Comments on Allen Conway: Using Basic Authentication In REST Based Services Hosted in IIS
Feed updated: 2024-03-27T17:10:25.297-04:00. 25 comments.

shrawan4it (2017-07-24T13:03:34.589-04:00):
Very helpful, thanks a lot.

Anonymous (2017-04-25T06:59:29.556-04:00):
Hello Allen,

Sorry for digging up such a long post, I want to propose a modification to your solution. In CheckAccessCore method change:

    throw new WebFaultException<string>("Please provide a username and password", HttpStatusCode.Unauthorized);

to

    WebOperationContext.Current.OutgoingResponse.Headers.Add("WWW-Authenticate: Basic realm=\"My Servies\"");
    WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;

And your solution is usable with SOAP services accessed through standard ClientBase derivative.

Maciej G.

Anonymous (2016-08-05T05:34:18.678-04:00):
Thank you a thousand times for this blog entry. This was the solution for converting a working self-hosted WCF REST API with basic authentication to work in IIS.

Yogesh (2016-04-06T10:48:29.602-04:00):
One thing I learned is that do not trust MSDN documentation. No clarity, no details. Only for reading for time pass.

Anonymous (2016-02-08T04:17:25.078-05:00):
This guide seems to miss the tag

which is a sibling of

I don't know why no one has mentioned, if I don't put this tag I don't get the alert asking for user name and password.

I still cannot make my code call ServiceAuthorizationManager though. The alert pops up asking for the user name and password but nothing happens when I supply it.

Any ideas?

Anonymous (2015-12-02T05:13:12.828-05:00):
Still the best article on this area!

Anonymous (2015-07-29T21:21:22.771-04:00):
Trying this with .NET 4.0 and both running locally in Visual Studio and also trying while hosted in IIS 7.5. In both cases if the credentials specified in code are not a match, it throws a 401 error as expected but I never receive a prompt for credentials as you say will occur. Your screenshot shows a prompt for credentials, but I am not seeing this on my end. Please advise how you are getting this to occur.

Anonymous (2014-11-03T05:50:33.828-05:00):
You are probably sick of me by now but that's me. When I find something interesting I'm like a 5 year old boy.

Have been doing various tests and I have a change suggestion to your code:

    // Return true only if credentials are valid.
    // False returns a 500 Internal Server Error as http code
    if (credentials != null && CheckCredentials(credentials)) return true;

    WebOperationContext.Current.OutgoingResponse.Headers.Add("WWW-Authenticate: Basic realm='WCF_Service'");

    // Set the OutgoingResponse status code, otherwise the xml json will contain
    // the 401 error but the http response status code will be 200...
    WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
    throw new WebFaultException<string>("Unauthorized request", HttpStatusCode.Unauthorized);

Anonymous (2014-10-31T06:32:20.831-04:00):
Found out a simple way. In the CustomAuthorizationManager, if the operationContext.IncomingMessageProperties.Via.OriginalString matches the address of the mex endpoint, I return true ;-)
Did a simple test with Wcf Test Client. I can add using the mex endpoint but since there is no authentication possible from it, for every request I get a 401.

Anonymous (2014-10-31T06:04:09.616-04:00):
It is just great, really great. I'm really grateful for your post.

I've tested this on a basic connection (soap) too.

Can even test on SoapUI using the "authenticate pre-emptively".

Only negative point so far is that I cannot use the mex endpoint, because it is also hidden behind the authentication.

Tried to use different service behaviors for the mex endpoints but I didn't succeed yet.

Anonymous (2014-10-30T10:45:52.836-04:00):
Thank you for your fast answer. The certificate was ok. As I said on the last one, it was just the transport security activation.

Anonymous (2014-10-30T10:37:20.758-04:00):
Found it. Used my brain a little bit and all the information that I already read:

To go by https

Allen Conway (2014-10-30T10:17:33.418-04:00):
The 404 might be an indicator that you do not have the HTTPS binding set up or configured in IIS correctly and therefore it cannot be found. Have a look at something like http://www.codeproject.com/Tips/722979/Setting-up-IIS-with-HTTPS-Binding to ensure you have your HTTPS endpoint set up correctly.

Anonymous (2014-10-30T10:05:37.467-04:00):
Over http it works fine but when I try over https I get a 404 error. Any clue?

Thank you very much for this post. Have been searching for over a year. Didn't find this one on my first research.

Anonymous (2014-06-17T07:28:35.194-04:00):
Looking at the status codes using Fiddler I saw that in CheckAccessCore:
1. when throwing WebFaultException(HttpStatusCode.Unauthorized) it actually returns 500 instead of 401.
2. returning 'false' shows status code 500 in Fiddler instead of 403.
3. returning 'true' shows 200 and passes client to the requested resource.

Changing HttpContext.Response.StatusCode didn't help..

Anonymous (2014-04-04T19:06:56.044-04:00):
I have an Azure based WCF REST service and I am getting the following error in the development emulator:

The authentication schemes configured on the host ('Anonymous') do not allow those configured on the binding 'WebHttpBinding' ('Basic'). Please ensure that the SecurityMode is set to Transport or TransportCredentialOnly. Additionally, this may be resolved by changing the authentication schemes for this application through the IIS management tool, through the ServiceHost.Authentication.AuthenticationSchemes property, in the application configuration file at the element, by updating the ClientCredentialType property on the binding, or by adjusting the AuthenticationScheme property on the HttpTransportBindingElement.

Dan (2014-03-25T13:33:19.853-04:00):
What an awesome post man, great job, and great job with the rest of the posts.

Allen Conway (2013-12-14T09:05:08.426-05:00):
It's been a while since I ran this example but the WebOperationContext helper class has the details of the incoming request including headers and is not something manually populated in our code. Try using Fiddler to view the request to your REST WCF service and make sure the headers exist and contain the correct information. After that double check your WCF configuration to make sure it is pointing to the proper custom class. Make sure IIS is set to 'Anonymous'.

Anonymous (2013-12-14T07:31:16.682-05:00):
I have implemented the above functionality but while validating user credentials at the CoreAccess function I am getting "WebOperationContext.Current" as null. I don't know why this happens. Do you have any idea about this?

Anonymous (2013-11-21T19:52:15.062-05:00):
Well, I dumped a lot of time in this, and like you I discovered that there's no IIS7 support for the approach you outline in previous articles. I can't be too mad at you -- because overall you did save me with this article and you appear to be someone who can write well about technical matters. Thank you, sir.

Alpha (2013-10-30T12:42:21.056-04:00):
Hi,

I have found this question on Stack Overflow:

http://stackoverflow.com/questions/13166848/still-getting-duplicate-token-error-after-calling-duplicatetokenex-for-impersona/19688051#19688051

Did you find any answer? Is it possible? I'm doing exactly the same.

Thanks in advance

Anonymous (2013-10-24T20:31:21.937-04:00):
Thanks for the post. When trying to implement method level security, no username is given in securityCtx.PrimaryIdentity.Name. Is there another way?

Anonymous (2013-10-07T16:58:30.405-04:00):
Nice post.

Travich (2013-08-07T11:56:44.352-04:00):
One thing to help other users. It was briefly stated, but something I overlooked... Turn off Basic Auth in IIS and remove tag from your webHttpBinding!

Anonymous (2013-02-25T16:17:32.028-05:00):
I just tried the steps in this article (having read the 2 blog posts before this one only to find out I couldn't go that route since I want to host in IIS). Anyway - am happy to say that my initial efforts in following the steps in this post worked great. Looks like it will do the trick for me. Thanks!