I'm using Visual Studio 2005, C#, and IIS 5.x on WinXP developement machine. In my VStudio solution I have these projects:
FileServiceDemo (a web application project) hosted at http://localhost/FileServiceDemo2005
default.aspx
- displays System.Security.Principal.WindowsIdentity.GetCurrent().Name and
System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType during Page_Load
TrimBrokerService (a web service project) hosted at http://localhost/TrimBrokerService
Everything works fine when both virtual directories above have "Anonymous Access" UNCHECKED and "Integrated Windows Authentication" CHECKED. In this case, default.aspx displays:
UserName: mydomain\myusername
AuthType: Kerberos
When I enable anonymous in my web client site above (FileServiceDemo2005), then default.aspx displays:
UserName: myPCname\IUSR_myPCname
AuthType: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Thus, when the webclient is anonymous and the webservice is entered I get:
System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
PLEASE NOTE: My webservice (hosted at localhost/TrimWebService) is still configured with Anonymous access UNCHECKED. My webservice has to call another WS ("WebService2") that requires proper Windows domain credentials and I am currently using this code to pass credentials to "WebService2":
engineWSE.Credentials = new System.Net.NetworkCredential("username", "password", "mydomainname");
In summary, is there something I can do in my webservice to "gain authentication" despite being called by an anonymous user? I want to consume a webservice with no credentials and have the webservice perform some things that require Windows authentication.
NOTE: As I write this, I suspect this will invoke dire warnings of how bad this is from a security standpoint. The production application will remain a Kerberos intranet app; this is an experiment for testing fileupload times across a T1 line. Thanks for your time.
///////////////////////////////////////////////////////
- EDIT: update 7-17-2009
Thanks for your suggestions. I did exactly what you said regarding permissions and I improved my code by adding a constructor (see below). I tested this on my localhost (trapping breakpoints in the constructor) and proved I could upload files with my fileservice WS having entered the WS with either Kerberos or anonymously:
namespace TRIMBrokerService
{
[WebService(Namespace = "http://cbmiweb.com/TrimBroker/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ToolboxItem(false)]
public class FileService : System.Web.Services.WebService
{
EngineWse engineWSE = new EngineWse();
public FileService()
{
System.Security.Principal.WindowsIdentity UserIdentityInfo;
UserIdentityInfo = System.Security.Principal.WindowsIdentity.GetCurrent();
string AuthType = UserIdentityInfo.AuthenticationType;
if (AuthType == "Kerberos")
{ engineWSE.Credentials = System.Net.CredentialCache.DefaultCredentials; }
else
{ engineWSE.Credentials = new System.Net.NetworkCredential("u","p","d"); }
}
So with the above code in place, this works in both cases, BUT when I PUBLISH my webservice to http://trim/trimbroker (a test virtual directory on a different machine in our LAN) it fails with the HTTP: 401 Unauthorized problem again.
http://trim/trimbroker points to physical directory D:\WebServicesTesting\Deployed on the server named trim. I've given "Everyone" the following permissions to the "Deployed" folder: "Read & Execute" "List Folder Contents" "Read"
By publishing only the .config and .dll files, I've lost the ability to set breakpoints so I am wondering if you can suggest some way to monitor why this is failing.
Please NOTE that if I configure my webclient on my localhost to call my webservice at http://trim/trimbroker it does still work BUT only if my webclient site is disabled for ANONYMOUS and I enter the site with Kerberos.
I hope all the above is clear and you can suggest something. Thanks.