Solved

Is it possible to authenticate to a web service that is on the same network using Windows credentials provided by Active Directory?

Posted on 2014-10-30
Last Modified: 2014-10-31
I currently have a situation where I am trying to authenticate to a web service using the currently logged in Windows user credentials. On the server side (which I also have control over), the web service is being authenticated with Active Directories. I want the web service authentication to be done "organically".  Both the client and the web service will be within the same network but will NOT be using the same machine.

Everything works fine if I set the credentials directly as follows:
 
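            // Requires: using System; using System.Net; using System.Net.Http;
            // PostAsJsonAsync is an extension method from the Microsoft.AspNet.WebApi.Client package.

            // Explicit user name and password (placeholders).
            var credentials = new NetworkCredential("<username>", "<password>");
            var handler = new HttpClientHandler { Credentials = credentials };
            var client = new HttpClient(handler);
            string request = "<request string>";
            var obj = new { request = request };
            byte[] data;

            // Disposing the client also disposes the handler.
            using (client)
            {
                client.BaseAddress = new Uri("<url>");
                // Blocks until the POST completes, then reads the body as raw bytes.
                var response = client.PostAsJsonAsync("<suburl>", obj).Result;
                data = response.Content.ReadAsByteArrayAsync().Result;
            }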


However, if I try and use the DefaultNetworkCredentials as follows, I get a "401 - Unauthorized" from the server:
 
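            // Requires: using System; using System.Net; using System.Net.Http;
            // PostAsJsonAsync is an extension method from the Microsoft.AspNet.WebApi.Client package.

            // Credentials of the security context this code is running under.
            var credentials = CredentialCache.DefaultNetworkCredentials;
            var handler = new HttpClientHandler { Credentials = credentials };
            var client = new HttpClient(handler);
            string request = "<request string>";
            var obj = new { request = request };
            byte[] data;

            // Disposing the client also disposes the handler.
            using (client)
            {
                client.BaseAddress = new Uri("<url>");
                // Blocks until the POST completes, then reads the body as raw bytes.
                var response = client.PostAsJsonAsync("<suburl>", obj).Result;
                data = response.Content.ReadAsByteArrayAsync().Result;
            }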


I am fairly certain I have everything set correctly on the server side to authenticate this way (i.e., disable anonymous, enable Windows Authentication, use the [Authorize] decoration on the web service method, etc.). I think the correct server setup is evidenced by the fact that I can authenticate correctly when hard coding the credentials.

I have seen elsewhere that this may be impossible for security reasons.  I am not so sure that is true.

Any suggestions?
Question by:JonTEC
5 Comments
 

Author Comment

by:JonTEC
ID: 40415646
I have searched Experts Exchange and others for solutions but have not found a working scenario.

The project is written in ASP.Net C# (which is probably obvious). The main goal is inter-departmental communications to share information via a web service to any department within the network without requiring an additional login.  

All users (and rights) on that network are managed by Active Directories.  We don't want individual credentials stored anywhere outside of Active Directories because they do change frequently and we don't want the additional security risk.

We are moving toward a "single sign on" scenario.

Is there any other information I can provide that may help?

Expert Comment

by:Aaron Tomosky
ID: 40416451
I believe you have to use "passthrough authentication". This passes through the user credentials to the service instead of running as the app pool.
http://www.helpmasterpro.com/helpfile/Active%20Directory/HTML%20Files/Windows%20authenticated%20logon%20for%20Microsoft%20IIS%207.htm
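A diagnostic sketch for the 401 described in the question, added here as an example and not part of the original thread: it logs which Windows identity the calling code actually runs as (the application pool account versus the passed-through user) and, on a 401, which authentication schemes the server offered. The class name `IntegratedAuthProbe`, the method name and its parameters are hypothetical; the thread's `<url>` and `<suburl>` placeholders are passed in by the caller.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;

static class IntegratedAuthProbe   // hypothetical helper, not from the thread
{
    // baseUrl, path and json come from the caller; nothing here fills in the
    // thread's "<url>", "<suburl>" or request-body placeholders.
    public static async Task<byte[]> PostAsCurrentUserAsync(string baseUrl, string path, string json)
    {
        // The identity Windows will offer to the server. In an ASP.NET app this is
        // the application pool account unless the request is being impersonated.
        using (WindowsIdentity caller = WindowsIdentity.GetCurrent())
        {
            Trace.TraceInformation("Calling as {0} (impersonation level: {1})",
                caller.Name, caller.ImpersonationLevel);
        }

        // UseDefaultCredentials sends the current security context, so no user
        // name or password is kept in code or configuration.
        using (var handler = new HttpClientHandler { UseDefaultCredentials = true })
        using (var client = new HttpClient(handler) { BaseAddress = new Uri(baseUrl) })
        using (var body = new StringContent(json, Encoding.UTF8, "application/json"))
        using (HttpResponseMessage response = await client.PostAsync(path, body))
        {
            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // Integrated authentication needs Negotiate or NTLM in this list.
                string offered = string.Join(", ",
                    response.Headers.WwwAuthenticate.Select(h => h.Scheme));
                throw new InvalidOperationException(
                    "401 from server; schemes offered: " +
                    (offered.Length == 0 ? "(none)" : offered));
            }

            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsByteArrayAsync();
        }
    }
}
```

If the logged name is the application pool account rather than the signed-in user, the request is not being passed through, which is the distinction the comment above draws.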

Author Comment

by:JonTEC
ID: 40416495
Thank you Aaron! I reviewed the link you provided and double-checked the "passthrough authentication" settings. It appears I have things set up correctly already. Could there be something else missing? Server side or code side?

Accepted Solution

by:Aaron Tomosky
ID: 40416518
For help with the code, you need to be added to the C# topic; I can't really help with that.

Here is an old article but it has some examples using ADObject oUser = new ADUser();
I don't know if that is currently the right way to do things or not.
http://www.c-sharpcorner.com/uploadfile/kevinrou/integrating-ldap-active-directory-into-your-net-web-portal-C-Sharp-or-VB-Net/

Author Closing Comment

by:JonTEC
ID: 40416544
Thanks Aaron!  I will open this question up in the C# and programming topic.

Question has a verified solution.