Sharepoint 2007 NTLM issue with ASP.NET Web App hosted on Sharepoint server

Question

I'm hosting an ASP.NET web application on a Sharepoint 2007 box, which makes a web service call to Sharepoint to retrieve a document location (specifically, the GetListItems method).

The service is consumed with passed credentials of a valid Sharepoint account with appropriate permissions.

ListServiceWrapper listService = new ListServiceWrapper();

/*Pass credentials to service call object*/
listService.Credentials = new NetworkCredential(spUserName, spPassword, spDomain);

/*Set the Url property of the service for the path to a subsite.*/
listService.Url = ConfigurationManager.AppSettings.Get("rootSite") + "/_vti_bin/lists.asmx";

When the web app is run locally on my development box (I'm a Sharepoint user on the same domain), the service call works great. When deployed to the Sharepoint box, the application returns:

The request failed with HTTP status 401: Unauthorized.

We've tried to change the App Pool user of the web app on the Sharepoint box to an authorized Sharepoint user, but still haven't had any luck. I figure if we changed the Sharepoint authentication to Kerberos instead of NTLM, it would solve the issue. Unfortunately that isn't an option here. This possibly has something to do with the NLTM double-hop issue?

Answer 1

Yes, this is related to the double hop issue.
In NTLM, you are not allowed to authenticate to remote services. As you said, you'll need Kerberos to delegate credentials to other services.

Options you may try:

• Switch to Kerberos. This is the only correct solution, but it's not so easy as you'll have to create all SPN and be sure port 88 is open.
• Install you're ASP.Net application in the SharePoint box and activate DisableLoopbackCheck
• Use a service account to log in to SharePoint. In this case, SharePoint won't run under the user account, so you'll have to handle security yourself