
I'm having some difficulty authenticating a request from a .NET MVC web app to a .NET Core service layer.

The two applications are running on the same IIS server under the same web site. The web application is configured for Windows authentication, but the intention is for it to authenticate to the service layer using the App Pool identity, or another arbitrary AD account. I do not want to pass basic auth credentials with each request to the service layer, nor do I want authenticated users to be able to access service layer controllers directly.

No matter what I do, the web app always seems to want to call the service layer as an anonymous user. The question is how do I make the request as an authenticated Windows user?

I am using HttpClient. It also might be significant that I'm only using HttpClient's async methods - as I've read that async spawns a new thread under a different security context.

Code from the web app is below.

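    using System.Collections.Generic;
    using System.Net.Http;
    using System.Threading.Tasks;

    public class SvcClient
    {
        public SvcClient()
        {
            // Base URL of the service layer, read from appSettings.
            string path = System.Configuration.ConfigurationManager.AppSettings["SvcPath"];

            Path = path;
        }

        private string Path { get; set; }

        // UseDefaultCredentials = true: use the credentials of the security
        // context the application is running in when the server asks for them.
        public HttpClient client = new HttpClient(new HttpClientHandler() { AllowAutoRedirect = true, UseDefaultCredentials = true });

        // Stuff is the application's own model type (not shown in the question).
        public async Task<List<Stuff>> GetStuffAsync()
        {
            string route = "Stuff/List";

            List<Stuff> stuff = null;

            HttpResponseMessage response = await client.GetAsync(Path + route);
            if (response.IsSuccessStatusCode)
            {
                // ReadAsAsync comes from the System.Net.Http.Formatting assembly.
                stuff = await response.Content.ReadAsAsync<List<Stuff>>();
            }
            return stuff;
        }
    }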
christok
  • What makes you think HttpClient spawns a new process under a different security context when using async? How did you configure the service layer? You haven't described what you did to make it use Windows authentication. – mason Jan 30 '18 at 03:54
  • Sorry, I meant a new thread, not a new process. There seems to be some debate over this. (https://stackoverflow.com/questions/19316172/httpclient-windows-auth-pass-logged-in-user-of-consumer-to-service). – christok Jan 30 '18 at 15:53
  • From what I understand, it should be sufficient to UseDefaultCredentials if you want it to use the credentials of the application pool. So if that's not working, I'm not the right person to give you any further guidance. Except to make sure that the service you're talking to properly has Windows Authentication set up. – mason Jan 30 '18 at 15:55
  • Thank you, I'll keep looking into it. – christok Jan 30 '18 at 17:34
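
The service-side setup that mason's last comment points at, as an added example that is not part of the original thread: an ASP.NET Core 2.x `Startup` that challenges every caller and admits only one AD account, which covers both requirements in the question (no anonymous calls, no direct access for ordinary authenticated users). It assumes the service is hosted behind IIS with Windows Authentication enabled for the application; the account name `EXAMPLE\svc-webapp`, the policy name `WebAppOnly` and the controller body are placeholders.

```csharp
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Placeholder: the AD account the web app's application pool runs as.
    private const string AllowedCaller = @"EXAMPLE\svc-webapp";

    public void ConfigureServices(IServiceCollection services)
    {
        // Authenticate with the Windows token that IIS forwards to the app.
        services.AddAuthentication(IISDefaults.AuthenticationScheme);

        services.AddAuthorization(options =>
        {
            // Admit exactly one account. Windows account names are compared
            // case-insensitively, so avoid an ordinal string match here.
            options.AddPolicy("WebAppOnly", policy =>
                policy.RequireAssertion(ctx =>
                    ctx.User.Identity != null &&
                    ctx.User.Identity.IsAuthenticated &&
                    string.Equals(ctx.User.Identity.Name, AllowedCaller,
                                  StringComparison.OrdinalIgnoreCase)));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC evaluates [Authorize]
        app.UseMvc();
    }
}

// An anonymous request is answered with a 401 challenge; any other
// authenticated Windows user is answered with 403.
[Authorize(Policy = "WebAppOnly")]
[Route("Stuff")]
public class StuffController : Controller
{
    // Returns the authenticated caller, useful for checking which identity
    // the web app's HttpClient actually presented.
    [HttpGet("List")]
    public IActionResult List() => Ok(new { caller = User.Identity.Name });
}
```

`HttpClientHandler` with `UseDefaultCredentials = true` sends credentials only in reply to a 401 challenge, so an endpoint that also accepts anonymous requests will see the caller as anonymous. With the `[Authorize]` policy in place the first request is challenged and the response shows which account was presented.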

0 Answers