0

I'm hoping someone can help me with this as I am at my wits' end.

I have a simple Web API web service that checks for the existence of a workspace on our document management system to determine security access.

When I run this service in the browser it works fine. However when I try to use the service in another Web API application it gives a 401.

I've tried pretty much everything I can think of and can find on here. It is using Windows Authentication and no matter what I try, NTLM, Negotiate or Negotiate:Kerberos, the credentials of the current user are not passed through. If I hard code my userid, password and domain however it works. The code is below

    [HttpGet]
    [Route("api/Session/CheckSecurity")]
    public HttpResponseMessage CheckSecurity(string id)
    {
        WebClient client;
        WindowsIdentity userId;
        string result;

        try
        {
            userId = (WindowsIdentity)User.Identity;

            using (WindowsImpersonationContext context = userId.Impersonate())
            {
                client = new System.Net.WebClient() { UseDefaultCredentials = true }; 
                client.Headers.Add("content-type", "application/json");
                result = client.DownloadString(new Uri(String.Format(ConfigurationManager.AppSettings["Url"], id)));
                return new HttpResponseMessage(HttpStatusCode.OK);
            }
        }
        catch (WebException webExcp)
        {
            HttpWebResponse resp = (HttpWebResponse)webExcp.Response;
            resp.Headers.Remove("WWW-Authenticate");
            // return 403 instead of 401 to prevent security pop up
            return new HttpResponseMessage(resp.StatusCode == HttpStatusCode.Unauthorized ? HttpStatusCode.Forbidden : resp.StatusCode);
        }
        catch (Exception ex)
        {
            return new HttpResponseMessage(HttpStatusCode.InternalServerError);
        }
    }
Improve this question
2
  • You create the context object but don't use it in the WebClient, is that intentional? Commented Oct 23, 2014 at 10:33
  • My understanding is that the context triggers the impersonation of the requesting user rather than the App Pool user and that UseDefaultCredentials would pick this up. If that's wrong then how would I go about using the context in the WebRequest call? Commented Oct 23, 2014 at 10:49

1 Answer 1

Reset to default
1

So after 2 days of trying everything I could think of and tearing my hair out a Google search led me to a completely unrelated issue where using a proxy can cause authentication problems.

This triggered an aha! moment and I turned off Fiddler. Lo and behold everything worked as it was supposed to!

I'm not sure why this happens but I'll have a play with Fiddler to see if I can stop this happening in the future.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.