Is it possible to authenticate to a web service that is on the same network using Windows credentials provided by Active Directory

I currently have a situation where I am trying to authenticate to a web service using the currently logged in Windows user credentials. On the server side (which I also have control over), the web service is being authenticated with Active Directories. I want the web service authentication to be done "organically". Both the client and the web service will be within the same network but will NOT be using the same machine.

Everything works fine if I set the credentials directly as follows:

    using System;
    using System.Net;
    using System.Net.Http;   // PostAsJsonAsync comes from the Microsoft.AspNet.WebApi.Client package

    // Explicit credentials: works, but puts a username and password in code, outside Active Directory.
    var credentials = new NetworkCredential("<username>", "<password>");
    var handler = new HttpClientHandler { Credentials = credentials };
    var client = new HttpClient(handler);
    string request = "<request string>";
    var obj = new { request = request };
    byte[] data;

    using (client)
    {
        client.BaseAddress = new Uri("<url>");
        // Blocking on .Result is fine in a console caller; inside ASP.NET prefer await to avoid deadlocks.
        var response = client.PostAsJsonAsync("<suburl>", obj).Result;
        data = response.Content.ReadAsByteArrayAsync().Result;
    }

However, if I try and use the DefaultNetworkCredentials as follows, I get a "401 - Unauthorized" from the server:

    // Integrated credentials: presents the current Windows identity through a
    // Negotiate/NTLM challenge, so no password is stored in code or config.
    // Equivalent to HttpClientHandler.UseDefaultCredentials = true.
    var credentials = CredentialCache.DefaultNetworkCredentials;
    var handler = new HttpClientHandler { Credentials = credentials };
    var client = new HttpClient(handler);
    string request = "<request string>";
    var obj = new { request = request };
    byte[] data;

    using (client)
    {
        client.BaseAddress = new Uri("<url>");
        var response = client.PostAsJsonAsync("<suburl>", obj).Result;   // returns 401 here
        data = response.Content.ReadAsByteArrayAsync().Result;
    }

I am fairly certain I have everything set correctly on the server side to authenticate this way (i.e. disable anonymous, enable Windows Authentication, use the [Authorize] decoration on the web service method, etc.). I think the correct server setup is evidenced by the fact that I can authenticate correctly when hard coding the credentials.

I have seen elsewhere that this may be impossible for security reasons. I am not so sure that is true.

Any suggestions?
JonTEC Asked:
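An added client-side diagnostic for the 401 described above; this is not code from the original post or from Experts Exchange. It presents the current Windows identity the same way DefaultNetworkCredentials does and, if the service still answers 401, lists the authentication schemes the service offered, which separates a server-side Windows Authentication misconfiguration from a credential problem. "<url>", "<suburl>" and the JSON body are placeholders, as in the question.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;

static class IntegratedAuthCheck
{
    // Returns the schemes named in the final response's WWW-Authenticate headers
    // (empty when the request succeeded and no challenge was left unanswered).
    static string[] OfferedSchemes(HttpResponseMessage response)
    {
        return response.Headers.WwwAuthenticate.Select(h => h.Scheme).ToArray();
    }

    static void Main()
    {
        // This is the identity the handler will present. In a console app it is the
        // logged-in user; inside an IIS application pool it is the pool account unless
        // impersonation and Kerberos delegation are configured.
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        var handler = new HttpClientHandler
        {
            // Equivalent to Credentials = CredentialCache.DefaultNetworkCredentials.
            // These credentials only answer challenge-based schemes (Negotiate, NTLM);
            // they are never sent in response to a Basic challenge.
            UseDefaultCredentials = true
        };

        using (var client = new HttpClient(handler))
        {
            client.BaseAddress = new Uri("<url>");   // placeholder
            var body = new StringContent("{\"request\":\"<request string>\"}", Encoding.UTF8, "application/json");
            HttpResponseMessage response = client.PostAsync("<suburl>", body).Result;   // placeholder path

            Console.WriteLine("Status: " + (int)response.StatusCode);
            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // If only "Basic" (or nothing) appears here, the service is not
                // configured for Windows Authentication the way the client expects.
                Console.WriteLine("Schemes offered: " + string.Join(", ", OfferedSchemes(response)));
            }
        }
    }
}
```

Running this once from the client machine and once from the server's own console also shows whether the identity being presented is the user's or an application pool account.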

JonTEC (Author) Commented:
I have searched Experts Exchange and others for solutions but have not found a working scenario.

The project is written in ASP.Net C# (which is probably obvious). The main goal is inter-departmental communications to share information via a web service to any department within the network without requiring an additional login.

All users (and rights) on that network are managed by Active Directories. We don't want individual credentials stored anywhere outside of Active Directories because they do change frequently and we don't want the additional security risk.

We are moving toward a "single sign on" scenario.

Is there any other information I can provide that may help?
Aaron Tomosky (SD-WAN Simplified) Commented:
I believe you have to use "passthrough authentication". This passes through the user credentials to the service instead of running as the app pool.
http://www.helpmasterpro.com/helpfile/Active%20Directory/HTML%20Files/Windows%20authenticated%20logon%20for%20Microsoft%20IIS%207.htm
JonTEC (Author) Commented:
Thank you Aaron! I reviewed the link you provided and double checked the "passthrough authentication" settings. It appears I have things set up correctly already. Could there be something else missing? Server side or code side?
Aaron Tomosky (SD-WAN Simplified) Commented:
For help with the code, you need to be added to the C# topic; I can't really help with that.

Here is an old article, but it has some examples using ADObject oUser = new ADUser();
I don't know if that is currently the right way to do things or not.
http://www.c-sharpcorner.com/uploadfile/kevinrou/integrating-ldap-active-directory-into-your-net-web-portal-C-Sharp-or-VB-Net/
JonTEC (Author) Commented:
Thanks Aaron! I will open this question up in the C# and programming topic.