451
I believe you have to use "passthrough authentication". This passes through the user credentials to the service instead of running as the app pool.
http://www.helpmasterpro.com/helpfile/Active%20Directory/HTML%20Files/Windows%20authenticated%20logon%20for%20Microsoft%20IIS%207.htm
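Added example (not from the thread or the linked article) of the server side of the pass-through check Aaron describes: a Web API endpoint behind [Authorize] that reports which Windows identity actually arrived and which account the worker process is running under, so the two can be compared. The controller name is hypothetical.

```csharp
using System.Security.Principal;
using System.Web.Http;

// Hypothetical diagnostic controller for a Windows-authenticated Web API.
[Authorize]
public class WhoAmIController : ApiController
{
    [HttpGet]
    public IHttpActionResult Get()
    {
        var caller = User.Identity as WindowsIdentity;   // set by IIS Windows Authentication
        return Ok(new
        {
            // Account that authenticated to this request, e.g. DOMAIN\jdoe.
            // If this shows the calling server's machine or app pool account,
            // the client sent its own process identity rather than the user's.
            Caller = User.Identity.Name,
            // "Negotiate", "NTLM" or "Kerberos"; "Basic" would mean Windows auth was not used.
            Scheme = User.Identity.AuthenticationType,
            // Impersonation lets this server act as the caller locally; only
            // Delegation lets it forward the caller's identity to a further hop.
            Level = caller != null ? caller.ImpersonationLevel.ToString() : "n/a",
            // Account the request is actually executing as: the app pool identity,
            // or the caller when <identity impersonate="true"/> is configured.
            RunningAs = WindowsIdentity.GetCurrent().Name
        });
    }
}
```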
 

Author Comment

by:JonTEC
ID: 40416495
Thank you Aaron!  I reviewed the link you provided and double-checked the "passthrough authentication" settings.  It appears I have things set up correctly already. Could there be something else missing? Server side or code side?
 
LVL 39

Accepted Solution

by: Aaron Tomosky (earned 500 total points)
ID: 40416518
For help with the code, you need to be added to the C# topic; I can't really help with that.

Here is an old article but it has some examples using ADObject oUser = new ADUser();
I don't know if that is currently the right way to do things or not.
http://www.c-sharpcorner.com/uploadfile/kevinrou/integrating-ldap-active-directory-into-your-net-web-portal-C-Sharp-or-VB-Net/
 

Author Closing Comment

by:JonTEC
ID: 40416544
Thanks Aaron!  I will open this question up in the C# and programming topic.
