PRB: "Access Denied" Error Message When You Call a Web Service While Anonymous Authentication Is Turned Off (811318)



The information in this article applies to:

  • Microsoft Web Services (included with the .NET Framework 1.1)
  • Microsoft ASP.NET (included with the .NET Framework 1.1)
  • Microsoft ASP.NET (included with the .NET Framework) 1.0
  • Microsoft Web Services (included with the .NET Framework) 1.0

SYMPTOMS

When you try to call a Web service application and Anonymous access authentication is turned off, you may receive the following error message.
The request failed with HTTP status 401: Access Denied.

Description: An unhandled exception occurred during the execution of the current Web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.WebException: The request failed with HTTP status 401: Access Denied.

CAUSE

When Anonymous access authentication is turned off for the Web service application, all caller applications must provide credentials before making any request. By default, the Web service client proxy does not inherit the credentials of the security context where the Web service client application is running.

RESOLUTION

To resolve this problem, you must use the Credentials property of the Web service client proxy to set the security credentials for Web service client authentication.

To set the Credentials property, do one of the following:
  • First Method
    Assign the DefaultCredentials to the Credentials property of the Web Service Proxy class to call the Web service while Anonymous access authentication is turned off. The DefaultCredentials property of the CredentialCache class provides system credentials of the security context where the application is running. To do this, use the following code:

    Visual C# .NET Sample
    //Assigning DefaultCredentials to the Credentials property
    //of the Web service client proxy (myProxy).
    myProxy.Credentials= System.Net.CredentialCache.DefaultCredentials;
    
    Visual Basic .NET Sample
    'Assigning DefaultCredentials to the Credentials property
    'of the Web service client proxy (myProxy).
    myProxy.Credentials= System.Net.CredentialCache.DefaultCredentials
    
  • Second Method
    You may also use the CredentialCache class to provide credentials for Web service client authentication. Create an instance of the CredentialCache class. Create an instance of NetworkCredential that uses the specified user name, password, and domain. Add the NetworkCredential to the CredentialCache class with the authentication type. To do this, use the following code:

    Visual C# .NET Sample
    //Create an instance of the CredentialCache class.
    CredentialCache cache = new CredentialCache();
    
    // Add a NetworkCredential instance to CredentialCache.
    // Negotiate for NTLM or Kerberos authentication.
    cache.Add( new Uri(myProxy.Url), "Negotiate", new NetworkCredential("UserName", "Password", "Domain")); 
    
    //Assign CredentialCache to the Web service client proxy (myProxy) Credentials property.
    myProxy.Credentials = cache;
    

    Visual Basic .NET Sample
    'Create an instance of the CredentialCache class.
    Dim cache As CredentialCache = New CredentialCache()
    
    'Add a NetworkCredential instance to CredentialCache.
    'Negotiate for NTLM or Kerberos authentication.
    cache.Add(New Uri(myProxy.Url), "Negotiate", New NetworkCredential("UserName", "Password", "Domain"))
    
    'Assign CredentialCache to the Web service client proxy (myProxy) Credentials property.
    myProxy.Credentials = cache
Note The CredentialCache class and the NetworkCredential class belong to the System.Net namespace.

For more information about how to set the Credentials property, see the "More Information" section in this article.
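
The following console program is an added example, not part of the original article. It shows what the Second Method's CredentialCache entry actually scopes: the credential is released only for the registered URL prefix and the "Negotiate" scheme, whereas a bare NetworkCredential answers any lookup. The environment variable name WS_CLIENT_PASSWORD, the host other-host.example, and the class and helper names are assumptions made for illustration.

```csharp
using System;
using System.Net;

class ScopedCredentialDemo
{
    // Second Method, as a helper: the credential is bound to one URL prefix
    // and one authentication scheme instead of being handed out generally.
    static CredentialCache BuildCache(Uri serviceUrl, NetworkCredential cred)
    {
        CredentialCache cache = new CredentialCache();
        cache.Add(serviceUrl, "Negotiate", cred);
        return cache;
    }

    // Ask a credential source what it would release for a given challenge.
    static string Lookup(ICredentials source, string url, string authType)
    {
        NetworkCredential c = source.GetCredential(new Uri(url), authType);
        string result = (c == null) ? "nothing released" : c.Domain + "\\" + c.UserName;
        return authType.PadRight(10) + url + " -> " + result;
    }

    static void Main()
    {
        // Assumption: the password comes from an environment variable
        // (hypothetical name) rather than a literal in source code.
        string password = Environment.GetEnvironmentVariable("WS_CLIENT_PASSWORD");
        if (password == null) password = "constructed-placeholder";

        NetworkCredential cred = new NetworkCredential("UserName", password, "Domain");
        string service = "http://localhost/WebServiceTest/Service1.asmx";
        string other = "http://other-host.example/Service1.asmx"; // constructed

        CredentialCache cache = BuildCache(new Uri(service), cred);

        // The cache answers only for the registered prefix and scheme.
        Console.WriteLine(Lookup(cache, service, "Negotiate"));
        Console.WriteLine(Lookup(cache, service, "Basic"));
        Console.WriteLine(Lookup(cache, other, "Negotiate"));

        // A bare NetworkCredential assigned to Credentials has no such scope:
        // its GetCredential returns itself for any URI and any scheme.
        Console.WriteLine(Lookup(cred, other, "Basic"));
    }
}
```

On the real proxy, the cache is assigned with myProxy.Credentials = cache, exactly as in the Second Method.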

STATUS

This behavior is by design.

MORE INFORMATION

DefaultCredentials represents the system credentials for the current security context where the application is running. For a client-side application, the default credentials are typically the Windows credentials (user name, password, and domain) of the user who is running the program. For ASP.NET programs, the default credentials are the user credentials of the identity for the ASP.NET worker process, or of the user who is being impersonated. In the following sample ASP.NET program, DefaultCredentials represents the ASPNET user account (or the NetworkService user account for applications that run on Microsoft Internet Information Services [IIS] 6.0) because impersonation of the caller is not configured.

Steps to Reproduce the Behavior

  1. Create a new ASP.NET Web Service by using Visual C# .NET or Visual Basic .NET.
  2. Name the project WebServiceTest.
  3. By default, Service1.asmx is created.
  4. Uncomment the default WebMethod "HelloWorld()".
  5. On the Build menu, click Build Solution.
  6. Turn off Anonymous access to WebServiceTest. To do this, follow these steps:
    1. In Control Panel, double-click Administrative Tools.
    2. Double-click Internet Information Services.
    3. Expand Internet Information Services, and then locate the WebServiceTest virtual directory.
    4. Right-click WebServiceTest, and then click Properties.
    5. Click the Directory Security tab.
    6. Under Anonymous access and authentication control, click Edit.
    7. In the Authentication Methods dialog box, click to clear the Anonymous access check box.
    8. Click to select the Integrated Windows authentication check box.

      Note Verify that only Integrated Windows authentication is selected.
    9. Click OK to close the Authentication Methods dialog box.
    10. Click OK to close Properties.
  7. On the Build menu, click Build Solution.
  8. Type the following address in the browser to view the Service1 Web service description:

    http://localhost/WebServiceTest/Service1.asmx

  9. Test the HelloWorld WebMethod. The WebMethod works as expected.
  10. Add a Web Reference to a test ASP.NET Web Application. To do this, follow these steps:
    1. Create a new ASP.NET Web Application by using Visual C# .NET or Visual Basic .NET. Name the project WebServiceCaller.
    2. By default, WebForm1.aspx is created.
    3. In Solution Explorer, right-click References, and then click Add Web Reference.
    4. In the Address text box, type the URL for WebServiceTest as follows:

      http://localhost/WebServiceTest/Service1.asmx

    5. Click Go or press ENTER, and then click Add Reference.
  11. In Solution Explorer, right-click WebForm1.aspx, and then click View Code.
  12. Append the following code to the Page_Load event:

    Visual C# .NET Sample:
    // Start an instance of the Web service client-side proxy.
    localhost.Service1 myProxy = new localhost.Service1();
    Response.Write( myProxy.HelloWorld());

    Visual Basic .NET Sample:
    'Start an instance of the Web service client-side proxy.
    Dim myProxy As localhost.Service1 = New localhost.Service1()
    Response.Write(myProxy.HelloWorld())
  13. On the Debug menu, click Start, and then view the application in the browser.
  14. The error message that is discussed in the "Symptoms" section appears in the browser.
  15. To resolve this problem, assign DefaultCredentials to the Credentials property of the Web service client-side proxy. To do this, insert the following code before the line "Response.Write( myProxy.HelloWorld())":

    Visual C# .NET Sample:
    myProxy.Credentials= System.Net.CredentialCache.DefaultCredentials;

    Visual Basic .NET Sample:
    myProxy.Credentials = System.Net.CredentialCache.DefaultCredentials
  16. Repeat step 13.

Modification Type: Minor
Last Reviewed: 7/8/2005
Keywords: kbAuthentication kbSecurity kberrmsg kbWebForms kbprb KB811318 kbAudDeveloper