
I have two applications.

  • Both on the same server
  • Both running as the same service account
  • Both require Windows Auth

I'm trying to use HttpClient to get from one app to the other with a simple post request; however, the identity doesn't seem to get used.

What I'm using looks like this:

```csharp
// Identity the process is running as (checked to be the expected service account)
var testIdentity = System.Security.Principal.WindowsIdentity.GetCurrent();
var handler = new HttpClientHandler()
{
    // Send the current Windows identity's credentials with the request
    UseDefaultCredentials = true
};

using (var client = new HttpClient(handler))
{
    //...
    HttpResponseMessage response = await client.PostAsJsonAsync("api/controller/Method", request);
    response.EnsureSuccessStatusCode(); // Exception here!
    //...
}
```

I've verified testIdentity is the service account I want to be running as, but it doesn't seem to make it. I always get a 401 response back.

I've also tested the application sending the request locally (but same domain), and the WebAPI on the server, but that doesn't work either (same 401 response).

If I have both applications local then it works as expected.

Any idea what I may be missing?

Charles
  • I have seen problems with the way the SPN is set up in this kind of use case; check the link below: http://stackoverflow.com/questions/14928350/how-can-i-fix-the-kerberos-double-hop-issue – Prashant Jul 18 '16 at 13:27
  • Yeah, I was thinking there might be this issue, but does it really still apply if it's the same domain user for both applications? – Charles Jul 18 '16 at 13:32
  • This happens when you have to pass Windows credentials from one server to another; nothing to do with same domain, I believe. – Prashant Jul 18 '16 at 13:36
  • Gotcha, I was thinking that it happened when moving between physical machines for some reason – Charles Jul 18 '16 at 13:38
  • Okay, so this isn't the issue I'm having. The first server is the client, and it's going to the WebAPI (as the server's app pool user). I'm not actually making two hops. – Charles Jul 18 '16 at 14:33
  • OK, check this link: http://stackoverflow.com/questions/26430045/how-to-pass-windows-authentication-credential-from-client-to-web-api-service – Prashant Jul 18 '16 at 14:40
  • So, I figured out that `await response.Content.ReadAsStringAsync()` gave a lot more detailed information regarding the error. I'm actually getting a Logon Method of Negotiate, and the Logon User of the account I expect. That said, I'm getting a `401.2 Unauthorized` error. – Charles Jul 19 '16 at 17:06
  • @Prashant, if you have any insight as to why the answer I posted fixed the problem for me that'd be awesome. – Charles Jul 19 '16 at 21:00

1 Answer


Little hesitant to accept this as the answer as I don't know the underlying cause yet; however, the issue I ran into was fixed by impersonating an account on a different domain.

Charles
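An added example, not code from the question or the answer: a small diagnostic that summarises a 401 reply by listing the authentication schemes in its `WWW-Authenticate` challenge and pulling the IIS sub-status (such as the `401.2` mentioned in the comments) out of the body. `AuthDiagnostics` and `DescribeAsync` are hypothetical names, the sample response is constructed so the block runs offline, and it assumes the server returns an IIS detailed error page to the caller.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

static class AuthDiagnostics
{
    // Hypothetical helper (not a framework API): summarises a 401 response.
    public static async Task<string> DescribeAsync(HttpResponseMessage response)
    {
        if (response.StatusCode != HttpStatusCode.Unauthorized)
            return "status " + (int)response.StatusCode + ": not an authentication failure";

        // Schemes the server challenged with, e.g. Negotiate or NTLM.
        string[] schemes = response.Headers.WwwAuthenticate.Select(h => h.Scheme).ToArray();

        // Assumption: the body is an IIS detailed error page naming the sub-status.
        string body = response.Content == null ? "" : await response.Content.ReadAsStringAsync();
        Match sub = Regex.Match(body, @"\b401\.\d+\b");

        return "offered schemes: " + (schemes.Length > 0 ? string.Join(", ", schemes) : "(none)")
             + "; IIS sub-status: " + (sub.Success ? sub.Value : "(not in body)");
    }

    static void Main()
    {
        // Constructed sample standing in for the server's reply; in the real client use
        //   var response = await client.PostAsJsonAsync("api/controller/Method", request);
        // and call DescribeAsync(response) before EnsureSuccessStatusCode().
        using (var sample = new HttpResponseMessage(HttpStatusCode.Unauthorized))
        {
            sample.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Negotiate"));
            sample.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("NTLM"));
            sample.Content = new StringContent("HTTP Error 401.2 - Unauthorized");
            Console.WriteLine(DescribeAsync(sample).GetAwaiter().GetResult());
        }
    }
}
```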