
I would like to know how I can fix this issue wherein a WebApp running on IIS 7/8 with Windows Authentication is throwing a 401 error while executing an HttpWebRequest to another site. This WebApp works fine if I run it locally, i.e. in debug mode.

Here is the code snippet

```csharp
// Requires: using System.IO; using System.Net;
HttpWebRequest webReq;
webReq = (HttpWebRequest)WebRequest.Create("http://sharepoint_site/_vti_bin/listdata.svc/mylist");
webReq.Accept = "application/json";
webReq.UseDefaultCredentials = true;
webReq.Credentials = CredentialCache.DefaultNetworkCredentials;
//webReq.Credentials = new NetworkCredential("user","password","domain");

webReq.Method = "GET";
webReq.KeepAlive = true;
// Fetch the response once and read its body stream
HttpWebResponse response = (HttpWebResponse)webReq.GetResponse();
Stream objStream = response.GetResponseStream();
StreamReader objReader = new StreamReader(objStream);
```

I was also able to make it work by adding a BackConnectionHostNames entry in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

but I need to pass in the credentials (commented above) which I don't like because I don't want to use my account or any service account.

I want the WebApp to use DefaultNetworkCredentials or DefaultCredentials. I enabled Windows Authentication and NTLM provider on the IIS of the machine hosting this WebApp.

Any help will be greatly appreciated, thanks and more power to this community.

Joms

1 Answer

CredentialCache.DefaultNetworkCredentials uses the network credentials that the process is running under. If it's running in IIS, it will be the application pool identity, which the web service won't accept.

You will either have to pass different credentials in code (what you said you didn't want to do) or update the application pool to run with network credentials (right-click the application pool in IIS -> Advanced Settings -> Identity).

Gabriel Luci
  • Ok I set the app pool identity as Network Service. I don't want to put custom account there either. Shouldn't that pass the credential of the currently logged user in the network all the way down to the HttpWebRequest call? – Joms Jan 19 '16 at 16:54
  • Are users authenticating to your website using their network credentials? You could turn on [Impersonation](https://msdn.microsoft.com/en-us/library/aa292118(v=vs.71).aspx) so that it uses the credentials of the person visiting the site. – Gabriel Luci Jan 19 '16 at 16:58
  • I enabled impersonation and then switched to classic pipeline mode but still getting 401 error unless I provide a custom identity on the app pool which I don't want. I've tried both Network Service and ApplicationPoolIdentity but still no go. Is this a limitation of NTLM not being able to pass credentials from parent site to another site? – Joms Jan 19 '16 at 18:35
  • You don't need to change to Classic pipeline. Use option 2 from [this blog](http://www.allenconway.net/2010/11/how-to-use-impersonation-in-aspnet.html). It's just a web.config update to make that error go away. Then check if DefaultNetworkCredentials is what you think it should be (either while debugging, or output CredentialCache.DefaultNetworkCredentials.UserName to the page). – Gabriel Luci Jan 19 '16 at 19:18
  • Ok, that's an interesting web.config setting, and yes, it suppresses the 501 error when setting impersonation=true while running in integrated pipeline mode, but it still didn't help with the 401 error. And yes, I am displaying the login name of the user on the page and it displayed as expected. – Joms Jan 20 '16 at 00:25
  • When you display the login name, is that being pulled from CredentialCache.DefaultNetworkCredentials.UserName? – Gabriel Luci Jan 20 '16 at 02:21
  • My bad, I am not able to display it from CredentialCache.DefaultNetworkCredentials.UserName but from System.Security.Principal.WindowsIdentity.GetCurrent().Name. I discovered that the Windows Credential options were disabled when I viewed them from Control Panel -> Credential Manager. So I enabled them and added a credential for the IIS server. Still not working and I am still not able to display the CredentialCache user name. – Joms Jan 20 '16 at 15:02
  • From [here](https://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.credentials(v=vs.110).aspx): "In most client scenarios, you should use the DefaultCredentials property, which contains the credentials of the currently logged on user. To do this, set the UseDefaultCredentials property to true instead of setting this property." – Gabriel Luci Jan 20 '16 at 17:43
  • So maybe just remove this line: webReq.Credentials = CredentialCache.DefaultNetworkCredentials; – Gabriel Luci Jan 20 '16 at 17:44
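
A diagnostic for the identity check discussed in the comments above (an added example, not code from the question or the answer): it reports which Windows identity and token level the calling thread holds, then issues the request with UseDefaultCredentials and records what the target answers. The class and method names are made up for illustration; call it from a page in the WebApp with the target URL.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Text;

// Added diagnostic; OutboundIdentityProbe and Describe are illustrative names.
public static class OutboundIdentityProbe
{
    // Reports the identity the current thread would send with
    // UseDefaultCredentials, then tries the request and records the outcome.
    public static string Describe(string url)
    {
        var report = new StringBuilder();
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            report.AppendLine("Thread identity : " + id.Name);
            report.AppendLine("Auth type       : " + id.AuthenticationType);
            // None = process (app pool) token, no impersonation in effect.
            // Impersonation = client context usable on the local system only.
            // Delegation = client context may also be used on remote systems.
            report.AppendLine("Token level     : " + id.ImpersonationLevel);
        }
        // Default credentials never expose user name, domain or password,
        // so this prints an empty string whatever identity is in effect.
        report.AppendLine("DefaultNetworkCredentials.UserName = '" +
            CredentialCache.DefaultNetworkCredentials.UserName + "'");

        var req = (HttpWebRequest)WebRequest.Create(url);
        req.Accept = "application/json";
        req.UseDefaultCredentials = true;   // send the thread's current identity
        try
        {
            using (var resp = (HttpWebResponse)req.GetResponse())
                report.AppendLine("Response        : " + (int)resp.StatusCode);
        }
        catch (WebException ex)
        {
            var resp = ex.Response as HttpWebResponse;
            if (resp == null) { report.AppendLine("No HTTP response: " + ex.Status); }
            else
            {
                report.AppendLine("Response        : " + (int)resp.StatusCode);
                // Authentication schemes the target offers (e.g. Negotiate, NTLM).
                foreach (string v in resp.Headers.GetValues("WWW-Authenticate") ?? new string[0])
                    report.AppendLine("  WWW-Authenticate: " + v);
                resp.Close();
            }
        }
        return report.ToString();
    }
}
```

A token level of Impersonation together with an auth type of NTLM means the visitor's identity is valid on the IIS machine but is not forwarded to the second server; forwarding it requires Kerberos with delegation configured for the app pool account.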