Why is Windows Authentication working from local to server, but not server to server?

I have two sites, A and B. A consumes an API that B exposes, and B requires Windows authentication. Both sites live in Domain D.

The API is consumed via HttpClient, and when site A is run locally, under my domain account (which is in Domain P), access is granted. In this case, HttpClient is instantiated like so:

using (var client = new HttpClient(new HttpClientHandler { UseDefaultCredentials = true }))

When A is deployed to a testing server, the above results in a 401 Unauthorized response. The application pool on the testing server is running under a service account in domain D.

When explicitly using that service account like this:

var credential = new NetworkCredential("service-account", "password", "D");
var cache = new CredentialCache
{
  {
    new Uri(apiServerUri), "NTLM", credential
  }
};
var handler = new HttpClientHandler
{
  Credentials = cache
};

using(var client = new HttpClient(handler))
...

And again running site A locally, access is still granted. Access is also granted when accessing the API directly via browser, and specifying the service account credentials. Logs indicate that it is definitely the service account being used to access the API.

Deploying the above back to the testing server still results in 401 Unauthorized.

Deploying site A to a local instance of IIS, also successfully consumes the API of B.

Running site B locally, and then accessing it via site A locally, results in a 401 Unauthorized.

Accessing the API through a browser on the testing server where A is deployed, and specifying the service account credentials, also gives a 401 Unauthorized.

I'm not sure where to go from here - am I missing something in the code to get this working? Or is it likely to be an IIS or AD issue?

pala_ asked May 12 '15 01:05




1 Answer

While I'm yet to determine exactly why this workaround works, or if there is a better way of doing it (because this feels clunky), the following has allowed A to connect to B, when both are sitting on the same server.

Site B has had an additional host binding set up in IIS, to listen on localhost:12345. Site A has been configured to connect to that endpoint, rather than the domain name for Site B. Authentication is now working correctly.

I would be interested if anyone can explain why this is the case - I dislike 'magic' fixes.

Edit: It would seem that this KB article is a likely cause for this behavior. Specifically:

When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following: "HTTP 401.1 - Unauthorized: Logon Failed". This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.

and

Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

Registry modifications aren't really an option on these servers, so it looks like the workaround is what we will be using.

pala_ answered Oct 08 '22 11:10

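The following is an added example that is not pala_'s code and not part of the original thread. It ties the two halves together: the two ways the question builds its HttpClientHandler (app-pool identity versus an explicit NTLM credential scoped to one URI), pointed at the loopback binding the answer describes, plus a small pre-flight check that explains the 401 up front by detecting the condition the KB article names (a request that reaches the local machine under a name that is neither localhost nor the machine's own host name). The port 12345 comes from the answer; the host name siteb.d.example, the endpoint api/ping and the environment variable names SITEB_USER, SITEB_PASS and SITEB_DOMAIN are my assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Added example, not the poster's code. Assumes Site B has the extra IIS
// binding from the answer (http://localhost:12345) and that the service
// account is supplied through environment variables (SITEB_USER, SITEB_PASS,
// SITEB_DOMAIN: hypothetical names) instead of being hard-coded in source.
public static class SiteBClient
{
    // Placeholder public name for Site B, and the loopback binding that the
    // workaround in the answer talks to instead.
    public const string PublicBaseUri   = "http://siteb.d.example/";
    public const string LoopbackBaseUri = "http://localhost:12345/";

    // True when 'uri' reaches this very machine under a name that is neither
    // "localhost" nor the machine's own host name. That is the case the KB
    // article describes: IIS's loopback check rejects Integrated
    // authentication for such requests with 401.1 even when the credentials
    // themselves are valid.
    public static bool WillTripLoopbackCheck(Uri uri)
    {
        if (uri.IsLoopback) return false;   // localhost, 127.0.0.1 and ::1 pass the check
        string shortName = uri.Host.Split('.')[0];
        if (string.Equals(shortName, Environment.MachineName, StringComparison.OrdinalIgnoreCase))
            return false;                   // the machine's own name passes as well

        try
        {
            IPAddress[] target = Dns.GetHostAddresses(uri.Host);
            IPAddress[] local  = Dns.GetHostAddresses(Dns.GetHostName());
            foreach (IPAddress a in target)
                if (IPAddress.IsLoopback(a) || Array.Exists(local, l => l.Equals(a)))
                    return true;            // resolves to us, but under a foreign name
        }
        catch (System.Net.Sockets.SocketException)
        {
            // Unresolvable name: cannot tell, so do not claim the check applies.
        }
        return false;                       // genuinely remote: no loopback check involved
    }

    // Builds the handler in either of the two ways the question shows.
    public static HttpClientHandler CreateHandler(Uri baseUri, bool explicitServiceAccount)
    {
        var handler = new HttpClientHandler();
        if (!explicitServiceAccount)
        {
            // Use the process identity: the app-pool service account under IIS,
            // the developer's own domain account when the site runs locally.
            handler.UseDefaultCredentials = true;
            return handler;
        }

        string user   = Require("SITEB_USER");
        string pass   = Require("SITEB_PASS");
        string domain = Require("SITEB_DOMAIN");

        // Scope the NTLM credential to Site B's URI only, so the handler never
        // offers it to any other host the client might later be pointed at.
        var cache = new CredentialCache
        {
            { baseUri, "NTLM", new NetworkCredential(user, pass, domain) }
        };
        handler.Credentials = cache;
        return handler;
    }

    private static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Environment variable {name} is not set.");

    public static async Task<int> Main(string[] args)
    {
        // --same-server: A and B share a host, so use the loopback binding.
        // --explicit:    authenticate with the service account from the environment.
        bool sameServer = Array.IndexOf(args, "--same-server") >= 0;
        bool explicitCreds = Array.IndexOf(args, "--explicit") >= 0;
        var baseUri = new Uri(sameServer ? LoopbackBaseUri : PublicBaseUri);

        if (WillTripLoopbackCheck(baseUri))
            Console.Error.WriteLine(
                $"Warning: {baseUri.Host} resolves to this machine but is not its host name; " +
                "Integrated authentication will be rejected by the IIS loopback check.");

        using (var client = new HttpClient(CreateHandler(baseUri, explicitCreds)))
        {
            client.BaseAddress = baseUri;
            HttpResponseMessage response = await client.GetAsync("api/ping"); // hypothetical endpoint
            Console.WriteLine($"{baseUri} -> {(int)response.StatusCode} {response.ReasonPhrase}");
            return response.IsSuccessStatusCode ? 0 : 1;
        }
    }
}
```

Run with `--same-server` on the box that hosts both sites and the client goes through the localhost binding, which the loopback check lets through; run it without that flag on the same box and the warning fires before the request, naming the FQDN as the reason for the 401 rather than leaving it as a "magic" failure. The extra binding can be added in IIS Manager or with the WebAdministration module's New-WebBinding cmdlet. Unlike the registry change the KB article mentions, the localhost binding leaves the loopback check itself in place, so the protection it provides against reflected-authentication requests from other names is not weakened.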