I have Silverlight web app. And it includes web client side (one assembly) and server side of ria services (other assembly).
Windows Authentication to webapp is provided by standart public class AuthenticationDomainService : AuthenticationBase<User> and it works fine. But on the server side i can get only user Name (login)
I need send WebRequest from the server side to asmx-service. I try to pass credentials of current user next way:
webRequest.UseDefaultCredentials = true;
or
webRequest.Credentials = new NetworkCredential("AD login", "AD password");
But in one case it doesn't work and in second i need to get also password.
ASMX-service is hosted on IIS with Windows authentication.
How can i pass current credentials from server side of ria services to WebRequest?
Related
I need to build some web services in a WebLogic application server. This server lies between a mobile app and Oracle ERP. Basically, after the mobile app "login" to the Oracle ERP via a web service call on the application server, a session should be maintained on the application server. One reason is this:
Every time a web service is called by the mobile app, it needs to return a random challenge token. This is a requirement by our internal security. Within the same session, when the same mobile app calls the same web service (or a different web service) on the application server, it needs to pass the challenge token that it received previously. The application server will then have to check that the token is the same one that it returned previously to the mobile client.
We have discussed about using JAX-RS for communication between mobile app and the web services. However, I have read that JAX-RS is supposed to be stateless. In this case, how can I maintain a session such that the application knows the challenge token that it returned to a client previously? There is no database for the application by the way. Normally for a web application, it can just save the challenge token to a session object, but how do you do so for a web service?
If JAX-RS cannot maintain session, then what about JAX-WS?
Thanks.
I have a problem about IIS configuration, so at least I think.
I have two different servers, in one of them are installed Microsoft Dynamics CRM 2011, on the second server I have ASP.NET application who talks with Microsoft Dynamics CRM 2011 web service. The problem is there, that I can't configure ASP.NET application.
Application has needed to work in the following:
I open ASP.NET Application who are enabled windows authorization
I login with Active Directory user, which at the same time, is user in Dynamics CRM 2011 system
When I am logged in, application start sending requests to Dynamics CRM web service with the same credentials that I am logged in
Now my configuration is that - enabled Windows authorization, enabled ASP.NET impersonation, application pool run as network service.
Problem is that when I open this application on ASP.NET server by adress localhost they automaticali get credentials with what I am logged in to this server, it's ok, but when I try to open application by address some-hostname.com they requre login, that is also ok, but when I logged in and application start send requests to Dynamics CRM web service. CRM web service response with 401 unauthorize,infer from this that there are problems with credentials who came from IIS.
I try to install and configure this ASP.NET application on the same server where hosts CRM server, there everything works fine.
What you're seeing is the double hoprestriction.
The credentials of the client cannot be forwarded from your ASP.NET application web server to CRM Server unless you configure delegation. For this your AD must already be set up for Kerberos authentication.
Your code will be attempting to connect to CRM using the Application Pool identity. You could configure this as a user within CRM and then use CRM impersonation (nothing to do with Kerberos or AD) by setting the CallerID on the proxy to the guid of the originating user (you'd have to make a call into CRM to get this). There's information about how to do this in the SDK docs.
For an ASP.NET app to impersonate a logged in user, especially from a fully-qualified domain name, you'll need to configure two things.
The App Pool identity for your ASP.NET application. Is this running as Network Service or as a specific user? The identity running the application must be "enabled for delegation." This is an option in Active Directory for that user account. If your application is running as Network Service, you'll want to enable delegation on the Computer account in AD instead of an user account.
The SPN (service principal name) for the application domain. A SPN is kind of like DNS for authentication, and is required for impersonation. If you are just using the machine name (e.g. http://server/app) AND you are using Network Service as the identity, you won't need to configure a SPN because one is set up by default for you when the server joins Active Directory. However, if you use a specific user account for the ASP.NET identity OR you want your users to use a fully qualified domain name (e.g. http://www.server.com), you'll need to tell Active Directory about this, and you do that using a SPN. Your Active Directory administrator should be familiar with SPNs and the setspn.exe command.
Please note that you may need to add a SPN for your CRM server as well, since it is just another ASP.NET application too. You should only need to do this if your internal CRM site is using a user account as the Identity OR you access the internal CRM using a fully-qualified domain name, just like your custom ASP.NET app.
Hope that helps!
We have developed a webservice that sits and runs in the context of a sharepoint site. This works fine using normal windows authentication.
We now have a client who wants to install this on a Kerberos enabled sharepoint site. What changes would we need to make to either the webserivce, the calling client (a windows service) or both to enable this...?
Is this in an intranet?
If so, and your client is already passing windows credentials to the web service, you shouldn't have to do any additional work.
If you aren't passing windows credentials, here is how to do it :
WebServiceProxy proxy = new WebServiceProxy(); // Derived from SoapHttpClientProtocol
proxy.Credentials = CredentialCache.DefaultCredentials;
This method works for both NTLM and Kerberos authentication. It will pass the credentials of the windows account under which the code is running.
Case 1. When I browse a little test site from my own PC called JOHNXP (e.g. http://localhost/WebClient ), my .aspx page invokes my ASMX webservice picks up my credentials and passes them across to another webservice on ANOTHER machine (SERVERTRIM) in the same domain. I can see my request resulting in a Security Log entry on the SERVERTRIM machine with my credentials.
Case 2. I move to another PC in the same domain and logon with the same credentials I used back at my personal desktop. When I browse the same test site above (this time as http://johnxp/WebClient ), I get this percolated back to my .aspx page:
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Net.WebException: The request failed with HTTP status 401: Unauthorized
Looking at the Security Log on SERVERTRIM, I note that the access in case 2 resulted in an ANONYMOUS LOGON which seems to explain the 401 / Unauthorized.
I'm trying to get my webservice to use the credentials of the logged in DOMAIN user when my WS calls a vendor's webservice on a different server.
My ASMX webservice runs on my desktop (IIS 5.1 WinXP Pro - machine name is JOHNXP). I have Enable anonymous UNCHECKED in every server involved and I have this in every web.config involved in my scenario:
The vendor webservice runs on SERVERTRIM (Win 2003 Server) and it is also ASMX and uses WSE 3.0.
Wireshark and Netmon look too formidable as tools for me right now. I am figuring the different resulting LOGONs on the "remote" server (SERVERTRIM) are sufficient "evidence". All machines above are in the same domain but I want to keep the "remote" webservice on SERVERTRIM and my intermediate webservice on a different server in the same domain if possible. Does this scenario demand that I have to dig into "delegation"? What would be the easiest tool to monitor why the same credentials result in an ANONYMOUS LOGON when the web request is initiated on another machine in the domain?
My knowledge of authentication is a bit hazy, but if I understood your description correctly:
in the first case, you're browsing to localhost, which is impersonating the caller, then calling a web service on a different machine. The impersonation is being done on the same machine as the client. I believe in this case, the impersonating application doesn't need to be on a machine that is trusted for delegation (because it's already the same machine as the client).
in the second case, you're browsing to a different PC, which is attempting to impersonate the caller when calling a third PC. In this case, the PC in the middle would need to be trusted for delegation (which it presumably won't be if it's a development workstation).
I have a SOAP web service running on my sharepoint box under the _layouts directory, and a thick client which uses that SOAP service. We have one sharepoint box that uses basic auth and another which uses client certificates. I need that SOAP service to update some list items in a document library. The problem I'm having is nothing seems to work unless I run within an elevated privileges block. Here is a code snippet of what I'm trying to do.
using (SPSite site = new SPSite(fileUrl))
using (SPWeb web = site.OpenWeb()) {
// web.CurrentUser is always null unless in elevated privileges block.
// do something with document library...
web.Files.Add(...); // fails with access denied unless in elevated privileges block.
}
I also tried "SPContext.Current.Web" but it returns null for "web.CurrentUser" even if I'm in an elevated privileges block.
I really can't use an elevated privileges block because the users complain that anything my SOAP service touches has a modified by system.
From the thick client we are using code like the following...
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(requestString);
if(basicAuth) {
request.Credentials = System.Net.CredentialCache.DefaultCredentials;
}
else {
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
foreach (X509Certificate2 certificate in store.Certificates) {
request.ClientCertificates.Add(certificate);
}
request.GetResponse();
We are manually constructing the SOAP request for various reasons.
If you want your webservice to properly integrate within the sharepoint context (i.e. being able to query the "current sharepoint user"), you should really deploy it to _vti_bin (the ISAPI subfolder of the 12 hyve), not to _layouts.
Discovery is a bit of a pain and requires manual tweaking of files (see the MSDN article on custom webservices within SharePoint for more information), but as you are hand-building your request anyway discovery should not be an issue.
[Edit] As an alternative, you can try acquiring the SPUserToken of the windows authenticated user,
SPUserToken token = web.AllUsers[WindowsIdentity.GetCurrent().Name].UserToken;
and then use this token to open the site and web as this user.