Microsoft KB Archive/811318

= PRB: &quot;Access Denied&quot; Error Message When You Call a Web Service While Anonymous Authentication Is Turned Off =

Article ID: 811318

Article Last Modified on 4/19/2007

-

APPLIES TO


 * Microsoft Web Services Enhancements for Microsoft .NET 1.1
 * Microsoft ASP.NET 1.1
 * Microsoft ASP.NET 1.0
 * Microsoft Web Services Enhancements for Microsoft .NET 2.0

-



SYMPTOMS
When you try to call a Web service application and Anonymous access authentication is turned off, you may receive the following error message.

The request failed with HTTP status 401: Access Denied.

Description: An unhandled exception occurred during the execution of the current Web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.WebException: The request failed with HTTP status 401: Access Denied.



CAUSE
When Anonymous access authentication is turned off for the Web service application, all the caller applications must provide the credentials before making any request. By default, the Web service client proxy does not inherit the credentials of the security context where the Web service client application is running.



RESOLUTION
To resolve this problem, you must use the Credentials property of the Web service client proxy to set the security credentials for Web service client authentication.

To set the Credentials property, do one of the following:   First Method

Assign the DefaultCredentials to the Credentials property of the Web Service Proxy class to call the Web service while Anonymous access authentication is turned off. The DefaultCredentials property of the CredentialCache class provides system credentials of the security context where the application is running. To do this, use the following code:

Visual C# .NET Sample //Assigning DefaultCredentials to the Credentials property //of the Web service client proxy (myProxy). myProxy.Credentials= System.Net.CredentialCache.DefaultCredentials; Visual Basic .NET Sample 'Assigning DefaultCredentials to the Credentials property 'of the Web service client proxy (myProxy). myProxy.Credentials= System.Net.CredentialCache.DefaultCredentials   Second Method

You may also use the CredentialCache class to provide credentials for Web service client authentication. Create an instance of the CredentialCache class. Create an instance of NetworkCredential that uses the specified user name, password, and domain. Add the NetworkCredential to the CredentialCache class with the authentication type. To do this, use the following code:

Visual C# .NET Sample //Create an instance of the CredentialCache class. CredentialCache cache = new CredentialCache;

// Add a NetworkCredential instance to CredentialCache. // Negotiate for NTLM or Kerberos authentication. cache.Add( new Uri(myProxy.Url), &quot;Negotiate&quot;, new NetworkCredential(&quot;UserName&quot;, &quot;Password&quot;, &quot;Domain&quot;));

//Assign CredentialCache to the Web service Client Proxy(myProxy) Credetials property. myProxy.Credentials = cache;

Visual Basic .NET Sample 'Create an instance of the CredentialCache class. Dim cache As CredentialCache = New CredentialCache

'Add a NetworkCredential instance to CredentialCache. 'Negotiate for NTLM or Kerberos authentication. cache.Add(New Uri(myProxy.Url), &quot;Negotiate&quot;, New NetworkCredential(&quot;UserName&quot;, &quot;Password&quot;, &quot;Domain&quot;))

'Assign CredentialCache to the Web service Client Proxy(myProxy) Credetials property. myProxy.Credentials = cache 

Note The CredentialCache class and the NetworkCredential class belong to the System.Net namespace.

For more information about how to set the Credentials property, see the &quot;More Information&quot; section in this article.



STATUS
This behavior is by design.



MORE INFORMATION
DefaultCredentials represents the system credentials for the current security context where the application is running. For a client-side application, the default credentials are typically the Windows credentials such as user name, password, and domain of the user who is running the program. For ASP.NET programs, the default credentials are the user credentials of the identity for the ASP.NET worker process, or the user who is being impersonated. In the following sample ASP.NET program, DefaultCredentials represents the ASPNET user account (or NetworkService user account for applications run on Microsoft Internet Information Services [IIS] 6.0) because no impersonation is set to the caller.

Steps to Reproduce the Behavior
 Create a new ASP.NET Web Service by using Visual C# .NET or Visual Basic .NET. Name the project WebServiceTest. By default, Service1.asmx is created.</li> Uncomment the default WebMethod &quot;HelloWorld&quot;.</li> On Build menu, click Build Solution.</li> Turn off Anonymous access to WebServiceTest. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> In Control Panel, double-click Administrative Tools.</li> Double-click Internet Information Services.</li> Expand Internet Information Services, and then locate the WebServiceTest virtual directory.</li> Right-click WebServiceTest, and then click Properties.</li> Click the Directory Security tab.</li> Under Anonymous access and authentication control, click Edit.</li> In the Authentication Methods dialog box, click to clear the Anonymous access check box.</li> Click to select the Integrated Windows authentication check box.

Note Verify that only Integrated Windows authentication is selected.</li> Click OK to close the Authentication Methods dialog box.</li> Click OK to close Properties.</li></ol> </li> On the Build menu, click Build Solution.</li> Type the following address in the browser to view the Service1 Web service description:

http://localhost/WebServiceTest/Service1.asmx

</li> <li>Test the HelloWorld WebMethod. The WebMethod works as expected.</li> <li>Add a Web Reference to a test ASP.NET Web Application. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Create a new ASP.NET Web Application by using Visual C# .NET or Visual Basic .NET. Name the project WebServiceCaller.</li> <li>By default, WebForm1.aspx is created.</li> <li>In Solution Explorer, right-click References, and then click Add Web Reference.</li> <li>In the Address text box, type the URL for WebServiceTest as follows:

http://localhost/WebServiceTest/Service1.asmx

</li> <li>Click Go or press ENTER, and then click Add Reference.</li></ol> </li> <li>In Solution Explorer, right-click WebForm1.aspx, and then click View Code.</li> <li> Append the following code to the Page_Load event:

Visual C# .NET Sample: // Start an instance of the Web service client-side proxy. localhost.Service1 myProxy = new localhost.Service1; Response.Write( myProxy.HelloWorld); Visual Basic .NET Sample: 'Start an instance of the Web service client-side proxy. Dim myProxy As localhost.Service1 = New localhost.Service1 Response.Write(myProxy.HelloWorld) </li> <li>On the Debug menu, click Start, and then view the application in the browser.</li> <li>The error message that is discussed in the &quot;Symptoms&quot; section appears in the browser.</li> <li> To resolve this problem, assign DefaultCredentials to the Credentials property of the Web service client-side proxy. To do this, insert the following code before the line &quot;Response.Write( myProxy.HelloWorld)&quot;:

Visual C# .NET Sample: myProxy.Credentials= System.Net.CredentialCache.DefaultCredentials; Visual Basic .NET Sample: myProxy.Credentials = System.Net.CredentialCache.DefaultCredentials </li> <li>Repeat step 13.</li></ol>

<div class="references_section">