401 error accessing web service using credentials

Hello Brad,

From your description, you're encountering some access/authentiation error
when calling an ASP.NET webservice which is secured through integraetd
windows authentication.

As for the code you used, I think it is quite correct, below is my local
test code that runs well.(on windows 2003 server IIS6/asp.net2.0)

==================
private void btnGetCollection_Click(object sender, EventArgs e)
{
SessionService.Service service = new
SessionServiceClient.SessionService.Service();

CredentialCache cc = new CredentialCache();

NetworkCredential nc = new NetworkCredential("WSEUser",
"Password", "machinename");

cc.Add(new Uri(service.Url), "Negotiate", nc);

service.Credentials = cc;
service.PreAuthenticate = true;
DataTable dt = service.GetTable();

StringWriter sw = new StringWriter();
dt.WriteXml(sw);
txtContent.Text += "\r\nnums: " + sw.ToString();

}
=====================

Also, as you said the program used to work well on another box, I think
this should be an environment specific(such as configuration) issue. You
can try testing through the following routine:

** since you've changed the server machine, check whether the client
application's code or server service's web.config's settings as refer to
the new machine name in username prefix (e.g newmachinename\username).
This is important when you use a local account on the server machine to
access the service.

** You can event firstly comment the authorization setting in web.config
(as below)

<!--
<authorization>
<allow users="machinename\WSEUser"/>
<deny users="*"></deny>
</authorization>
-->
to see whether it is this setting that cause the issue.

in addition, the IIS log is also what you can check. If the IIS log
indicate that there is 401 error from your webservice client, that means
the authentication at IIS layer failed (hasn't even reach ASP.NET layer)

Please feel free to let me know if you have any other finding or question.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

See link below. The kb article's workaround to disable the loopback check
resolved the problem.

http://support.microsoft.com/default...b;en-us;896861

"Steven Cheng[MSFT]" <st*****@online.microsoft.comwrote in message
news:FV**************@TK2MSFTNGHUB02.phx.gbl...

Hello Brad,

From your description, you're encountering some access/authentiation error
when calling an ASP.NET webservice which is secured through integraetd
windows authentication.

As for the code you used, I think it is quite correct, below is my local
test code that runs well.(on windows 2003 server IIS6/asp.net2.0)

==================
private void btnGetCollection_Click(object sender, EventArgs e)
{
SessionService.Service service = new
SessionServiceClient.SessionService.Service();

CredentialCache cc = new CredentialCache();

NetworkCredential nc = new NetworkCredential("WSEUser",
"Password", "machinename");

cc.Add(new Uri(service.Url), "Negotiate", nc);

service.Credentials = cc;
service.PreAuthenticate = true;
DataTable dt = service.GetTable();

StringWriter sw = new StringWriter();
dt.WriteXml(sw);
txtContent.Text += "\r\nnums: " + sw.ToString();

}
=====================

Also, as you said the program used to work well on another box, I think
this should be an environment specific(such as configuration) issue. You
can try testing through the following routine:

** since you've changed the server machine, check whether the client
application's code or server service's web.config's settings as refer to
the new machine name in username prefix (e.g newmachinename\username).
This is important when you use a local account on the server machine to
access the service.

** You can event firstly comment the authorization setting in web.config
(as below)

<!--
<authorization>
<allow users="machinename\WSEUser"/>
<deny users="*"></deny>
</authorization>
-->
to see whether it is this setting that cause the issue.

in addition, the IIS log is also what you can check. If the IIS log
indicate that there is 401 error from your webservice client, that means
the authentication at IIS layer failed (hasn't even reach ASP.NET layer)

Please feel free to let me know if you have any other finding or question.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no
rights.

Thanks for your followup Brad,

So the issue is due to the IIS site on the new server is not using the
default IP address setting (or use a custom host header), this does be an
known issue of IIS which may influence the integrated windows
authentication behavior. Anyway, glad that you've figured out the issue. If
you meet any new problems later, please feel free to post here.

Have a good day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.