IT Troubleshooting

Monday, June 19, 2006

Solving NTLM multiple-hop authentication problem

I had developed a webservice that worked just fine when the webservice was on the same server with the .aspx page that called the webservice (let's call it SERVER1). From a web browser on another computer, I could connect to SERVER1 and the .aspx page would call the webservice without any problems.
I had the website set to require Integrated Windows (NTLM) authentication so that users would be authenticated automatically with their Windows logon, and the code that called the webservice forwarded the impersonated caller's security context rather than any explicit username and password:

proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;

When I kept the webservice on SERVER1 and moved the .aspx pages to another IIS server (let's call it SERVER2) it would all still work as long as I was logged onto SERVER2 and calling up the .aspx pages locally. However, when I would view the .aspx pages on SERVER2 from another computer, I would get an authentication error:

Exception Details: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.

If I hardcoded the credentials, it would work (at the cost of every caller showing up on SERVER1 as that one account instead of as themselves):

proxy.Credentials = new System.Net.NetworkCredential("username", "password", "");

It would also work if I changed the authentication for the website from NTLM to basic authentication, because with basic authentication SERVER2 actually receives the username and password and can reuse them for the next hop (which is also why basic authentication should only ever be used over SSL). However, that would require the user to enter their username and password; a step that I didn't want them to take.

After looking in some forums, I saw that this is the multiple-hop, sometimes called 2-hop or double-hop, authentication problem. It is not really an IIS setting, and it is not a bug: NTLM only proves the user's identity to SERVER2, it never hands SERVER2 anything it could use to authenticate as that user to a third machine, so the impersonated token the worker process holds is good on SERVER2 and nowhere else. (Browsing from SERVER2 itself worked only because that box already held my logon credentials.) Kerberos can forward the user's ticket to a second hop, but only if the middle server is explicitly allowed to delegate. Finally, after throwing my hands up and posting to an MSDN forum, I found this little link (thanks kbradl1):

That link talks about this issue and SharePoint (which runs on IIS). However, this article describes the steps to take with IIS6, mainly editing \system32\inetsrv\Metabase.xml. I was running Windows 2000 Server with IIS5, and IIS5 keeps its metabase in a binary file rather than in Metabase.xml. I thought I was back at square one, but another step that is required is enabling a computer in Active Directory to be trusted for delegation. In my case I needed SERVER2, the server that receives the user's logon and has to act on their behalf, to be trusted for delegation.

To enable a computer for delegation, open up Active Directory Users and Computers and find the computer. Open up the Properties window for the computer and on the General tab, check the checkbox labeled "Trust computer for delegation". This only helps when the browser authenticates to SERVER2 with Kerberos rather than NTLM; an NTLM logon leaves nothing to delegate no matter what the checkbox says.

That's all I needed to fix my problem. One caution, though: that checkbox grants unconstrained delegation. Once it is set, every user who authenticates to SERVER2 with Kerberos hands it a ticket it can use as that user against any service in the domain, not just the webservice on SERVER1, so whoever controls SERVER2 effectively controls every account that browses to it. On a Windows Server 2003 or later domain the computer's Delegation tab offers "Trust this computer for delegation to specified services only", which limits SERVER2 to the SERVER1 webservice and is the setting to use wherever it is available. I hope this helps someone else out there.
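
The same delegation setup, done with the ActiveDirectory PowerShell module instead of the ADUC checkbox, as an added example that is not code from the original post. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, that the IIS worker process on SERVER2 runs as the computer account (the default Network Service identity), and uses SERVER1, SERVER2 and contoso.local as placeholder names. It first checks that Kerberos can actually be negotiated for the first hop, reports the current delegation bits, and then applies constrained delegation to the SERVER1 webservice only, which needs a Windows Server 2003 or later domain functional level (the unconstrained bit the post's checkbox sets is left commented out).

```powershell
# Added example (not code from the original post). Assumes the ActiveDirectory
# RSAT module, an IIS worker process running as the computer account, and the
# placeholder names SERVER1, SERVER2 and contoso.local.
Import-Module ActiveDirectory

$frontEnd = 'SERVER2'              # renders the .aspx pages; must delegate
$backEnd  = 'SERVER1'              # hosts the webservice
$domain   = 'contoso.local'
$siteHost = "$frontEnd.$domain"    # name users type into the browser

# userAccountControl bits toggled by the ADUC checkboxes
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust computer for delegation" (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + "use any authentication protocol"

$acct = Get-ADComputer -Identity $frontEnd `
    -Properties userAccountControl, servicePrincipalName, 'msDS-AllowedToDelegateTo'

# 1. The first hop must be Kerberos; an NTLM logon leaves nothing to delegate.
#    A computer account's HOST/ SPN already covers HTTP for the machine's own
#    name, so an explicit HTTP/ SPN is only needed for an alias (CNAME, host
#    header). A duplicate SPN silently breaks Kerberos, so setspn -S checks first.
$covered = $acct.servicePrincipalName | Where-Object { $_ -in "HTTP/$siteHost", "HOST/$siteHost" }
if (-not $covered) {
    Write-Warning "No HTTP/ or HOST/ SPN for $siteHost on $frontEnd; browsers will fall back to NTLM"
    setspn -S "HTTP/$siteHost" $frontEnd
}

# 2. Report the current delegation state of the computer account.
$uac = $acct.userAccountControl
[pscustomobject]@{
    Computer          = $frontEnd
    Unconstrained     = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
    ProtocolTransit   = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    ConstrainedTo     = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
}

# 3a. What the post's checkbox does: unconstrained delegation. Every user who
#     authenticates to SERVER2 with Kerberos sends it a forwardable ticket that
#     SERVER2 can replay against ANY service in the domain.
# Set-ADAccountControl -Identity $acct -TrustedForDelegation $true

# 3b. Preferred where the domain is at Windows Server 2003 functional level or
#     later (not the Windows 2000 domain in the post): constrain delegation to
#     the back-end webservice only, and make sure the unconstrained bit is off.
#     The SPNs listed must match the host name in the webservice URL on SERVER2.
Set-ADComputer -Identity $acct -Replace @{
    'msDS-AllowedToDelegateTo' = @("HTTP/$backEnd", "HTTP/$backEnd.$domain")
}
Set-ADAccountControl -Identity $acct -TrustedForDelegation $false
```

If the IIS worker process on SERVER2 runs as a domain service account instead of Network Service, every step above applies to that user account rather than the computer object: the SPN goes on the service account (Get-ADUser/Set-ADUser) and so does the delegation setting, because Kerberos looks up delegation rights on whichever account presented the service ticket.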

2 Comments:

  • I need to do all of this? I have my main web server (SERVER1) which is my intranet machine. It requests reports from our report server (SERVER2). Both use authentication. Once logged into SERVER1, I want it to take that authentication and pass it on to SERVER2 when reports are requested. I just do not want to do all this and not have it work. Both machines are Win2003/IIS6. Sharepoint is not being used. And, SERVER2 is a DC.

    By Blogger CW, at 1:52 PM  

  • Yep, it's really not that much work. I've gotten out of development since I posted this and mainly do sys admin work. I work for a different company now and the developers are always asking me to do the computer delegation task (since they don't have the rights to Active Directory). They use a lot of webservices and are creating new IIS webservers. Give it a shot and let us know if it worked for you.

    By Blogger jason carwile, at 9:23 PM  
