C# Webservice Proxy Windows Authentication - authentication

I have a c# application which consumes a webservice through a client proxy. The webservice is setup to use windows authentication (HTTP 401 challange through Active Directory). My user account configured to be authorized to access the webservice.
When I call the webservice through the browser it worked well. The browser is able to do the 401 challange and does not ask for any user id password (as internally the server and client do it through AD controller).
The problem is that when I try to consume the service through the C# application, it throws HTTP request unauthorized error.
I have tried all the below options for the webservice proxy to do windows authentication.
ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation
ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultCredentials as System.Net.NetworkCredential
ClientCredentials.Windows.AllowedImpersonationLevel =System.Security.Principal.TokenImpersonationLevel.Impersonation
Can someone please help on how I can make the webservice call just like how the browser does. I cannot pass user id and password while calling the service.

I figured out myself a workaround.The service call works well (HTTP 401 challange) with HTTPWebRequest with Credentials = CredentialCache.DefaultCredentials. Browser seems to be using the same approach.The problem is while creating a client proxy which is unable to do this 401 challange.
I could not figureout the reason but may be the service does not have enough meta information to establish a proper handshake with a client proxy.

Related

"Invalid Authentication Headers" with IIS 10 and Windows Authentication

I have been struggling with getting Windows authentication to work on IIS10 for a .Net Core API. The error I am getting is 401.2:
You are not authorized to view this page due to invalid authentication headers.
I have made the following configurations:
Only windows authentication has been enabled on the site (Anonymous is disabled)
SPNs have been created for the site and the server has been enabled for delegation.
The application pool is configured to run under a domain account
Both cURL and Postman give me the same result. Interestingly, when I make use of the SwaggerUI on the API directly, I get the expected behavior, but when making external calls (from another server), I get the 401.2 error.
Some additional content from the error is that the Logon Method and Logon User is Not Yet Determined.
How do I resolve this issue?
I was under the assumption that Postman and cURL were sending the NTLM credentials/token as a part of the request by default, but was incorrect. I had to enable Failed Request Tracing on IIS and saw that they were trying to make use of anonymous authentication. Apparently Postman does not support NTLM authentication so I made use of cURL and appended the credentials. With this I could get the authentication to work with cURL.

Get 401 Unauthorized when call web api even if I enable Anonymous Authentication

I am developing a web api. When I ran web api in local workstation by Visual Studio and used Fiddler or IE to consume it, all things were fine.
But if I deployed it into a remote IIS server, I get 401 error code in IE, Fiddler or client application. Even I enable Anonymous Authentication in IIS, 401 still occurs.
Could anyone give me some suggestions?
Thanks.
You can right click in the Authentification the "Anonymous Authentification" and select Edit. From there, you can assign on which credential you run the Anonymous authentification. If you set your own account, it should work (or any account that can run the web api).

ADFS reply aborts

I am trying to setup ADFS for my MVC application.
my site is on https://mysites.domain:336/
When I login I am redirected to ADFS and can authenticate but when it returns me back to https://mysites.domain:336/
it send me to https://mysites.domain/ instead and the network traffic in the browser says that the request was aborted.
I have run out of ideas please help
I found the problem...It turns out that in the ADFS Relying Party properties The endpoint was configured without the portnumber

Cannot access backend WCF services via a web app using Kerberos Constrained Delegation through Safari

I have a scenario wherein my ASP.NET MVC 3 web application hosted in IIS 7/Windows 2008 is accessing a WCF web service from another server, also hosted in IIS/Windows 2008. KCD is setup between the two servers and I have the necessary SPNs set up as well.
I have confirmed this working in IE. Using NetMon, I have also confirmed that KCD is working at the backend. My web app is running under machine account (network service) and the SPNs are setup accordingly for this machine account. The issue is when I use Safari on both my Windows and Mac OS X (Lion) machine, I am getting a 401 Unauthorized error:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.
Looking at NetMon, it is failing because the request to the WCF web service is falling back to NTLM.
Note that both Windows and Mac machines are part of our domain, and I'm using my same Windows credentials on both machines.
I know that Safari supports Kerberos authentication, but there seems to be an issue when delegating from my web app to the WCF service. Is it an issue with Safari, or with WCF?
Thanks in advance!
Update:
In Safari on Mac, when I first access the web application, I can see in Wireshark and NetMon that there is a valid Kerberos token being passed along the HTTP request (i'm not getting a 401 Unauthorized error). But when my web application tries to access the backend web service, I can see in that particular HTTP request that the token being passed along is now an NTLM token.
I'm using basicHttpBinding with TransportCredentialOnly as the security mode - I also specified in web.config the SPN identity of the backend web service's endpoint (HTTP/FQDN of backend web service server). Windows Auth is of course enabled on both IIS sites with "use kernel mode" turned on, and with useAppPoolCredentials set to true on the appHost.config of both sites. Again this is just for Safari on Mac, Firefox and Chrome are both working fine.
Check in Wireshark whether Safari sends a delegable/forwardable ticket.
Are you able to access the backend service directly? Is credential delegation on, I guess the ticket is not delegable? Safari has to request this. Firefox and IE do. The NTLM token passed is a token from your server. There is no delegation support in NTLM. There is something wrong with the target host.
Looking at the Wireshark traces, it seems that Safari is requesting for a Kerberos ticket that is not forwardable. Due to this flag, the Kerberos ticket is not forwarded / delegated to the next hop, causing the authentication to fall back to NTLM and fail.
Comparing this to the TGS request requested by IE, Firefox and Chrome, they all have a forwardable flag set.
I also tried doing a klist -F in Mac OS X to retrieve tickets that are forwardable, but Safari will still request for a separate ticket that doesn't have the forwardable flag.
Which brings me to a conclusion that Safari on Mac DOES NOT support delegation.

Forms Authentication Error in WCF

We are connecting to a WCF web service which has Anonomous Access turned off, Windows Authentication turned on. The web.config file has a local user account for allow users and deny users="?".
I can download and generate the service proxy fine (being prompted for creds), however from my windows form project (even when passing in the credentials), I get the following error:
System.ServiceModel.Security.MessageSecurityException was unhandled
Message="The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm=\"SEIPART001\"'."
Message="The remote server returned an error: (401) Unauthorized."
Here is my sample code:
ip.eIPCShoppingCartWSSoapClient client = new iParts.ip.eIPCShoppingCartWSSoapClient();
System.Net.NetworkCredential creds = new System.Net.NetworkCredential("username", "password", "domain");
client.ClientCredentials.Windows.ClientCredential = creds;
iParts.ip.OrderListItem[] listItem = client.GetOrderList("1234"); //throws exception here
Looks like your service is asking for basic authentication; not windows integrated authentication.
In that case, I think you need to specify the credentials on the client proxy using in the ClientCredentials.UserName property and not ClientCredentials.Windows.
No change. The virtual directory is asking for Windows Auth and passing in a local user. It works fine in the browser but the service keeps erroring out.
Looks like you should switch to transport security.
Lookin the security section of your configuration.