The remote server returned an error: (401) Unauthorized. Using CSOM in ASP.NET

I tried to pull some SharePoint 2013 list data I created, which works fine when running locally on my machine and when run locally on the server. I'm using the same credentials when running both locally and locally on the server. The issue is when I publish and navigate to my ASP.NET app on the server I get the "The remote server returned an error: (401) Unauthorized." error...

I've looked at a bunch of the posts on stackoverflow and some other articles on the web

This points out that the context seems to be using IUSR: http://blogs.msdn.com/b/sridhara/archive/2014/02/06/sharepoint-2013-csom-call-from-web-part-fails-with-401-for-all-users.aspx

This one mentions to try setting the default network credentials: https://sharepoint.stackexchange.com/questions/10364/http-401-unauthorized-using-the-managed-client-object-model

I've tried using the fixes mentioned in the article as well as trying to force the context to use DefaultNetworkCredentials but no luck. I would like for the app to use the credentials of the logged in user and not the machine...

Here is the code I'm using:

        SP.ClientContext context = new SP.ClientContext("MySPDevInstance");
        context.Credentials = CredentialCache.DefaultNetworkCredentials;

        Entity entity = context.Web.GetEntity(collectionNamespace, collectionName);
        LobSystem lobSystem = entity.GetLobSystem();
        LobSystemInstanceCollection lobSystemInstanceCollection = lobSystem.GetLobSystemInstances();

        context.Load(lobSystemInstanceCollection);
        context.ExecuteQuery();

        LobSystemInstance lobSystemInstance = lobSystemInstanceCollection[0];
        FilterCollection filterCollection = entity.GetFilters(filter);

        filterCollection.SetFilterValue("LimitFilter", 0, 1000);

        EntityInstanceCollection items = entity.FindFiltered(filterCollection, filter, lobSystemInstance);

The server is running IIS 6.0

Any advice would be much appreciated!

Thank you

Costar answered 3/4, 2014 at 14:43 Comment(1)
Do you know how to get all the entities from the LOB without applying a filter? sharepoint.stackexchange.com/questions/97155/… - Lumpkin
O
6

I presume your ASP.NET web site is using Windows Integrated (NTLM) authentication. A user authenticated this way cannot authenticate to a second location from the server side (the web server.) You are experiencing what is known as the "double-hop" (1) limitation of NTLM. You must use a dedicated account on the server side, or if you really do want to use the logged-in user's identity, you must use an authentication scheme that permits delegation, such as Kerberos.

If you really need the user's identity to access SharePoint data and you cannot change the authentication scheme, then the best way to do this is to use the JavaScript CSOM. This means the user is authenticating directly to the SharePoint server (a single hop, not double) and your ASP.NET site serves the page containing this script to the user.

(1) http://blogs.msdn.com/b/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx

Osmose answered 3/4, 2014 at 18:6 Comment(7)
Thanks for the response! So if I set up Kerberos and the SharePoint Server and Web Server trust each other should my code above work? - Costar
Yes, that's the idea @Costar - Osmose
Ok, finally got put back on this. I've set up the Kerberos but am now getting "The target principal name is incorrect" error. I tried to search around to see what this means in relation to the technologies I'm working with but have been unsuccessful... Any ideas? - Costar
Forgot to also mention that when I run locally I now get "The remote server returned an error: (401) Unauthorized." As mentioned previously this was working until setting up the Kerberos. - Costar
I just tried to force NTLM by adding it to the credential cache in my code and passing it to the SharePoint context and I get data back locally on my machine. But not on the server I get "Access denied. You do not have permission to perform this action or access this resource." error... So I thought ok what if I try changing the NTLM type to Kerberos instead, this unfortunately gave me the "The remote server returned an error: (401) Unauthorized." on my machine locally and on the server... - Costar
Finally got someone in to properly configure the Kerberos between our servers. SPNs weren't set up correctly... Everything works great now! Thank you for pointing me in the right direction :-) - Costar
Yeah... unfortunately Kerberos requires the cooperation of infrastructure people to set up SPNs and configure computers in AD to enable delegation (if required.) - Osmose
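Editor's added example (not code from any poster in this thread): once Kerberos delegation and SPNs are in place, the CSOM call still has to run under the caller's token, otherwise `DefaultNetworkCredentials` resolves to the worker process account. The class and method names and the site URL below are hypothetical placeholders; the sketch assumes .NET Framework ASP.NET with Windows Integrated authentication and that AD administrators have configured delegation for the web server.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;
using SP = Microsoft.SharePoint.Client;

public static class SharePointAsCaller   // hypothetical helper name
{
    // Placeholder URL (assumption); substitute the real SharePoint site.
    private const string SiteUrl = "http://sharepoint.example.local";

    public static string GetWebTitleAsLoggedInUser()
    {
        // Identity IIS authenticated for this request (Windows Integrated auth).
        var caller = HttpContext.Current.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException("Request is not Windows-authenticated.");

        // Record how the first hop was authenticated; "NTLM" here means the
        // identity cannot be passed on to a second server.
        System.Diagnostics.Trace.TraceInformation(
            "caller={0} authType={1} level={2}",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel);

        // Impersonate only for the duration of the outbound call.
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        using (var context = new SP.ClientContext(SiteUrl))
        {
            context.Credentials = CredentialCache.DefaultNetworkCredentials;
            context.Load(context.Web, w => w.Title);
            try
            {
                context.ExecuteQuery();   // second hop: web server -> SharePoint
                return context.Web.Title;
            }
            catch (WebException ex)
            {
                var response = ex.Response as HttpWebResponse;
                if (response != null && response.StatusCode == HttpStatusCode.Unauthorized)
                    throw new UnauthorizedAccessException(
                        "SharePoint rejected the delegated identity; check SPNs and delegation.", ex);
                throw;
            }
        }
    }
}
```

The stacked `using` statements dispose the context first and then revert impersonation, so no later code on the request thread keeps running as the caller.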
R
4

Use Default Credentials worked for me:

    HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(url);
    httpWebRequest.UseDefaultCredentials = true;

Radbourne answered 7/10, 2015 at 10:37 Comment(0)
T
3

Set up the credentials by code:

    SP.ClientContext context = new SP.ClientContext("MySPDevInstance");
    context.Credentials = new NetworkCredential("username", "password");

You should put this in the configuration file to change it without publishing or recompiling the application.

Tele answered 3/4, 2014 at 17:57 Comment(3)
I can't hard code the credentials, I need to use windows authentication. The user will have a sharepoint account setup. - Costar
Then you should get the Logged User Credentials and pass it to the NetworkCredential - Tele
@fals The logged in user's credentials are not available to him when using a challenge-response authentication scheme such as windows integrated (NTLM) - Osmose
A
0

Just to add one more setting that I encountered. If the account is restricted to access only certain servers then add the client machine to that account as well. For example, if a web application is hosted on Server A and trying to connect to SharePoint 2010 on Server B with account ABC then make sure that account has access to Server A in Active Directory. Normally the AD account doesn't have restrictions to connect to machines but in my case the account was restricted to only certain machines. I added my web application hosted server to the account and it worked.

Adanadana answered 4/1, 2016 at 23:58 Comment(0)
