Impersonation and CredentialCache.DefaultCredentials provides HTTP 401 Unauthorized

I have an ASMX web service (on my localhost - WinXP IIS 5.1) that I am calling from a web client. My web service should consume another ASMX web service (on a Win 2003 IIS 6.0 server).

When I provide the credentials in my webservice code in a hard-coded way:

    engineWSE.Credentials = new System.Net.NetworkCredential("myUser", "myPass", "myDomain");

... a subsequent call to the remote web service works fine.

Now I'm trying to impersonate myself during the initial testing. My initial reading about this tells me that this can be a big topic, but here is what I did to get started:

  • UNCHECKED "Anonymous Access" in my virtual directory for a webclient site on my localhost

  • in the web.config of my webclient site, I set: authentication mode="Windows" and identity impersonate="true"

  • in the web method of my web service that should call the remote service, I changed to:

    engineWSE.Credentials = System.Net.CredentialCache.DefaultCredentials;
    
  • When a remote web service is called using these DefaultCredentials, I get the following error:

    System.Web.Services System.Web.Services.Protocols.SoapException: the server could not process the request .--->

    System.Net.WebException: Request failed with HTTP status 401: Unauthorized.

    in System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse (SoapClientMessage message, WebResponse response, responseStream stream, Boolean asyncCall)

    in System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke (parameters String methodName, Object [])

, "", - - , ( , , ).

+3
5

, . , Kerberos (Negotiate), NTLM, , Windows, IIS, . A, - B, , C, .

-. B, C.

Kerberos - . -, , . , , . , Kerberos , . , , . Kerberos .

, , myApp.intranet URL-. AD SPN, , , myUser MyDomain (setspn -S MyDomain\myUser HTTP/myapp.intranet). KDN (. kerberos KDN), , myUser, IIS . SPN (HTTP/myapp.intranet), KRB.

, IIS 7+, ApplicationHost.config, ( ): useAppPoolCredentials= true. \system.webServer\security\authentication\windowsAuthentication. , auth , , .

... "" AD. , .

, SPN . , , , . DNS, , , , . :

  • DNS A, .
  • CName, A
  • , CName , , .

, SPN NetBIOS, HTTP/machine, HOST- ( ) HTTP, HOST/machine. .

, NTLM Kerberos, ApplicationHost, SetSPN. NTLM , , , , ( NTLM). . , , , NTLM.

, . Kerberos, WireShark . , Kerberos :  - Kerberos -  - AD Kerberos ( )  - Kerberos  - Kerberos

+2

netmon wirehark, , ? ? , , web.config( .config) .

EDIT:

, HostingEnvironment.Impersonate(), , .

+1
0

@Michael Kniskern - , , HTTP. ASP.Net IIS. Windows ASPNET ( , ) . , MSDN HTTP FTP DefaultNetworkCredentials.

0
source

This is a classic two-hop problem - you cannot use user credentials obtained through impersonation to access another server if Kerberos delegation is not configured correctly in your domain. Duplicate of this question

0
source
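
The two-hop diagnosis in the answer above can be checked from inside the web method, just before the remote proxy is invoked. This is an added example, not code from the original thread: the class name `DoubleHopCheck` and its messages are hypothetical, and it only reads properties of `System.Security.Principal.WindowsIdentity`.

```csharp
using System;
using System.Security.Principal;

// Hypothetical helper (not from the original post): reports whether the
// identity the code is running under can be forwarded to a second server.
public static class DoubleHopCheck
{
    public static string Describe(WindowsIdentity id)
    {
        // With <identity impersonate="true" />, WindowsIdentity.GetCurrent()
        // inside the web method is the impersonated caller, which is the
        // identity CredentialCache.DefaultCredentials presents downstream.
        string verdict;
        if (id.IsAnonymous)
            verdict = "anonymous token: nothing to forward";
        else if (id.ImpersonationLevel == TokenImpersonationLevel.None)
            verdict = "primary token: process identity, not an impersonated caller";
        else if (id.ImpersonationLevel == TokenImpersonationLevel.Delegation)
            verdict = "delegation-level token: usable for the second hop";
        else if (string.Equals(id.AuthenticationType, "NTLM",
                               StringComparison.OrdinalIgnoreCase))
            verdict = "NTLM logon: credentials stop at this server";
        else
            verdict = "not delegable: check SPNs and delegation settings in AD";

        return string.Format("user={0} auth={1} level={2} -> {3}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel, verdict);
    }

    public static void Main()
    {
        // Run from a console this shows the process identity (level=None).
        // In the ASMX web method, log Describe(WindowsIdentity.GetCurrent())
        // immediately before calling the remote service instead.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine(Describe(current));
        }
    }
}
```

A level of `Impersonation` together with a 401 from the remote service matches the two-hop failure described above; the hard-coded `NetworkCredential` works because it supplies a password on the middle server instead of forwarding the caller's token.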

Source: https://habr.com/ru/post/1706073/

