1

We are working on an internal MVC3 app that purely uses Windows Authentication. There's a view that does an AJAX call to a controller action that does some processing before calling a web service. The problem we are running into is that if Anonymous access is turned off (as in Windows Authentication is on), calling the service from the controller actions results in a 401: Unauthorized error.

We have run into a problem of the double hop issue where credentials aren't passed correctly from server to server when calling a service within a service. I'm wondering if the AJAX call is somewhat mimicing the same behavior and not transmitting the correct Windows credentials to the controller which then doesn't pass the correct credentials to the web service.

I've seen some posts that shows how to pass a username and password along with the jQuery call but nothing mentions, an effective way, to bring along Windows Authentication with it.

Has anyone run into a similar issue? We would rather not leave Anonymous access on the web service as it is somewhat sensitive data that we would like to control access to.

Justin Chmura
  • 430
  • 1
  • 4
  • 11
  • I should have elaborated a bit. I'm talking about anonymous access be on or off on the virtual directory the web service resides in. Having Windows Authentication for the web app works fine in all cases. – Justin Chmura Aug 31 '12 at 18:31

2 Answers2

0

Do you have identity impersonation turned on as described in this question:

How to get Windows user name when identity impersonate="true" in asp.net?

Community
  • 1
  • 1
BNL
  • 7,085
  • 4
  • 27
  • 32
  • On the MVC3 app, we do have: in the web.config. We did actually think of that when we initially deployed the app, but nothing changed. Would this also have to be on for the web service? Or would that matter? – Justin Chmura Aug 31 '12 at 18:43
  • I'd guess you'd just need authentication = windows in the service, but I've never done this, so I'm not sure. – BNL Aug 31 '12 at 18:48
  • Can the users succesfully call the service directly? – BNL Aug 31 '12 at 20:18
  • They can, I do believe its something with the jQuery call credentials. – Justin Chmura Sep 04 '12 at 14:34
0

A colleague did some research over the weekend and determined it may have something to do with Kerberos authentication setup on the server as well as the jQuery call. In order to get around it, we just refactored the web service into a library that the application just references. We made it a web service initially as we thought in the future this data would need to be accessed from other applications. Running into this issue, we will most likely make it into a NuGet package.

Thanks for the comments.

Justin Chmura
  • 430
  • 1
  • 4
  • 11