0

When I attempt to connect to an intranet web service from a web application running on IIS Express that web service returns a 403 Forbidden. The service works correctly when I access via unit tests or from the same site running on Cassini or on under IIS 7.5 on my server. My gut tells me this is a configuration issue, but I'm not sure where to begin looking.

What would cause a remote web service to return a 403 Forbidden when that service is accessed from a site running on IIS Express?

To clarify the service I am accessing is not SOAP based. I am setting up a specific network credential and passing it along with my request which the below code illustrates.

protected XDocument Search(Uri requestUri)
{
    var nc = new NetworkCredential(this.config.ServiceUserName,
        this.config.ServicePassword);
    var cCache = new CredentialCache();
    cCache.Add(requestUri, "Basic", nc);

    var request = (HttpWebRequest)HttpWebRequest.Create(requestUri);
    request.Credentials = cCache;
    request.PreAuthenticate = true;
    request.Method = WebRequestMethods.Http.Get;

    var response = (HttpWebResponse)request.GetResponse();
    return XDocument.Load(new StreamReader(response.GetResponseStream()));
}
Community
  • 1
  • 1
ahsteele
  • 26,243
  • 28
  • 134
  • 248
  • Where to begin: Your cassini app is probably running under your user id. On the other hand IIS Express is probably running with a different Windows identity. Possibly IUSR (I don't know IIS Express). The remote service probably uses Windows authentication - and does not allow anonymous access. So you would need to grant permissions to the identity of IIS Express (likely machine\IUSR, where machine is the name of the computer that runs IIS Express) on the IIS vdir on the remote server. – Cheeso Jun 16 '12 at 02:52
  • @Cheeso I should have posted code with my question. I am providing authentication, hence my confusion. – ahsteele Jun 16 '12 at 07:08

2 Answers2

0

List of issues you are/will be running into in case of Windows Auth on the Web services' side:

  • as Cheeso pointed out your reqest could be simply running under anonymous (or local) account. This could be either due to running without impersonation of calling user and process itself runs under wrong account or user is considered to be anonymous and request is switched to that special local "anonymous" account.
  • when you fix above by turning on impersonation of incoming user you'll run into "NTLM one hop hell" issues - incoming credentials can't be used on other servers (Kerberos is a solution, but unlikely to be available in most cases).
  • when you fix first issue by disabling impersonation (or running code under process' account instead of incoming user's account) and making process to run under domain account (or other account that actually have permissions to the web service) you'll run into the fact that you may be opening possibilities for users to obtain data that thay should not have access too.

Essentially you need to figure out what account can/should access the web service and run code that acceesses the web service under that account. The account must log in locally (can't use identity of incoming user).

Alexei Levenkov
  • 98,904
  • 14
  • 127
  • 179
  • The service I am attempting to access is running on a different server. I've added code to my question showing how I access it. This code provides a NetworkCredential for the user I wish to authenticate with. I didn't think impersonation came into play when making a request (but I could be misunderstanding something from your answer). – ahsteele Jun 16 '12 at 07:14
  • My answer is not relevant to your case now: it is assuming Windows auth, but your service uses basic auth based on your sample code. No, I'm not sure why it does not work. – Alexei Levenkov Jun 16 '12 at 21:55
0

I do not have time to dig into the why right now, but I can say that it had something to do with my proxy settings. Switching to a different proxy provider for my box alleviated the issue. This internal transaction should have been bypassing the proxy all together and why IIS would behave differently than other mechanisms is beyond me. Begrudgingly I am going to mark this as the answer and hope the small notice to check your proxy settings helps someone. Sorry this isn't more specific.

ahsteele
  • 26,243
  • 28
  • 134
  • 248