I have a single server (Windows 2003/IIS 6). This server has a few different "Web Sites" set up in IIS. Each site is configured in IIS with a distinct host header (port 80). In addition, each site is also accessible over a specified port number (without host header).

For example:

MySite1: http://apps.mysite1.com or http://myserver:xxxx

MySite2: http://something.mysite2.com or http://myserver:yyyy

I've edited my hosts file (it's a development machine) to redirect each site's host header to the local machine (127.0.0.1).

I have an ASP.NET 2.0 web site in one IIS site (mysite1) and an ASP.NET 2.0 Web Service in another IIS site (mysite2). The web site communicates with the web service using code similar to the following:

MyWebService svc = new MyWebService();
//also have tried "http://myserver:yyyy/MyWebService.asmx" below
svc.Url = "http://something.mysite2.com/MyWebService.asmx"; 
svc.Credentials = System.Net.CredentialCache.DefaultCredentials;
svc.MyMethod();

All sites are configured for Windows Integrated Security and ASP.NET is configured for Windows authentication with <identity impersonate="true" />. The security model dictates that the user logged into the web application should be authenticated all the way through to the web service (and subsequently down to the underlying database(s), but that's not necessarily relevant here).

I had this working fine; however, I rebuilt my Web Service (new method) and now things are not working, with any Web Service call ending in a 401 Unauthorized message.

It does sound like a double-hop issue. I believe it has something to do with the web service not accepting the credentials being passed and challenging for new ones to be passed. Just not sure how to confirm this. Not sure why it would challenge though - I am logged in as a machine/domain admin and IE is configured to pass credentials in Internet Options > Security tab > Custom Level > Automatic Logon in Intranet zone. Yes, the relevant sites are added to my "intranet zone".

What is the best way to troubleshoot this? Any ideas on what might be causing this now?

TIA!

A: 

This sounds like a double-hop issue. To confirm whether it is a double-hop issue, I would change the line which reads svc.Credentials = and explicitly put in credentials to test with, and see if it works. If it does work, then it is the double-hop issue, and you will need to resolve that.

dar
Yeah, this is what I suspect as well. I don't know how to resolve that I guess is my question.
Brian
This kb article should get you going on Kerberos Delegation. The delegation allows the second IIS to trust the first. You will probably also need to do this on your DB server if you are using the User creds for the connection. http://support.microsoft.com/kb/810572
dar
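
The test suggested in the answer, written out as an added example that is not part of the original thread: it reports the token the impersonating ASP.NET thread holds, then requests the .asmx URL once with the default credentials and once with explicit ones, and shows the `WWW-Authenticate` challenge on a 401. The class and method names and the test account are hypothetical placeholders, and `HttpWebRequest` is used in place of the generated `MyWebService` proxy so the code compiles on its own.

```csharp
using System;
using System.Net;
using System.Security.Principal;

// Added diagnostic sketch; DoubleHopProbe and its members are hypothetical names.
public static class DoubleHopProbe
{
    // Token of the current thread. With <identity impersonate="true" /> this is
    // the browser user. Level "Impersonation" is usable on this server only;
    // "Delegation" may be forwarded to another server.
    public static string DescribeCaller()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        return String.Format("{0} auth={1} level={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);
    }

    // Requests the URL with the given credentials and reports the HTTP outcome.
    public static string Probe(string url, ICredentials creds)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.Credentials = creds;
        try
        {
            using (HttpWebResponse ok = (HttpWebResponse)req.GetResponse())
                return "HTTP " + (int)ok.StatusCode;
        }
        catch (WebException ex)
        {
            HttpWebResponse resp = ex.Response as HttpWebResponse;
            if (resp == null) return "No HTTP response: " + ex.Status;
            using (resp)
                return String.Format("HTTP {0}, WWW-Authenticate: {1}",
                    (int)resp.StatusCode, resp.Headers["WWW-Authenticate"]);
        }
    }

    // Call from a page in mysite1, e.g. with the web service URL from the question.
    public static string Run(string url)
    {
        // Placeholder test account; use a low-privilege one and remove it afterwards.
        ICredentials explicitCreds =
            new NetworkCredential("TESTUSER", "PLACEHOLDER-PASSWORD", "DOMAIN");
        return DescribeCaller() + Environment.NewLine
            + "default:  " + Probe(url, CredentialCache.DefaultCredentials) + Environment.NewLine
            + "explicit: " + Probe(url, explicitCreds);
    }
}
```

A 401 on the default line together with a success on the explicit line is the outcome the answer treats as confirming the double-hop issue.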