Last post Aug 05, 2010 04:57 AM by Deleo
Aug 04, 2010 03:22 PM|new Bie
We have 3 different domains, each with its own Active Directory.
I have to make a web service such that, when a user logged in to any of the domains calls that web service, it takes the user's credentials,
processes the task, and logs the current user and the user's domain.
My IIS configuration is:
1) anonymous user disabled
2) integrated authentication enabled
and the calling application sends the user credentials as System.Net.CredentialCache.DefaultCredentials.
Our different servers are configured for any one of the 3 domains. When I call the web service (deployed on a server) from the same domain it
works as expected; otherwise it gives HTTP 401 Unauthorized across domains (when the web service and the calling application are in different domains).
When I enable the anonymous user I am able to hit the web service, but as IUSR_Machine, so I will not get the username and domain.
So is it possible that, even with the anonymous user enabled, we could get the user credentials passed from the calling application,
or is there any other method or configuration which will work in this case?
Aug 05, 2010 02:47 AM|smirnov
When Anonymous access authentication is turned off for the Web service application, all the caller applications must provide the credentials before making any request. By default, the Web service client proxy does not inherit the credentials of the security context where the Web service client application is running.
Hope this helps.
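To make the point above concrete, here is an added example (not code from this thread) showing both halves: a SOAP client proxy that explicitly hands the proxy the caller's Windows credentials, and the ASMX method on the server that reads the resulting identity. The service name, SOAP namespace and URL (WhoAmIService, http://example.com/whoami, webserver.domaina.example) are assumed for illustration; the proxy class is hand-written in the shape wsdl.exe generates.

```csharp
using System;
using System.Net;
using System.Web.Services;
using System.Web.Services.Protocols;

// ---- Client side (console app or ASP.NET caller) ----
// Hand-written proxy; names, namespace and URL are assumptions for this example.
[WebServiceBinding(Name = "WhoAmIServiceSoap", Namespace = "http://example.com/whoami")]
public class WhoAmIServiceProxy : SoapHttpClientProtocol
{
    public WhoAmIServiceProxy(string url)
    {
        Url = url;
        // Without this assignment the proxy sends no Windows credentials at all,
        // and IIS answers 401 as soon as anonymous access is disabled.
        Credentials = CredentialCache.DefaultCredentials; // equivalent: UseDefaultCredentials = true;
    }

    [SoapDocumentMethod("http://example.com/whoami/WhoAmI")]
    public string WhoAmI()
    {
        object[] results = Invoke("WhoAmI", new object[0]);
        return (string)results[0];
    }
}

class Program
{
    static void Main()
    {
        var proxy = new WhoAmIServiceProxy("http://webserver.domaina.example/whoami.asmx");
        try
        {
            Console.WriteLine("server sees caller as: " + proxy.WhoAmI());
        }
        catch (WebException ex)
        {
            // A 401 here is the cross-domain symptom described in the original post.
            var response = ex.Response as HttpWebResponse;
            Console.WriteLine("request failed: " +
                (response != null ? response.StatusCode.ToString() : ex.Message));
        }
    }
}

// ---- Server side (whoami.asmx.cs on the IIS box) ----
// With Integrated Windows authentication on and anonymous access off, Context.User
// carries the caller; with anonymous access on, IsAuthenticated is false and there
// is no caller identity to log.
[WebService(Namespace = "http://example.com/whoami")]
public class WhoAmIService : WebService
{
    [WebMethod]
    public string WhoAmI()
    {
        System.Security.Principal.IIdentity id = Context.User.Identity;
        if (!id.IsAuthenticated)
            return "anonymous (no caller identity available)";
        // Name is "DOMAIN\user"; AuthenticationType reports the scheme Windows used.
        return id.Name + " [" + id.AuthenticationType + "]";
    }
}
```

Two caveats worth knowing when reading the rest of the thread: CredentialCache.DefaultCredentials only applies to NTLM, Negotiate and Kerberos, and when the caller is itself an ASP.NET application those default credentials are the worker process (application pool) identity unless the calling page impersonates the browsing user. Logging id.AuthenticationType on the server is the quickest way to see which scheme actually got negotiated for a given call.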
Aug 05, 2010 03:51 AM|Deleo
I believe you are sending the application pool ID to your domain, rather than the user.
You need each user to identify themselves before using your web services; perhaps you should consider using impersonation?
Aug 05, 2010 03:54 AM|new Bie
Is it possible that, with the anonymous user enabled, we can allow users to access the resources
but by some means still get the actual calling user (domain\username)?
Aug 05, 2010 03:56 AM|new Bie
Can you explain, Deleo? Yes, I have created an app pool and am using it for the web service,
but how it affects this I don't know.
Aug 05, 2010 04:57 AM|Deleo
Ahhh, I read your post more thoroughly this time :)
So your setup actually works when the web service resides inside the same domain as the user calling it?
Example: User X from domain Ubersoft is calling web service Y, which is also inside the domain Ubersoft.
If that is the case, then you have authentication problems on your server side. It seems that the authentication can't cross domains, aka the domain controllers can't authenticate with each other.
Now this is a problem which holds tons of possible answers. First off: you need to use the Kerberos authentication protocol. The system will automatically use this as the default, but you need to be sure that it is actually doing so. Check the event viewer for authentication requests, or use Kerberos tools to check tickets. You need to enable delegation between the three domains. This means that the web service can call the domain controller which it belongs to in order to perform authentication. That domain controller then passes the authentication to another domain controller (delegates the authentication). What you need to do is go inside the domain controller and find the other domain controllers and the IIS server, go inside their properties and check the "trust for delegation" attribute. This tells the domain controller that any of these servers are eligible for authentication delegates and can be trusted.
The topic on this matter is HUGE, and I strongly encourage you to read the manual for Windows Server 2003 and Kerberos delegation. Even search it on your favourite search engine, Bing or Google. :p
But also read about the DefaultCredentials you are using:
it has some limitations, just be sure they do not apply in your solution :) :)
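The "trust for delegation" attribute Deleo refers to lives in the userAccountControl bits of the web server's computer account, and Kerberos additionally needs an HTTP/<host> service principal name (SPN) registered on that account before a client can obtain a ticket for the service at all. The following added example (not from the thread) uses System.DirectoryServices to read both from the directory the tool is run in; the host name WEBSRV01 is assumed, and the query is escaped so an unexpected host string cannot alter the LDAP filter.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

class DelegationCheck
{
    // userAccountControl bits (ADS_USER_FLAG_ENUM).
    const int ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000;                  // "Trust this computer for delegation to any service"
    const int ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x1000000; // constrained delegation with protocol transition

    // Escape a value before embedding it in an LDAP filter (RFC 4515), so a crafted
    // host name cannot change the query into something broader.
    static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "WEBSRV01"; // assumed name of the IIS server

        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            // Domain of the machine/user running this tool; run it from the web server's domain.
            string domainDn = (string)rootDse.Properties["defaultNamingContext"].Value;

            using (var domain = new DirectoryEntry("LDAP://" + domainDn))
            using (var searcher = new DirectorySearcher(domain))
            {
                // Computer accounts are stored with a trailing "$" in sAMAccountName.
                searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=" + EscapeFilterValue(host) + "$))";
                searcher.PropertiesToLoad.AddRange(new[] { "dnshostname", "useraccountcontrol", "serviceprincipalname" });

                SearchResult result = searcher.FindOne();
                if (result == null)
                {
                    Console.WriteLine("No computer account named {0} in {1}", host, domainDn);
                    return;
                }

                int uac = (int)result.Properties["useraccountcontrol"][0];
                Console.WriteLine("Computer: " + result.Properties["dnshostname"][0]);
                Console.WriteLine("Trusted for delegation (unconstrained): {0}",
                    (uac & ADS_UF_TRUSTED_FOR_DELEGATION) != 0);
                Console.WriteLine("Trusted to authenticate for delegation: {0}",
                    (uac & ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) != 0);

                // Without an HTTP/<host> SPN the client cannot get a Kerberos service ticket and
                // falls back to NTLM, which cannot delegate the caller's identity at all.
                Console.WriteLine("Registered SPNs:");
                foreach (object spn in result.Properties["serviceprincipalname"])
                    Console.WriteLine("  " + spn);
            }
        }
    }
}
```

Pair this with `klist` on the client to confirm a ticket for the HTTP/<host> SPN was actually issued, which is the "Kerberos tools to check tickets" step above. One caveat before ticking the "trust for delegation" box: that flag is unconstrained delegation, meaning every user who authenticates to the web server leaves it a forwardable ticket-granting ticket that the server can reuse against any service in the forest. Where delegation is genuinely required, constrained delegation (a specific list of target services on the account) limits the blast radius of a compromised web server considerably.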