views:

64

answers:

4

I'm getting a 401 (access denied) calling a method on an internal web service. I'm calling it from an ASP.NET page on our company intranet. I've checked all the configuration and it should be using integrated security with an account that has access to that service, but I'm trying to figure out how to confirm which account it's connecting under. Unfortunately I can't debug the code on the production network. In our dev environment everything is working fine. I know there has to be a difference in the settings, but I'm at a loss with where to start. Any recommendations?

+1  A: 

Have you looked in the IIS logs?

John Saunders
The IIS log doesn't contain the account, only the url, client, and "401 2 2148074254".
Andrew Lewis
You can configure the fields you want, using IIS Manager. Turn on cs-username.
John Saunders
You'd have an easier time looking through the Application event log to find the unhandled (is it?) exception - it will give you all the information you need
Josh E
It won't be there. If a 401 is returned, then the application didn't see the request.
John Saunders
A: 

I would also recommend looking in the Security event log on the server for authentication failures. You should find a footprint of the failed authorisation attempt here. Be warned though - it is not unusual to get 10s of security events a second, so ideally you need to be able to access the event log as the requests are failing.

Rob Levine
A: 

If you do not specify which credentials to use in your ASP.NET page when you instantiate the web service then I believe it defaults to NT_Authority\Anonymous.

If you're using System.Net.CredentialCache then your web service needs to be in a trusted domain, accessed over HTTPS and using either NTLM, Kerberos or Digest Auth otherwise it does not pass the credentials from the cache.

http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultnetworkcredentials.aspx http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx

CptSkippy
A: 

Perhaps the production server uses a different user for its application pool than your dev environment? I once spent a day figuring that one out. Another option would be the (lack of) impersonation in the web.config

René