C# - Windows authentication working from local to server, but not server to server


I have 2 sites, A and B. A consumes an API that B exposes, and B requires Windows authentication. Both sites live in domain D.

The API is consumed via HttpClient, and when site A is run locally, under a domain account (which is in domain P), access is granted. In this case, HttpClient is instantiated like so:

    using (var client = new HttpClient(new HttpClientHandler { UseDefaultCredentials = true }))

When A is deployed to a testing server, the above results in a 401 Unauthorized response. The application pool on the testing server is running under a service account in domain D.

When explicitly using that service account like this:

    var credential = new NetworkCredential("service-account", "password", "d");
    // Offer the explicit credential only to the API server, and only for NTLM.
    var cache = new CredentialCache
    {
        { new Uri(apiServerUri), "NTLM", credential }
    };
    var handler = new HttpClientHandler
    {
        Credentials = cache
    };

    using (var client = new HttpClient(handler))
        ...

and again running site A locally, access is still granted. Access is granted when accessing the API directly via a browser, and specifying the service account credentials. Logs indicate that the service account is being used to access the API.

Deploying the above to the testing server still results in a 401 Unauthorized.

Deploying site A to a local instance of IIS, it consumes the API of B.

Running site B locally, and accessing it via site A locally, results in a 401 Unauthorized.

Accessing the API through a browser on the testing server where A is deployed, and specifying the service account credentials, gives a 401 Unauthorized.

I'm not sure where to go from here - am I missing something in the code to get this working? Or is it an IIS or AD issue?

While I'm yet to determine why this workaround works, or if there is a better way of doing it (because this feels clunky), the following has allowed A to connect to B when both are sitting on the same server.

Site B has had an additional host binding set up in IIS, to listen on localhost:12345. Site A has been configured to connect to that endpoint, rather than the domain name for site B. Authentication is working correctly.

I would be interested if anyone can explain why this is the case - I dislike 'magic' fixes.

Edit: It would seem that this KB article is the cause of this behavior. Specifically:

When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or a later version, you may receive an error message that resembles the following: HTTP 401.1 - Unauthorized: Logon Failed. This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.

and

Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

Registry modifications aren't an option on these servers, so it looks like the workaround is what will be used.
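
A small diagnostic for the condition the quoted KB text describes, added here as an example (it is not code from the original post or from Microsoft): it flags a target whose name resolves to the calling machine but is not one of that machine's own names. The host names, addresses and the treatment of localhost as an own name are assumptions built from the scenario in the post.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

static class LoopbackCheckDiagnostic
{
    // Approximates the KB condition: the name maps to this machine
    // (loopback or one of its own addresses) but does not match the
    // local computer name. Assumption: "localhost" counts as a match,
    // since the localhost binding in the post authenticates.
    public static bool LikelyBlocked(string host, IEnumerable<IPAddress> resolved,
        ISet<IPAddress> localAddresses, ISet<string> machineNames)
    {
        bool mapsToSelf = resolved.Any(ip =>
            IPAddress.IsLoopback(ip) || localAddresses.Contains(ip));
        bool isOwnName = host.Equals("localhost", StringComparison.OrdinalIgnoreCase)
                         || machineNames.Contains(host);
        return mapsToSelf && !isOwnName;
    }

    static void Main()
    {
        // Constructed sample data: documentation-range addresses and
        // hypothetical names for the testing server that hosts A and B.
        var local = new HashSet<IPAddress> { IPAddress.Parse("192.0.2.10") };
        var names = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            { "WEB01", "web01.d.example" };

        var cases = new (string Host, string Ip, string Note)[]
        {
            ("siteb.d.example", "192.0.2.10", "A and B on the same server, custom host header"),
            ("localhost",       "127.0.0.1",  "extra localhost binding (the workaround)"),
            ("siteb.d.example", "192.0.2.20", "B hosted on a different machine"),
            ("WEB01",           "192.0.2.10", "server addressed by its own computer name"),
        };

        foreach (var c in cases)
        {
            bool blocked = LikelyBlocked(c.Host, new[] { IPAddress.Parse(c.Ip) }, local, names);
            Console.WriteLine($"{c.Host,-16} {c.Ip,-11} blocked={blocked,-5} {c.Note}");
        }
    }
}
```

On a real server, the resolved addresses would come from Dns.GetHostAddresses(host) and the local set from NetworkInterface.GetAllNetworkInterfaces(); they are passed in here so the check runs offline.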

