2

I would like to know how can I fix this issue wherein a WebApp running on IIS 7/8 with Windows Authentication is throwing 401 error while executing HttpWebRequest to another site. This WebApp works fine if I run it locally i.e debug mode.

Here is the code snippet

HttpWebRequest webReq;
webReq = (HttpWebRequest)WebRequest.Create("http://sharepoint_site/_vti_bin/listdata.svc/mylist);
webReq.Accept = "application/json";
webReq.UseDefaultCredentials = true;
webReq.Credentials = CredentialCache.DefaultNetworkCredentials;
//webReq.Credentials = new NetworkCredential("user","password","domain");

webReq.Method = "GET";
webReq.KeepAlive = true;
Stream objStream = webReq.GetResponse().GetResponseStream();
StreamReader objReader = new StreamReader(objStream);
HttpWebResponse response = (HttpWebResponse)webReq.GetResponse();

I was also able to make it work by adding BackConnectionHostNames entry in the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

but I need to pass in the credentials (commented above) which I don't like because I don't want to use my account or any service account.

I want the WebApp to use DefaultNetworkCredentials or DefaultCredentials. I enabled Windows Authentication and NTLM provider on the IIS of the machine hosting this WebApp.

Any help will be greatly appreciated, thanks and more power to this community.

Improve this question

1 Answer 1

Reset to default
2

CredentialCache.DefaultNetworkCredentials uses the network credentials that the process is running under. If it's running in IIS, it will be the application pool identity, which the web service won't accept.

You will either have to pass different credentials in code (what you said you didn't want to do) or update the application pool to run with network credentials (right-click the application pool in IIS -> Advanced Settings -> Identity)

Improve this answer
Sign up to request clarification or add additional context in comments.

9 Comments

Ok I set the app pool identity as Network Service. I don't want to put custom account there either. Shouldn't that pass the credential of the currently logged user in the network all the way down to the HttpWebRequest call?
Are users authenticating to your website using their network credentials? You could turn on Impersonation so that it uses the credentials of the person visiting the site.
I enabled impersonation and then switched to classic pipeline mode but still getting 401 error unless I provide a custom identity on the app pool which I don't want. I've tried both Network Service and ApplicationPoolIdentity but still no go. Is this a limitation of NTLM not being able to pass credentials from parent site to another site?
You don't need to change to Classic pipeline. Use option 2 from this blog. It's just a web.config update to make that error go away. Then check if DefaultNetworkCredentials is what you think it should be (either while debugging, or output CredentialCache.DefaultNetworkCredentials.UserName to the page).
Ok that's interesting web.config setting and yes it suppresses the 501 error when setting impersonation=true while running on integrated mode pipeline but still didn't help with the 401 error. And yes I am displaying the login name of the user on the page and it displayed it as expected.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.