I am not sure if this is a .NET bug/feature and IIS5 one or a combination of
the 2 so here goes
I have a situation where when I call an ASP.NET webservice running under
windows 2000 (I assume IIS5) with a webservice client also in .NET that the
webservice request loses the Authorization HTML header.
This DOES NOT happen under Windows 2003.
I am using the followng (patch/fix) to preauthenticate the web request (this
is from a KB article, or newsgroup article I think)
Protected Overrides Function GetWebRequest(ByVal uri As System.Uri) As
System.Net.WebRequest
Dim webReq As System.Net.WebRequest = MyBase.GetWebRequest(uri)
If Me.PreAuthenticate Then
Dim cred As System.Net.NetworkCredential =
Me.Credentials.GetCredential(uri, "Basic")
If Not cred Is Nothing Then
Dim buff As Byte() = New
System.Text.UTF8Encoding().GetBytes(cred.UserName & ":" & cred.Password)
webReq.Headers("Authorization") = "Basic " &
Convert.ToBase64String(buff)
End If
End If
Return webReq
End Function
Also webservice and client are running under the same process/application -
long story but it is to fake the fact that the server we are supposed to
talk to isn't available yet.
i.e. under my webservice I have 2 folders - in one folder I have the .asmx
files that our web application talks to and under the other folder I have a
..asmx that responds the way the 3rd party service is supposed to
with requests to the first folder causing a request to the second.
I hope someone can tell me what is going on.
Regards
Shaun 15 2990
Hi Shaun,
Thanks for your posting. From your description, you've an asp.net web
service which make use of the Http header to store some authentication
tokens. But you found this header will lose when you host the webservice on
win2k server (works ok on 2003 server) ,yes?
From the client code you provided, seems you're using the WebRequest class
to consume the webservie rather than use the wsdl.exe to generate the
client proxy ,yes? Since the using HttpHeader to store authentication info
will make the webservice reply on the underlying protocal, generally, we
recommend that we use th SOAP HEADER to store such info.
would you consider using the SoapHeader or if there is any certain concerns
on this, please feel free to post here. Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Hi Steven
No what happens is that when the client talks to the server hosted on the
same machine the Authorization header goes missing. However when the
client running on the windows 2000 talks to a different machine (Windows
2003)
then the Authorization header is there
I used the .NET tools (wsdl.exe) to generate my client and servers based on
the WSDL
(generated by the java syatem we need to talk to) and then used the
information from
the following newsgroup to override the web request to get preauthentication
to work
( http://groups.google.co.uk/groups?q=...on&hl=en&lr=&s
elm=%23euI3BFUCHA.2832%40tkmsftngp10&rnum=5)
Unfortunately using the SOAP Header isn't an option as it is not supported
by the specification we need to adhere to.
I can knock up a demo project(s) to emulate what we are doing if you wish.
Shaun
"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:kK**************@cpmsftngxa10.phx.gbl... Hi Shaun,
Thanks for your posting. From your description, you've an asp.net web service which make use of the Http header to store some authentication tokens. But you found this header will lose when you host the webservice
on win2k server (works ok on 2003 server) ,yes?
From the client code you provided, seems you're using the WebRequest class to consume the webservie rather than use the wsdl.exe to generate the client proxy ,yes? Since the using HttpHeader to store authentication
info will make the webservice reply on the underlying protocal, generally, we recommend that we use th SOAP HEADER to store such info. would you consider using the SoapHeader or if there is any certain
concerns on this, please feel free to post here. Thanks.
Regards,
Steven Cheng Microsoft Online Support
Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.)
Thanks for your response Shaun,
I'll have a look at your attached code and do some tests. And I'll update
you as soon as I got any further progress. Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Hi Shaun,
After some tests, It seems that the code you provided works correctly on my
side. I've tested on two machines. One is XP PRO with iis5 .net 1.1 and
another win2k3 server with iis6 .NET 1.1. ( the webservice's virtual dir
is set allow anonymous)
In both tests I put the client and server on the same machine(local test).
The HTTP header is sent correctly so I'm wondering the problem is due to
any enviormential issue? You may have a check, if there is any new
findings, please feel free to post here . Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Hi Steven
The problem is possibly then with windows 2000 and iis5 perhaps. I have
always stressed this point.
I have seen this issue so far with 4 windows 2000 machines. 2 developer
boxes, 1 test environment and my home test machine.
I used anonymous on all sites/folders.
I hope you will be able to replicate the environment.
Shaun
"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:Qc**************@cpmsftngxa10.phx.gbl... Hi Shaun,
After some tests, It seems that the code you provided works correctly on
my side. I've tested on two machines. One is XP PRO with iis5 .net 1.1 and another win2k3 server with iis6 .NET 1.1. ( the webservice's virtual dir is set allow anonymous)
In both tests I put the client and server on the same machine(local test). The HTTP header is sent correctly so I'm wondering the problem is due to any enviormential issue? You may have a check, if there is any new findings, please feel free to post here . Thanks.
Regards,
Steven Cheng Microsoft Online Support
Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.)
Hi Shaun,
Thanks for your response. Yes, I've just tested on a w2k server(iis5) with
framework1.1 ,but the behavior is the same as I tested on other enviorment,
the Authorization header is sent correctly.
Have you tried changing to use another custom Header Name such as
webReq.Headers.Add("myheaderitem", "myheadervalue")
to see whether it can be sent correctly?
In addition, I'm a bit confused that why you need to manually set the HTTP
authorization header? When we add the following code
Dim cache As New System.Net.CredentialCache
Dim cred As New System.Net.NetworkCredential("IWTeamMember1",
"Password01!", "sha-dng-chn")
cache.Add(New
Uri(System.Configuration.ConfigurationSettings.App Settings("Uri")),
"Basic", cred)
ws.Credentials = cache
the webrequest will automatically add the HTTP authorization header for us.
That means, even we don't override the GetWebRequest and manually add the
header, the webrequest will generate the header for use according to the
NewworkCrediential we add in the CredentialCache. I've tested this to
confirm this behavior. Have you also tried this?
Just turn on the IIS's BASIC authentication and run the following code at
client
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles Button1.Click
Try
Dim service As New AuthTestService.AuthTestService
Dim cache As New System.Net.CredentialCache
Dim cred As New System.Net.NetworkCredential("username",
"password!", "servername")
cache.Add(New
Uri(System.Configuration.ConfigurationSettings.App Settings("Uri")),
"Basic", cred)
service.Credentials = cache
MessageBox.Show(service.HelloWorld())
Catch ex As Exception
MessageBox.Show(ex.ToString())
End Try
this can return "HelloWorld" correctly.
Please have a check and let me know if there is anything unclear. Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
End Sub
Hi Steven
I did say the issue was with windows 2000, I never tried with XP Pro. but so
far 4 windows 2000 boxes all exhibit the same problem.
All have anonymous set, I am using preauthentication so the credentials
should always be snet - and they do appear to do so.
I hope you may be able to replicate, however one has to ask why does windows
2000 strip the header.
Could it be a filter? Can't imagine why though.
Shaun
"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:Qc**************@cpmsftngxa10.phx.gbl... Hi Shaun,
After some tests, It seems that the code you provided works correctly on
my side. I've tested on two machines. One is XP PRO with iis5 .net 1.1 and another win2k3 server with iis6 .NET 1.1. ( the webservice's virtual dir is set allow anonymous)
In both tests I put the client and server on the same machine(local test). The HTTP header is sent correctly so I'm wondering the problem is due to any enviormential issue? You may have a check, if there is any new findings, please feel free to post here . Thanks.
Regards,
Steven Cheng Microsoft Online Support
Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.)
Hi Steven
I'll give it a try
I've come across the following http://groups.google.co.uk/groups?q=...FTNGP09&rnum=1
and it seems to descibe the same symptoms. It also seems to be that it (the
Authorization header) will come through if we enable basic authentication.
Okay but whey the difference between 2000 and 2003.
Actually the problem occurs only if the server is 2000, the client is not a
factor.
Basic Authentication isn't turned on via IIS and there should be no need to
do so as I wish to use a HttpHandler to look after the credentials and send
back an Authorization error (403?) - this is because the application could
be hosted on a site where access to the IIS is minimal (3rd party hosting
environment).
Also I wish to authenticate against my own control list (database or
web.config) and not that controlled by a 3rd party.
Shaun
"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:D5*************@cpmsftngxa10.phx.gbl... Hi Shaun,
Yes, the problem is so strange. I'm sure this is a enviromential specific issue. Also, you've mentioned that the problem only occur when your client app and the webservice are on the same machine,(locally), so I've exclude the possibility of some firewall or proxy that may intercept the authorization header. In addition, I'm not sure whether you've tried sending a custom http
header as I mentioned in my last reply to see whether this can work?
Also, I've attached a ISAPI filter made by our IIS support guy which can help capture the raw data send to IIS. You may also try install it and capture the HTTP headers (when calling the webservice) on the problem machine to see whether the header has arrived the IIS. Here is the install steps for the isapi filter
============== Please open the server(computer icon)'s property->WWW Service global setting->ISAPI Filter tab, add the dll as a new ISAPI
filter(WriteRawData). Then please restart IIS service via iisreset command. Reproduce the problem. The filter will capture the incoming and outgoing rawdata in 2 files at c: - InRawData.log, OutRawData.log
=============
Hope helps. Thanks.
Regards,
Steven Cheng Microsoft Online Support
Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.)
Hi Steven
Sorry this skipped being read as my newsreader settings didn't read all
headers (fixed now)
I manually set it because the preauthentication flag doesn't work for
webservice - this is a known bug.
I also do not want to turn on basic authentication to make it work as I need
to handle the basic authentication using my own httphandler to check the
credentials.
(I also do not have the correct permission on the domain involved to add my
own users and thus I cannot use IIS basic authentication - unless you know
of another way of supplying username/password combinations)
Try turning off the basic authentication and looking for the authorization
field within the application (ps you will need to use my code to get
preauthentication to work) - see my original example.
Shaun
"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:ns**************@cpmsftngxa10.phx.gbl... Hi Shaun,
Thanks for your response. Yes, I've just tested on a w2k server(iis5) with framework1.1 ,but the behavior is the same as I tested on other
enviorment, the Authorization header is sent correctly. Have you tried changing to use another custom Header Name such as
webReq.Headers.Add("myheaderitem", "myheadervalue")
to see whether it can be sent correctly?
In addition, I'm a bit confused that why you need to manually set the
HTTP authorization header? When we add the following code
Dim cache As New System.Net.CredentialCache Dim cred As New System.Net.NetworkCredential("IWTeamMember1", "Password01!", "sha-dng-chn") cache.Add(New Uri(System.Configuration.ConfigurationSettings.App Settings("Uri")), "Basic", cred) ws.Credentials = cache
the webrequest will automatically add the HTTP authorization header for
us. That means, even we don't override the GetWebRequest and manually add
the header, the webrequest will generate the header for use according to the NewworkCrediential we add in the CredentialCache. I've tested this to confirm this behavior. Have you also tried this?
Just turn on the IIS's BASIC authentication and run the following code at client
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
Try Dim service As New AuthTestService.AuthTestService
Dim cache As New System.Net.CredentialCache Dim cred As New System.Net.NetworkCredential("username", "password!", "servername") cache.Add(New Uri(System.Configuration.ConfigurationSettings.App Settings("Uri")), "Basic", cred) service.Credentials = cache
MessageBox.Show(service.HelloWorld())
Catch ex As Exception
MessageBox.Show(ex.ToString()) End Try
this can return "HelloWorld" correctly.
Please have a check and let me know if there is anything unclear. Thanks.
Regards,
Steven Cheng Microsoft Online Support
Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.) End Sub
Hi Shaun,
Thanks for your followup. En, yes, I did tried both BAsic Authentication
turn ON and OFF when testing on my local w2k box. That's why I think the
problem is due to a enviroment specific issue.
Also, if you can leave your service as anonymous turn on in IIS, I think
you can try use a custom httpheader to carry the username/password info ,
does this work? Anyway, please feel free to post here if you got any
further findings.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Hi Steven
I have 4 different boxes it happens to. 2 developer boxes, 1 deployment box
and my own home machine. And it doesn't work on either and yet you say it
works on your machines then there is a bug somewhere (maybe a patch). Also
other posters in the past have noted the same issue (Google groups).
If it is patch related there is no way to determine and or fix it so I can't
rely on it working elsewhere. I think I am going to have to insist that
they use IIS basic Authentication in win2k machine.
Unfortunately I can't use a custom HTTP header as other (3rd party) clients
(java based) need to connect and the standard I am following requires that
we
use the Authorization header and preauthentication.
Shaun
"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:RK**************@cpmsftngxa10.phx.gbl... Hi Shaun,
Thanks for your followup. En, yes, I did tried both BAsic Authentication turn ON and OFF when testing on my local w2k box. That's why I think the problem is due to a enviroment specific issue. Also, if you can leave your service as anonymous turn on in IIS, I think you can try use a custom httpheader to carry the username/password info , does this work? Anyway, please feel free to post here if you got any further findings.
Regards,
Steven Cheng Microsoft Online Support
Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.)
Thanks for your reply Shaun,
Currently I haven't any definite ideas on this. But I'll hold on and wait
for the testing result (by the isapi I attached in the former message) from
you. That'll help us dig some further. Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Hi Shuan,
Any further progress on this issue? If there're any updating or new
findings , please feel free to post here.
Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Hi
Nothing new as yet - got too much other things on that I haven't had time to
spend on this.
Its odd that on all windows sever 2000 machines I have test on with the
application runing on exhibits the problem and not platforms. As I said
since there does not seem a way to predict it then I'll have to assume worst
case scenario and treat all windows server 2000 machines as having the same
problem.
Shaun
"Steven Cheng[MSFT]" <v-******@online.microsoft.com> wrote in message
news:8Z**************@cpmsftngxa10.phx.gbl... Hi Shuan,
Any further progress on this issue? If there're any updating or new findings , please feel free to post here. Thanks.
Regards,
Steven Cheng Microsoft Online Support
Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.)
Ok Shaun, if you have time to do some further investigate and got any
findings on this, please feel free to post here. Thanks.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.) This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Fabrice |
last post by:
hi !
here is my problem ! I add a field to an html header using php
function header("field_name: value"). When the php page is on my local
machine (which act as a server) i can read the "value"...
|
by: Terry |
last post by:
Hi,
I built a website using the HMTL header:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html...
|
by: crs2003c |
last post by:
For some time now, other teachers have had this problem. Visual C++ 6.0 was
once installed on a WIN98 platform and apstring.h and graphic.h worked.
However, since moving to WIN2000 and WINXP,...
|
by: gerrod |
last post by:
When using a master page In .NET v2.0 Beta 1, you could attach additional
stylesheets to the master page from your content pages, with a call such as:
...
|
by: Simon Verona |
last post by:
I don't know if this is the correct group to ask the question, but I'll ask
it here anyways!
I have a solution, written in vb.net 2003 (using Visual Studio 2003
Professional) which has multiple...
|
by: dotcom |
last post by:
hello,
i am sending whole javascript code(it is for freezing html header)
it works fine eith IE but not firefox scroll bar does not come
var divContent = null;
var divHeaderRow = null;
var...
|
by: dabei |
last post by:
Hi, I am trying to use AS3 to make a URL request with authorization header. Using the code below:
var request:URLRequest = new URLRequest ( 'http://myserviceURL' );
var...
|
by: abhilash12 |
last post by:
how can resizing html header table
|
by: funkymonk |
last post by:
I have no idea if this or how this can be done. Basically Ive been given a website made in dreamweaver using asp and html. I use asp.net and so everything I make uses masterpages rather than header...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| |