IIS Media Services 4.1:
I have a dedicated website setup on my win 7 dev box. I'm testing the REST service with Windows Auth turned on from both calls from a browser as well as a test C# winform app. Using the browser I try to hit http://iismediatestsite/services/smoothstreaming/publishingpoints.isml I get challeneged (good) but when I put in my domain creds I get into a loop where it keeps prompting for creds. My domain account is an admin on this box. If I use my test app I set UseDefaultCredentials to true but I get a 401 returned.
Using Basic Auth works fine with both clients.
Any ideas?
TIA
Okay apparently this is caused by an issue when authenticating by NTLM via a loopback address. It is better explained and a workaround provided here:
http://support.microsoft.com/kb/896861
Related
My goal is to create a HTTPS REST service that (in concept) allows a machine account to authenticate using the less- than documented machine$ account.
I have a REST endpoint for an AD connected intranet application. Right now IIS simply echoes the thread CurrentPrincipal when I navigate using Internet Explorer.
Now I'm using the HTTPClient , using default authentication, running a my username, and that also works.
My new goal is to send the AD Connected machineAccount (that ends in the dollar sign $) so that IIS responds with the kerberos name Domain\TestServer$
I attempted creating a Windows Desktop service, running as NetworkService or LocalSystem, and I'm not clear if HttpClientHandler.UseDefaultCredentials is sufficient for running in this (unusual) context or if a different approach is needed to authenticate using the machine account.
Is a PInvoke needed? Is there anything in logonuser32 that needs to be done?
For the past couple of years we've been developing a client/server application and it's been working well with us hosting the server and applications. I've recently started work on getting our mobile app to connect and have run into a snag.
The mobile app can login and obtain a token but when it presents that token for an API call Owin is failing to create a valid Principal.
The same API call from our desktop app (running on the same physical machine as the server) has an HttpRequestMessage "MS_OwinContext" property with the Authentication.User field populated. The same call from the mobile does not.
Yet both of them seem to be sending the same API request (different bearer token of course). Alternative can anyone tell me where I might at least start looking or how I could get information from OWIN as to what it's doing? It's also worth pointing out that the mobile app (Xamarin) shares most of its code with the desktop application.
Right now I'm staring at a black box and all I know is that 'it doesn't work'.
Okay the problem was that the server was setting Authority in the bearer options to be localhost. Audience is derived from this so when connecting using the host name validation fails.
The answer appears to therefore not use localhost as part of the authority.
We recently changed the IP-address on a server hosting one of our services based on .NET Web API 2.
The service is using OAuth2, providing external logins via Facebook/Google.
We're still using the same server and the same host name for our services, only the IP-address has changed. Now I'm getting back my login URL with "&error=access_denied" whenever I try to login using Facebook/Google.
I have checked every setting in both Facebook's and Google's developer consoles but nothing seems to apply. If I remove the OAuth redirect URI, I get an error that the URL is blocked, so the settings seems to take effect.
What have I missed?
Funny how asking a question makes you think even more outside of the box. The culprit was that wrong DNS-server was set on the web host.
I'll see myself out...
i have a weird thing going on. I have configured a website to use windows authentication. Now when i check on a client in a domain or on my domain controller i can access the website after entering my credentials. But on the webserver itself i can't login with these same credentials. Is this normal behaviour or what can cause this to happen ?
I have a self-hosted owin web api service on a test environment, and to give it a better name I use a domain alias, and ARR.
My web api runs on port 8888, and uses Windows Authentication. I have configured my arr to run under testserver:80 with anonymous authentication. I want to deploy a service on the box that will pool the webapi for data. When I try to visit testserver from my web browser on my desktop it works fine. However, when I remote into that box and try to hit testserver it prompts me for credentials. Even if I type them correctly it still will issue me a 401. If I go to localhost:8888 the site will work.
Since, I'd prefer to use the pretty name for the server in my service how do I correct this issue. How do I get it to pass credentials on the same box through ARR?
You might have have an issue with LSA loopback checking.
You get the 401 because ARR forwards your Windows Authentication to localhost, which is not allowed (default setting).
Try to disable LSA loopback checking (restart most probably required). If that works you can limit the disabling of loopback checking to specific websites (to prevent security holes).
See You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version for more information on the LSA loopback check and how to disable it completely or only for specific hostnames.