18

Inside my corporate environment, I have IIS7.5 hosting both a Web API service and a separate website which makes calls into that service via the RestSharp library. Both are currently configured with Windows Authentication.

If I navigate to either one with a browser, I'm prompted to enter my windows credential, and everything works great... I get web pages that I want and the REST service spits out my data. The part I'm struggling to figure out is how to use a single credential to authentication both. I can't figure out how to either pass the Website's credential to the service (I tried impersonating but it didn't work), or to manually prompt the user for username/password and then authenticate them with "Windows".

Help a noob out?

ROMANIA_engineer
  • 54,432
  • 29
  • 203
  • 199
Jim Last
  • 183
  • 1
  • 1
  • 5

2 Answers2

17

Settings for web API

  1. Enable Windows Authentication

Settings for web application

  1. Enable Windows Authentication
  2. Add <identity impersonate="true" /> in <system.web> of web.config

  3. Add the following in the web.config: 

     <system.webServer>
     <validation validateIntegratedModeConfiguration="false" />
 </system.webServer>

  4. Enable Windows Authentication and ASP.NET Impersonation within IIS

You can use the following code to POST data to web API (and GET as well obviously) 

using (var client = new WebClient { UseDefaultCredentials = true })
{
    client.Headers.Add(HttpRequestHeader.ContentType, "application/xml; charset=utf-8");
    byte[] responseArray = client.UploadData("URL of web API", "POST", Encoding.UTF8.GetBytes(XMLText));
    string response = Encoding.ASCII.GetString(responseArray);
}

NOTE: If you're still getting 401 errors you may need to use an IP address instead of a regular domain name for your URL (e.g.: 155.100.100.10 instead of mycompany.com)

Omar Himada
  • 2,540
  • 1
  • 14
  • 31
Hafiz Attaullah Khwaja
  • 179
  • 1
  • 2
9

If you use impersonation on your web site and the API is running on the same server it should work.

http://msdn.microsoft.com/en-us/library/aa292118(v=vs.71).aspx

However, if you would move the API to a different server from the site this will stop working. A two-server setup requires Kerberos delegation.

Anders Bornholm
  • 1,326
  • 7
  • 18
  • Thanks, @Anders. The site and API are running on different sites. I'll take a look at kerberos. – Jim Last Oct 24 '14 at 08:18
  • 6
    I'd like to warn you that Kerberos delegation is non-trivial. I've yet to find a single IT department that knows how to do it or are willing to try. A workaround is to use a service account that has access to everything that the site can use when calling the API server-to-server. It's not the prettiest solution and it requires that you check in code that the user logged in to the web site doesn't get more information from the API than he or she is supposed to. But at least it's a working option that doesn't require a lot of intrusive changes made to the IT environment. – Anders Bornholm Oct 24 '14 at 08:32