"401: Access Denied" when you call webservice in your webpart.
2005-08-03 19:54
441 查看
I recently ran into a big problem when I work on my ListAggregation webpart, the webpart need to pull some lists data from remote Wss site into my local Wss site, these two servers are not in the same domain, and all use the NTLM credential. So I desided to use the lists.asmx webservice to finish this task. In my webpart, I used System.Net.CredentialCache.DefaultCredentials to get the webservice credential, but when I deployed my webpart to my site, I got "The request failed with HTTP status 401: Access Denied." error. I really had no idea about this exception, but the error info indicates that it is about the permission problem, then after many times google, I just realised it is the security issue known as "double-hop". The "double-hop" issue will raise "if your webservice exists on another server than your SPS the client sends it credentials to the SPS-server (first hop) which tries to forward the credentials to the webservice server (2nd hop)"(Quoted from http://msmvps.com/obts/archive/2005/01/18/33146.aspx).
But fortunately I found that there are several approachs finally, which can handle the "double-hop" issue:
1. Give a specific credential, to do this, you need to create a NetworkCredential instance, and pass the specific "name","password","domain" as the parameters.
2. Enabling delegation. Take a look at this for more detail.
3. Create a COM+ component to encapsulate required functionality, refer to this article.
4. Basic Authentication (you need to use HTTPS as the security reason)
But I recommend the first method, but basically it is not so secure when you store your alias and password in the web.config, but you can encrypt the userName and password and store in the registry, then you need some configuration steps to get the encrypt info, to accomplish this, please refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;329290. And why I don't want to use the second mothed and the third method, about the second method, just as Nunos said, "You'll need to ask a domain admin to do this and normally they don't really like to accept this type of request". And about the third method, I think it is doable but you have to make more work and it is hard to deploy. Hope this helps.
But fortunately I found that there are several approachs finally, which can handle the "double-hop" issue:
1. Give a specific credential, to do this, you need to create a NetworkCredential instance, and pass the specific "name","password","domain" as the parameters.
2. Enabling delegation. Take a look at this for more detail.
3. Create a COM+ component to encapsulate required functionality, refer to this article.
4. Basic Authentication (you need to use HTTPS as the security reason)
But I recommend the first method, but basically it is not so secure when you store your alias and password in the web.config, but you can encrypt the userName and password and store in the registry, then you need some configuration steps to get the encrypt info, to accomplish this, please refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;329290. And why I don't want to use the second mothed and the third method, about the second method, just as Nunos said, "You'll need to ask a domain admin to do this and normally they don't really like to accept this type of request". And about the third method, I think it is doable but you have to make more work and it is hard to deploy. Hope this helps.
相关文章推荐
- Error 0x80070020 when you try to start a Web site in IIS 7.0
- In C how do you redirect stdin/stdout/stderr to files when making an execvp() or similar call?
- One-way web service call in BizTalk Orchestration
- Contention, poor performance, and deadlocks when you make Web service requests from ASP.NET applications
- What if you encounter a problem when consume your WCF service ? How to Diagnostic it ?
- FW:One-way web service call in BizTalk Orchestration
- HOW TO: Find the Problem Exception Stack When You Receive an UnhandledExceptionFilter Call in the St
- JAVA错误:AXIS Web Service Problem: No compiler found in your classpath! (you may need to add ‘tools.jar’)
- JAVA错误:AXIS Web Service Problem: No compiler found in your classpath! (you may need to add ‘tools.ja
- wsse:InvalidSecurity Error When Testing FND_PROFILE Web Service in Oracle Applications R 12.1.2 from SOAP UI (Doc ID 1314946.1)
- When you start the Distributed Transaction Coordinator service in Windows XP/Server 2003,you receive error -1-73737712(转载)
- HOW TO: Find the Problem Exception Stack When You Receive an UnhandledExceptionFilter Call in the St
- you need to have ldconfig in your PATH env when enabling luajit
- [转]Work With Odata in Web API: Create Your First Odata Service
- 401 Unauthorized when call WCF in BizTalk,The authentication header received from the server was 'Negotiate,NTLM'
- Program with sps 2003 Web Query Webservice,would you like to share your thought?
- [ASP.NET AJAX]Important notes when we create web service methods for some extenders in AjaxControlToolkit package
- Creating your first Web Service provider and consumer in LotusScript and Java.
- check whether you have multiple ContextLoader* definitions in your web.xml
- how to call Web service in Excel 2003 / Excel 2005