Last post Sep 07, 2017 07:55 AM by TonyHelp
Sep 05, 2017 11:32 AM|Limbobski|LINK
Not sure exactly which group this belongs to. It's a question about ASP.NET and webservice authentication.
I have a Dynamics NAV Webservice that I use in my intranet solution (web solution). I want to access this webservice as the logged-on-user.
The website is using Windows authentication and when I enable impersonate it works fine on my computer both on IIS and IIS Express. I access the webservice as the logged on user (and not as the Application Pool Identity). Perfect!
System.Security.Principal.WindowsIdentity.GetCurrent().Name shows my username as it should. If I change impersonate to false, the WindowsIdentity changes to the application pool. As I expect.
Then I publish this site to another server on the same domain and the same setup gives me the error: "The remote server returned an error: (403) Forbidden." when connecting to the web service. So it seems this server is not passing on my credentials to the webservice for some reason. System.Security.Principal.WindowsIdentity.GetCurrent().Name still shows my username, as it should, so the impersonate is doing something at least.
Why is my computer using impersonate as I expect and the server isn't?
I have tried Kerberos and NTLM on the webservice, but both work on my computer and not on the server.
The webserver is running Win 2012 R2 with IIS 8.5
My local computer is running Win 10 1703 with IIS 10
Sep 05, 2017 01:15 PM|mgebhard|LINK
The following doc explains the issue.
Sep 05, 2017 03:43 PM|Limbobski|LINK
ok, I read about this
The article you link to explains: "The reason the whole thing worked when I was testing it was because in my case only a single hop was involved because my web server and user agent were on the same machine.", which is why it was working on my machine.
Thanks for the information. That means I have to use a specific user to connect to the webservice and change the webservice accordingly. Right now it logs who is accessing the service etc, but this doesn't work when using the same user for everything.
Or alternatively set up the web server in question as trusted for delegation, which should allow this to work.
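An added example (not part of the posts above, and not code from the linked document): a small C# diagnostic for the situation discussed in this thread. It reads the impersonation level of the current Windows token, which shows whether the impersonated identity can be forwarded to a second server; the names `HopCheck`, `Classify` and `Report` are made up for this example.

```csharp
using System;
using System.Security.Principal;

// Hypothetical helper for this example. Call Report() from inside a request
// on the web server and write the result to a log or a diagnostics page.
public static class HopCheck
{
    // Maps the token's impersonation level to what it means for an outbound call.
    public static string Classify(TokenImpersonationLevel level)
    {
        switch (level)
        {
            case TokenImpersonationLevel.None:
                // Primary token: the thread is not impersonating anyone.
                return "not impersonating: outbound calls use the process (application pool) identity";
            case TokenImpersonationLevel.Delegation:
                // The server is allowed to act as the user towards other hosts.
                return "delegation: the user's identity can be presented to a remote service";
            case TokenImpersonationLevel.Impersonation:
                // Valid for resources on this machine. A call to another host is a
                // second hop, unless the browser runs on this same machine
                // (the single-hop case quoted in the post above).
                return "impersonation only: the user's identity stops at this server";
            default:
                // Anonymous or Identification.
                return "anonymous/identification: the token cannot access resources as the user";
        }
    }

    // Summarises the identity the current thread is running as.
    public static string Report()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return string.Format("{0} | auth={1} | level={2} | {3}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel,
                Classify(id.ImpersonationLevel));
        }
    }

    public static void Main()
    {
        Console.WriteLine(Report());
    }
}
```

`Name` can show the logged-on user at both the Impersonation and the Delegation level, so a correct username alone does not show that the credentials will reach the web service.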
Sep 07, 2017 05:36 AM|TonyHelp|LINK
Did your scenario meet the scenario which is described in the link from mgebhard? If it did, I think you are right and you may need to use a specific user to connect to the web service resource.
If you have any issue about this, please feel free to keep following. If not, I would suggest you mark the helpful reply as answer to close this thread.
Sep 07, 2017 07:50 AM|Limbobski|LINK
Yes, I've marked it as the answer. I was confused that it worked on my computer and not on a server, but that document explains that you don't get the extra hop when using a local webserver.
Sep 07, 2017 07:55 AM|TonyHelp|LINK
It's great. Would you mind closing the thread below too?