C# - Windows Authentication Web API Unauthorized - Multiple Servers


The scenario

I have 2 applications running on separate servers, within the same internal network.

Server 1 contains a Web API MVC project.

Server 2 contains an MVC web application that calls the API on server 1.

Both applications work using Windows authentication.

The code works fine when I'm running them locally, both through IIS and running through Visual Studio.

When running on the server I get the following error:

The remote server returned an error: (401) Unauthorized.

Below is the request from Fiddler.

    GET http://server1/..../..../gettest HTTP/1.1
    Host: server1
    Connection: keep-alive
    Cache-Control: max-age=0
    Authorization: Negotiate YIIHIgYGKwYBBQUCoIIHFjCCBxK.....
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Cookie: ASP.NET_SessionId=gffyzdgub41op0diygy5lyv2

Below is the API request code.

    using System.IO;
    using System.Net;

    public string GetTest()
    {
        string sUrl = "http://server2/.../api/test?value=jeronimo";
        WebRequest wrGetUrl = WebRequest.Create(sUrl);

        // Authenticate the outbound call with the credentials of the current
        // security context (the process identity unless the thread is impersonating).
        wrGetUrl.Credentials = CredentialCache.DefaultCredentials;

        var result = "";
        using (Stream objStream = wrGetUrl.GetResponse().GetResponseStream())
        using (StreamReader objReader = new StreamReader(objStream))
        {
            // Concatenate the response body line by line.
            string sLine;
            while ((sLine = objReader.ReadLine()) != null)
            {
                result += sLine;
            }
        }

        return result;
    }

Thanks for the help.

This is a known problem when using Windows authentication, called the double hop.

There are 2 solutions to such a problem:

  • Change the application pool identity on server2 from ApplicationPoolIdentity to a service account that is allowed to make calls to server1. This solution does not propagate the context of the user calling the API on server2 (you can still send parameterized info to the server1 methods and make the calls filter out data).

  • Implement constrained delegation to allow server2 to forward the user identity to server1; unless you have a strong security requirement for that, take the first approach.
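The two options above as the commands an administrator would run on server2 and on a domain-joined box with the ActiveDirectory module. This is an added example, not code from the question or the answer; the domain (CORP), service account (svc_mvcweb), pool and site names, and the fully qualified host names are assumed placeholders, since the question does not give the real ones.

```powershell
# Added example (not from the question or the answer): the two fixes from the
# answer as admin commands. Domain, account, IIS object names and host names
# are placeholders; substitute the real ones.
$Domain     = 'CORP'
$SvcAccount = 'svc_mvcweb'                  # assumed domain account for the server2 app pool
$Pool       = 'IIS:\AppPools\MvcWebPool'    # assumed app pool name on server2
$Site       = 'IIS:\Sites\MvcWeb'           # assumed site name on server2
$Server2    = 'server2.corp.example'        # assumed FQDN of the MVC front end
$Server1    = 'server1.corp.example'        # assumed FQDN of the Web API box

# --- Option 1: run the server2 pool as a domain service account ---------------
# server1 then sees CORP\svc_mvcweb on every call, whoever is logged in to the
# MVC site. The caller's identity does not travel to server1.
Import-Module WebAdministration
$cred = Get-Credential -UserName "$Domain\$SvcAccount" -Message 'App pool identity'
Set-ItemProperty $Pool -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}
Restart-WebAppPool -Name (Split-Path $Pool -Leaf)

# --- Option 2: Kerberos constrained delegation --------------------------------
# Kerberos needs an HTTP SPN for server2 on the pool account; without it
# browsers fall back to NTLM, and NTLM can never be delegated.
setspn -S "HTTP/$Server2" "$Domain\$SvcAccount"
setspn -S "HTTP/$($Server2.Split('.')[0])" "$Domain\$SvcAccount"

# With a custom pool identity, kernel-mode authentication must decrypt tickets
# with the pool account rather than the machine account.
Set-WebConfigurationProperty -PSPath $Site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true

# Allow svc_mvcweb to delegate ONLY to the HTTP service on server1
# ("Trust this user for delegation to specified services only").
# If server1's pool runs as NetworkService or ApplicationPoolIdentity, HTTP/server1
# is covered by the server1 computer account's HOST SPN; if it runs as a domain
# account, register HTTP/server1 on that account with setspn -S first.
Import-Module ActiveDirectory
Set-ADUser -Identity $SvcAccount -Add @{
    'msDS-AllowedToDelegateTo' = @("HTTP/$Server1", "HTTP/$($Server1.Split('.')[0])")
}

# Leave TrustedToAuthForDelegation off ("Use Kerberos only"): server2 can then
# delegate only for callers that actually presented a Kerberos ticket. Protocol
# transition ("Use any authentication protocol") is a larger grant; enable it
# only if callers genuinely arrive over NTLM or another protocol:
# Set-ADAccountControl -Identity $SvcAccount -TrustedToAuthForDelegation $true

# Verify the grant. TrustedForDelegation must stay $false: that is unconstrained
# delegation, which would hand the pool account a forwardable TGT of every caller.
Get-ADUser -Identity $SvcAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
```

Two checks worth doing before blaming the configuration. First, with option 2 the outbound call on server2 must run while the thread impersonates the caller (for example inside `WindowsIdentity.Impersonate()` on the request's `WindowsIdentity`), otherwise `DefaultCredentials` still sends the pool account's ticket. Second, the `Authorization: Negotiate` token in the Fiddler capture tells you which mechanism the first hop used: a token starting with `YII` is SPNEGO (the ~1.8 KB length in the capture is typical of a Kerberos service ticket), while one starting with `TlRMTVNT` is raw NTLM, which will never delegate. Callers in the Protected Users group or marked "Account is sensitive and cannot be delegated" will still get a 401 on the second hop by design.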


Comments