7

I am experiencing an authorization error for an asmx web service that I developed. The web service itself does not require any user credentials, but it seems like the web service is configured to enforce that, although I tried to set the configuration such as to allow for anonymous access:

I have set the corresponding web site in IIS to allow for anonymous access:

Screenshot of IIS setting

Further I have included the following lines in the web.config:

<configuration>
    ...
    <system.web>
        ...
        <authorization>
            <allow users="*"/>
        </authorization>
        ...
    </system.web>
    ...
</configuration>

When trying to call the web service from a test client, I get this error message:

The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'NTLM'.

The line of code calling the web service looks like this:

string message = new ServiceReference1.Service1SoapClient().HelloWorld();

And the code of the web service:

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[System.ComponentModel.ToolboxItem(false)]
public class Service1 : System.Web.Services.WebService
{
    [WebMethod]
    public string HelloWorld()
    {
        return "Hello World";
    }
}

Some important points:

  • If I try and set the client to authenticate using NTLM, it works fine.
  • If I try and set the client not to authenticate, it fails with the message above.
  • If I try and access the web service using a web browser, I also get a FORBIDDEN error message instead of the expected web service documentation page.
  • If I run the web service from within Visual Studio and configure the client to access that service (localhost...), it works fine.
  • See below for even more details

I also tried and put the authorization tag within a location tag pointing to the web service:

<location path="Service1.asmx">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

This is what the client configuration (app.config) looks like (please note that, as mentioned above, I can't even access the service using a web browser, so I don't consider the client configuration relevant):

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="Service1Soap" closeTimeout="00:01:00" openTimeout="00:01:00"
                    receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
                    bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                    maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                    messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                    useDefaultWebProxy="true">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <security mode="None">
                        <transport clientCredentialType="None" proxyCredentialType="None"
                            realm="" />
                        <message clientCredentialType="UserName" algorithmSuite="Default" />
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <client>
            <endpoint address="http://name.of.the.server.example.org/Service1.asmx"
                binding="basicHttpBinding" bindingConfiguration="Service1Soap"
                contract="ServiceReference1.Service1Soap" name="Service1Soap" />
        </client>
    </system.serviceModel>
</configuration>

Any ideas?


Update: I found the following file:

C:\WINNT\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\web.config

Does it have any relevance to a custom web application, and if yes, don't the settings of my own web.config override the settings of that file?

Contents of that file:

<configuration>
    <system.web>
        <membership>
            <providers>
                <add name="WebAdminMembershipProvider" type="System.Web.Administration.WebAdminMembershipProvider" />
            </providers>
        </membership>
        <httpModules>
            <add name="WebAdminModule" type="System.Web.Administration.WebAdminModule"/>
        </httpModules>
        <authentication mode="Windows"/>
        <authorization>
            <deny users="?"/>
        </authorization>
        <identity impersonate="true"/>
        <trust level="Full"/>
        <pages validateRequest="true"/>
        <globalization uiCulture="auto:en-US" />
    </system.web>
</configuration>

Though there is another file:

C:\WINNT\Microsoft.NET\Framework\v2.0.50727\config\web.config

And I think that rather this one is the system-wide web.config file. This file in fact allows access to all users:

<system.web>
    <authorization>
        <allow users="*"/>
    </authorization>
</system.web>
chiccodoro
  • A couple things... Could you post the web.config section from the test client that concerns the client-side service configuration? Also, have you tried making the method static on the service side? I know in some other contexts (such as regular aspx pages), WebMethods are required to be static, but I don't remember for asmx. – Andrew Jan 28 '11 at 08:02
  • @Andrew: Thanks for your comment. I have added some more details to my questions. I also tried accessing via web browser, so the app.config might not be too relevant. I still added it for reference. You never know... – chiccodoro Jan 28 '11 at 08:50
  • Does the user you're using for anonymous access have reading rights on your folder? – Martin Buberl Feb 01 '11 at 17:24

5 Answers

8

* means authenticated users, you need to use ? instead.

Try disabling authentication for the whole web site:

<system.web>
  <authentication mode="None" />
  <authorization>
    <allow users="?" />
  </authorization>
</system.web>

Do this check: create test.txt file and try accessing it from web browser. Do you get 'Access Denied' error?

Next, try opening non-existing aspx page, e.g. blah.aspx. You should get 404 error, not Access Denied.

Pavel Chuchuva
  • Unfortunately this did not change anything. However I found out that it was a problem with the account configured for anonymous access. – chiccodoro Feb 02 '11 at 10:14
  • Or stick a web.config in the folder containing the service which will overwrite the authorization setting – CRice Feb 03 '11 at 07:11
1

Have you checked for a higher level web.config and/or machine.config that are contributing configuration settings to your app?

Les
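
Added example (not code from the question or from any answer): a simplified Python model of how ASP.NET URL authorization evaluates `<allow>`/`<deny>` rules across a hierarchy of web.config files, which is what decides whether a higher-level file can override an application's own settings. It models only the `users` attribute (`*` = all users, `?` = anonymous); the config strings and the account name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed configs, not files from the page. ROOT and APP carry the
# <allow users="*"/> rule quoted in the question; PARENT_DENY is a
# hypothetical higher-level file with a <deny users="?"/> rule.
def _cfg(rule):
    return ("<configuration><system.web><authorization>%s"
            "</authorization></system.web></configuration>" % rule)

ROOT = _cfg('<allow users="*"/>')
APP = _cfg('<allow users="*"/>')
PARENT_DENY = _cfg('<deny users="?"/>')

def rules(xml_text):
    """Return [(action, [user tokens])] in document order."""
    auth = ET.fromstring(xml_text).find("system.web/authorization")
    if auth is None:
        return []
    return [(el.tag, [u.strip() for u in el.get("users", "").split(",")])
            for el in auth if el.tag in ("allow", "deny")]

def effective_rules(configs):
    """configs runs from least to most specific; local rules are checked first."""
    merged = []
    for xml_text in configs:
        merged = rules(xml_text) + merged
    return merged

def token_matches(token, user):
    if token == "*":          # every user, anonymous included
        return True
    if token == "?":          # anonymous (unauthenticated) requests only
        return user is None
    return token == user      # named account (simplified comparison)

def is_allowed(configs, user):
    """First matching rule decides; None means no rule matched at all."""
    for action, tokens in effective_rules(configs):
        if any(token_matches(t, user) for t in tokens):
            return action == "allow"
    return None

if __name__ == "__main__":
    for label, chain in [("root + app", [ROOT, APP]),
                         ("root + parent deny", [ROOT, PARENT_DENY]),
                         ("root + parent deny + app", [ROOT, PARENT_DENY, APP])]:
        print(label, "anonymous:", is_allowed(chain, None),
              "authenticated:", is_allowed(chain, "EXAMPLE\\alice"))
```

Under this model the question's `<allow users="*"/>` already admits anonymous requests, so a 401 with an NTLM challenge points to something outside these rules, such as the IIS anonymous-account setup the asker ultimately identified.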
0

Yes, the server needs to be configured to allow anonymous access to your site.
The <allow users="*" /> is all you need to do (from the .NET part).

SWeko
0

From .Net you must allow all users as you have already done. You also must have IIS configured to allow anonymous access. How do you authenticate with the rest of the pages?

smelch
0

There seems to be a problem with the internet guest account configured for anonymous access. If I set that account to a different one, it works fine.

chiccodoro