Client calling multiple asmx services

I have a WPF client application which calls multiple ASMX web services, and I keep on getting 401 authentication errors.

Sometimes, for whatever reason, one succeeds whereas the other one fails, but then for some reason one works and then the other one fails... I have no idea what the reason is.

One of the services needs to do a double hop. It was working earlier during the day and for some reason has now stopped working; I do not believe I changed anything.

I followed http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9239a89-fbee-4adc-b72f-7a6a9648331f/401-unauthorized-access-is-denied-due-to-invalid-credentials?forum=winserversecurity

following the suggestion:

IIS 7 was difficult for figuring out why I was getting the 401 - Unauthorized: Access is denied due to invalid credentials... until I did this...

1.) Open IIS and select the website that is causing the 401
2.) Open the "Authentication" property under the "IIS" header
3.) Click the "Windows Authentication" item and click "Providers"
4.) For me the issue was that Negotiate was above NTLM. I assume that there was some kind of handshake going on behind the scenes, but I was never really authenticated. I moved the NTLM to the topmost spot, and BAM that fixed it.

and it initially worked; however, once I closed down Fiddler the problems came back.

Ressieressler answered 6/11, 2013 at 7:42 Comment(12)
What do you mean by 'double hop'? Have you checked that #401? Do your services that throw #401 use ANY authorization (http-basic, ssl, AD, whatever)? Are those "many services" that your app uses provided by the same server, or many different servers? Have you tried calling those services manually, i.e. by some Soap/Rest TestClient? Have you succeeded or did they throw #401 randomly too? If you have any data on any of those questions, please include it in your post. They will probably help others to think/imagine/diagnose what's up. - Orvah
They all authenticate fine when I use a browser... I am trying to do delegation, is what I mean by double hop. That is, my client calls the service and passes it the Windows credentials. The service then calls SQL Server and I pass to it the Windows credentials. - Ressieressler
You could use Fiddler to see what headers are being sent and received. There currently isn't a lot of information in the question and there is no known issue with "ASMX webservices randomly responding 401 every now and then". - Dressing
Thanks... does it matter that the IIS service runs under a local account? The service I am calling runs in an application pool under a domain account, but the IIS service runs under a local account, it seems. - Ressieressler
@Orvah he means SPNEGO Negotiate Kerberos. The issue is that 401 can occur from any leg of the Kerberos Auth scheme failing (of which there are many). - Alysaalyse
Ahhh... just remembered another thing... search Kernel mode security and IIS. Your IIS (authenticating) identity NEEDS to be the same as your SPN record. The setting I speak of pushes the Auth into the Kernel mode drivers, so that it is your system identity that authenticates as opposed to your app pool identity. Hope that little gem can help you... - Alysaalyse
@Aron: ...but isn't it quite a well-defined path? Why would it randomly fail/pass? Unless there's some really hard network error which would randomly lose packets or reset connections, I think it should constantly try with the same credentials/tokens, so shouldn't it always pass or always fail? I think the problem is not at this level, but I may be wrong, that's why I asked for "moar info" :) - Orvah
@Orvah you assume that Kerberos is a purely network tech. It's complicated, including a part requiring well sync'd system clocks, AD setup, various AD accounts, etc... I had issues with double hop arising from only a SINGLE user once. Of all the problems I have faced in my years of coding, Kerberos remains the craziest. - Alysaalyse
@Aron: You're right... now that you mentioned clocks, I remember that I had some issues with that too. Sadly, that was a long time ago and I really don't remember the details. Many thanks for some explanations though! - Orvah
Problem is I am having problems understanding all this; I have limited power in my workplace, where I have to talk to the sysadmin to change something like an SPN, so we are going backwards and forwards... My understanding is he set the SPN on the domain account under which the remote service is running... However, IIS is still running under its local account on the remote PC... My concern is whether there are any ramifications if I go to the effort of having IIS run under a domain account, as this PC is shared with other services. - Ressieressler
I made a WCF client application to try and resolve this on the service that is currently not working... I am getting the error "System.ServiceModel.Security.MessageSecurityException Message=The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header .. Message=The target principal name is incorrect", which suggests to me that somewhere there is something wrong with SPNs??? Not sure why this would cause some services to randomly fail though... Could be hard to diagnose, but if this is the reason at least I may have some direction now. - Ressieressler
I'm just reading this article now: blogs.msdn.com/b/webtopics/archive/2009/01/19/… Just think maybe it has something to do with the way the SPN is set up. - Ressieressler
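
Added example, not part of the original thread: the Fiddler suggestion above can be made concrete by checking which mechanism the client actually sent under `Negotiate`. This Python helper classifies a captured `Authorization` or `WWW-Authenticate` value as NTLM or Kerberos by looking for the NTLMSSP signature or the Kerberos mechanism OIDs; it is a heuristic, and the function names and sample tokens are constructed for illustration.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"                                # NTLM message signature
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_auth_header(value):
    """Return (scheme, mechanism, detail) for one header value from a trace."""
    scheme, _, b64 = value.strip().partition(" ")
    scheme, b64 = scheme.lower(), b64.strip()
    if scheme not in ("negotiate", "ntlm"):
        return scheme, "other", ""
    if not b64:
        return scheme, "none", "bare challenge, no token yet"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "invalid", "token is not valid base64"
    # NTLM first: a SPNEGO wrapper may list the Kerberos OID as an offered
    # mechanism while the embedded token is still NTLMSSP.
    pos = token.find(NTLMSSP)
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return scheme, "ntlm", NTLM_TYPES.get(msg_type, "unknown")
    if OID_KRB5 in token or OID_MS_KRB5 in token:
        return scheme, "kerberos", "GSS-API/SPNEGO token carrying Kerberos"
    return scheme, "unknown", "no NTLMSSP signature or Kerberos OID found"

def mechanisms_used(trace):
    """Mechanism of each client Authorization header, in capture order."""
    return [classify_auth_header(v)[1] for name, v in trace
            if name.lower() == "authorization"]

def encode_token(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed sample tokens (not captured traffic). The Kerberos one is a
# truncated stand-in: correct leading bytes and OIDs, no real ticket.
NTLM_TYPE1 = NTLMSSP + struct.pack("<II", 1, 0)
SPNEGO_KRB = b"\x60\x82\x05\x10" + OID_SPNEGO + OID_MS_KRB5 + OID_KRB5 + b"\x00" * 16
SAMPLE_TRACE = [
    ("WWW-Authenticate", "Negotiate"),
    ("Authorization", "Negotiate " + encode_token(NTLM_TYPE1)),
    ("Authorization", "Negotiate " + encode_token(SPNEGO_KRB)),
]
```

If the request to the service that needs the double hop classifies as `ntlm`, delegation to SQL Server cannot work, because NTLM credentials cannot be delegated; only a Kerberos ticket can.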
