By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
432,046 Members | 2,105 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 432,046 IT Pros & Developers. It's quick & easy.

IIS Webservice unauthorised access

P: n/a
Hi all,

We have a web application that uses web services for data access and
retrieval. The web app and web services reside under IIS on the same
server(WIN2003). The virtual directories have been set for windows
authentication and both the ASP web application and the web services are
using windows authentication with impersonation of the logged on user. We
also set the web service credentials to CredentialCache.DefaultCredentials.

Web application access in general is fine, but, when the web app calls the
web service we get a 401. Unauthorised access. Add the web site to either
intranet zone or trusted sites and all access is OK. (which suggest zone
settings but I cant find the setting causing the security problem.)

There is also another odd thing... If you browse to the web service via the
IIS console, enter the credentials, the web service access is fine even if it
is not in trusted sites or intranet zone???? Therefore the issue seems to be
with the app passing credentials to the web service but why adding to trusted
or intranet zone should rectify the problem - I'm confused......

Anyone got any ideas why? Is there a security setting I should be setting
somewhere. Any info would be appreciated.
Nov 23 '05 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Pete,

We have had some problems with authentication in the Intranet zone as well.
It may be worth checking the IE setting under the Security tab to ensure that
the User Authentication is set to 'Automatic logon only in Intranet zone'. It
may also be that the URL is not always being recognised as an Intranet
location, on advise from MS we have had to use Group Policy to distribute a
list of URL's to IE that it must recognise as Intranet locations which seems
to have solved our problems.

"TrinityPete" wrote:
Hi all,

We have a web application that uses web services for data access and
retrieval. The web app and web services reside under IIS on the same
server(WIN2003). The virtual directories have been set for windows
authentication and both the ASP web application and the web services are
using windows authentication with impersonation of the logged on user. We
also set the web service credentials to CredentialCache.DefaultCredentials.

Web application access in general is fine, but, when the web app calls the
web service we get a 401. Unauthorised access. Add the web site to either
intranet zone or trusted sites and all access is OK. (which suggest zone
settings but I cant find the setting causing the security problem.)

There is also another odd thing... If you browse to the web service via the
IIS console, enter the credentials, the web service access is fine even if it
is not in trusted sites or intranet zone???? Therefore the issue seems to be
with the app passing credentials to the web service but why adding to trusted
or intranet zone should rectify the problem - I'm confused......

Anyone got any ideas why? Is there a security setting I should be setting
somewhere. Any info would be appreciated.

Nov 23 '05 #2

P: n/a
Paul,

Thanks for the reply, we do have auto logon in intranet zone etc. but our
problem is the reverse - if not in intranet zone or trusted zone get
unauthorised, add the site to intranet or trusted and authentication works??

We have already had some issues with authentication specifically with
Windows authentication where host headers are used. If the host header doesnt
match machine netbios name, then windows authentication fails. Resolution in
this case is to use setspn from toolkit to add special names for Server in AD
that matches the host header.

Pete

"Paul Hasell" wrote:
Pete,

We have had some problems with authentication in the Intranet zone as well.
It may be worth checking the IE setting under the Security tab to ensure that
the User Authentication is set to 'Automatic logon only in Intranet zone'. It
may also be that the URL is not always being recognised as an Intranet
location, on advise from MS we have had to use Group Policy to distribute a
list of URL's to IE that it must recognise as Intranet locations which seems
to have solved our problems.

"TrinityPete" wrote:
Hi all,

We have a web application that uses web services for data access and
retrieval. The web app and web services reside under IIS on the same
server(WIN2003). The virtual directories have been set for windows
authentication and both the ASP web application and the web services are
using windows authentication with impersonation of the logged on user. We
also set the web service credentials to CredentialCache.DefaultCredentials.

Web application access in general is fine, but, when the web app calls the
web service we get a 401. Unauthorised access. Add the web site to either
intranet zone or trusted sites and all access is OK. (which suggest zone
settings but I cant find the setting causing the security problem.)

There is also another odd thing... If you browse to the web service via the
IIS console, enter the credentials, the web service access is fine even if it
is not in trusted sites or intranet zone???? Therefore the issue seems to be
with the app passing credentials to the web service but why adding to trusted
or intranet zone should rectify the problem - I'm confused......

Anyone got any ideas why? Is there a security setting I should be setting
somewhere. Any info would be appreciated.

Nov 23 '05 #3

P: n/a
Pete,

That's what I was trying to say, there seem to be some circumstances when IE
fails to correctly identify a location which should be in the intranet as
actually being in the intranet so you have to force the issue and tell it
explicity. Do you use a configuration script for your IE proxy settings?

"TrinityPete" wrote:
Paul,

Thanks for the reply, we do have auto logon in intranet zone etc. but our
problem is the reverse - if not in intranet zone or trusted zone get
unauthorised, add the site to intranet or trusted and authentication works??

We have already had some issues with authentication specifically with
Windows authentication where host headers are used. If the host header doesnt
match machine netbios name, then windows authentication fails. Resolution in
this case is to use setspn from toolkit to add special names for Server in AD
that matches the host header.

Pete

"Paul Hasell" wrote:
Pete,

We have had some problems with authentication in the Intranet zone as well.
It may be worth checking the IE setting under the Security tab to ensure that
the User Authentication is set to 'Automatic logon only in Intranet zone'. It
may also be that the URL is not always being recognised as an Intranet
location, on advise from MS we have had to use Group Policy to distribute a
list of URL's to IE that it must recognise as Intranet locations which seems
to have solved our problems.

"TrinityPete" wrote:
Hi all,

We have a web application that uses web services for data access and
retrieval. The web app and web services reside under IIS on the same
server(WIN2003). The virtual directories have been set for windows
authentication and both the ASP web application and the web services are
using windows authentication with impersonation of the logged on user. We
also set the web service credentials to CredentialCache.DefaultCredentials.

Web application access in general is fine, but, when the web app calls the
web service we get a 401. Unauthorised access. Add the web site to either
intranet zone or trusted sites and all access is OK. (which suggest zone
settings but I cant find the setting causing the security problem.)

There is also another odd thing... If you browse to the web service via the
IIS console, enter the credentials, the web service access is fine even if it
is not in trusted sites or intranet zone???? Therefore the issue seems to be
with the app passing credentials to the web service but why adding to trusted
or intranet zone should rectify the problem - I'm confused......

Anyone got any ideas why? Is there a security setting I should be setting
somewhere. Any info would be appreciated.

Nov 23 '05 #4

P: n/a
I see - I was missing your point.....

What you are saying, please correct me if I am wrong....

You shouldn't have to add to intranet zone, IE should automatically detect
that it is intranet, you shouldn't have to force the issue by adding to
intranet zone.

We dont use configuration scripts for IE, and we dont use a proxy......

Just a little 'aside' - if this wasn't an intranet site, but a live outward
facing site, but access to the site was using windows authentication, ie.
site designed for staff access from external clients, then IE wouldn't detect
that it is in the intranet zone as it isnt, but the scenario I have described
would still require adding to trusted site before web services authenticate
properly. Is it that credentials are only automatically sent (depending on
setting) if you are in intranet zone or trusted site and no credentials are
sent for internet zone (even with the automatic logon with current username
and password - setting set)

"Paul Hasell" wrote:
Pete,

That's what I was trying to say, there seem to be some circumstances when IE
fails to correctly identify a location which should be in the intranet as
actually being in the intranet so you have to force the issue and tell it
explicity. Do you use a configuration script for your IE proxy settings?

"TrinityPete" wrote:
Paul,

Thanks for the reply, we do have auto logon in intranet zone etc. but our
problem is the reverse - if not in intranet zone or trusted zone get
unauthorised, add the site to intranet or trusted and authentication works??

We have already had some issues with authentication specifically with
Windows authentication where host headers are used. If the host header doesnt
match machine netbios name, then windows authentication fails. Resolution in
this case is to use setspn from toolkit to add special names for Server in AD
that matches the host header.

Pete

"Paul Hasell" wrote:
Pete,

We have had some problems with authentication in the Intranet zone as well.
It may be worth checking the IE setting under the Security tab to ensure that
the User Authentication is set to 'Automatic logon only in Intranet zone'. It
may also be that the URL is not always being recognised as an Intranet
location, on advise from MS we have had to use Group Policy to distribute a
list of URL's to IE that it must recognise as Intranet locations which seems
to have solved our problems.

"TrinityPete" wrote:

> Hi all,
>
> We have a web application that uses web services for data access and
> retrieval. The web app and web services reside under IIS on the same
> server(WIN2003). The virtual directories have been set for windows
> authentication and both the ASP web application and the web services are
> using windows authentication with impersonation of the logged on user. We
> also set the web service credentials to CredentialCache.DefaultCredentials.
>
> Web application access in general is fine, but, when the web app calls the
> web service we get a 401. Unauthorised access. Add the web site to either
> intranet zone or trusted sites and all access is OK. (which suggest zone
> settings but I cant find the setting causing the security problem.)
>
> There is also another odd thing... If you browse to the web service via the
> IIS console, enter the credentials, the web service access is fine even if it
> is not in trusted sites or intranet zone???? Therefore the issue seems to be
> with the app passing credentials to the web service but why adding to trusted
> or intranet zone should rectify the problem - I'm confused......
>
> Anyone got any ideas why? Is there a security setting I should be setting
> somewhere. Any info would be appreciated.

Nov 23 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.