Solved

Is it possible to authenticate to a web service that is on the same network using Windows credentials provided by Active Directory?

Posted on 2014-10-30
Last Modified: 2014-10-31
I currently have a situation where I am trying to authenticate to a web service using the currently logged in Windows user credentials. On the server side (which I also have control over), the web service is being authenticated with Active Directory. I want the web service authentication to be done "organically". Both the client and the web service will be within the same network but will NOT be using the same machine.

Everything works fine if I set the credentials directly as follows:
 
            var credentials = new NetworkCredential("<username>", "<password>");
            var handler = new HttpClientHandler { Credentials = credentials };
            var client = new HttpClient(handler);
            string request = "<request string>";
            var obj = new { request = request };
            byte[] data;

            using (client)
            {
                client.BaseAddress = new Uri("<url>");
                var response = client.PostAsJsonAsync("<suburl>", obj).Result;
                data = response.Content.ReadAsByteArrayAsync().Result;
            }


However, if I try and use the DefaultNetworkCredentials as follows, I get a "401 - Unauthorized" from the server:
 
            var credentials = CredentialCache.DefaultNetworkCredentials;
            var handler = new HttpClientHandler { Credentials = credentials };
            var client = new HttpClient(handler);
            string request = "<request string>";
            var obj = new { request = request };
            byte[] data;

            using (client)
            {
                client.BaseAddress = new Uri("<url>");
                var response = client.PostAsJsonAsync("<suburl>", obj).Result;
                data = response.Content.ReadAsByteArrayAsync().Result;
            }


I am fairly certain I have everything set correctly on the server side to authenticate this way (i.e. disable anonymous, enable Windows Authentication, use the [Authorize] decoration on the web service method, etc.). I think the correct server setup is evidenced by the fact that I can authenticate correctly when hard coding the credentials.

I have seen elsewhere that this may be impossible for security reasons.  I am not so sure that is true.

Any suggestions?
Question by:JonTEC
5 Comments
 

Author Comment

by:JonTEC
ID: 40415646
I have searched Experts Exchange and others for solutions but have not found a working scenario.

The project is written in ASP.Net C# (which is probably obvious). The main goal is inter-departmental communications to share information via a web service to any department within the network without requiring an additional login.  

All users (and rights) on that network are managed by Active Directory. We don't want individual credentials stored anywhere outside of Active Directory because they do change frequently and we don't want the additional security risk.

We are moving toward a "single sign on" scenario.

Is there any other information I can provide that may help?

Expert Comment

by:Aaron Tomosky
ID: 40416451
I believe you have to use "passthrough authentication". This passes through the user credentials to the service instead of running as the app pool.
http://www.helpmasterpro.com/helpfile/Active%20Directory/HTML%20Files/Windows%20authenticated%20logon%20for%20Microsoft%20IIS%207.htm
 

Author Comment

by:JonTEC
ID: 40416495
Thank you Aaron! I reviewed the link you provided and double checked the "passthrough authentication" settings. It appears I have things set up correctly already. Could there be something else missing? Server side or code side?

Accepted Solution

by:Aaron Tomosky (earned 500 total points)
ID: 40416518
For help with the code, you need to be added to the C# topic, I can't really help with that.

Here is an old article but it has some examples using ADObject oUser = new ADUser();
I don't know if that is currently the right way to do things or not.
http://www.c-sharpcorner.com/uploadfile/kevinrou/integrating-ldap-active-directory-into-your-net-web-portal-C-Sharp-or-VB-Net/
 

Author Closing Comment

by:JonTEC
ID: 40416544
Thanks Aaron!  I will open this question up in the C# and programming topic.
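
A diagnostic for the 401 described in the question, as an added example that is not part of the original thread: it logs which Windows account the calling code actually runs as (inside IIS that is the application pool identity unless the request is impersonated, the distinction raised in the first expert comment) and, on a 401, which authentication schemes the server offered. `BaseUrl`, `SubUrl`, the request body and the class and method names are placeholders assumed here.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;

static class IntegratedAuthCheck
{
    // Constructed placeholders standing in for the question's "<url>" and "<suburl>".
    const string BaseUrl = "http://service.example.internal/";
    const string SubUrl = "api/request";

    static async Task<byte[]> PostWithCurrentIdentityAsync()
    {
        // The account that "default credentials" resolve to (Windows only).
        // If this prints an app pool or service account, that account, not the
        // interactive user, is what the web service is asked to authorize.
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        // Send the current security context's credentials; nothing is stored in code.
        var handler = new HttpClientHandler { UseDefaultCredentials = true };
        using (var client = new HttpClient(handler) { BaseAddress = new Uri(BaseUrl) })
        {
            var body = new StringContent("{\"request\":\"<request string>\"}",
                                         Encoding.UTF8, "application/json");
            var response = await client.PostAsync(SubUrl, body);

            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // Integrated Windows authentication needs Negotiate or NTLM in
                // this list; if neither appears, the server did not offer it.
                var schemes = response.Headers.WwwAuthenticate.Select(h => h.Scheme);
                Console.WriteLine("401, server offered: " + string.Join(", ", schemes));
                return null;
            }

            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsByteArrayAsync();
        }
    }

    static void Main()
    {
        var data = PostWithCurrentIdentityAsync().GetAwaiter().GetResult();
        Console.WriteLine(data == null ? "not authenticated" : data.Length + " bytes received");
    }
}
```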