Article ID: 811318 - Last Review: April 19, 2007 - Revision: 2.10

PRB: "Access Denied" Error Message When You Call a Web Service While Anonymous Authentication Is Turned Off

View products that this article applies to.

On This Page

Expand all | Collapse all

SYMPTOMS

When you try to call a Web service application and Anonymous access authentication is turned off, you may receive the following error message.
The request failed with HTTP status 401: Access Denied.

Description: An unhandled exception occurred during the execution of the current Web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.WebException: The request failed with HTTP status 401: Access Denied.
Back to the top

CAUSE

When Anonymous access authentication is turned off for the Web service application, all the caller applications must provide the credentials before making any request. By default, the Web service client proxy does not inherit the credentials of the security context where the Web service client application is running.
Back to the top

RESOLUTION

To resolve this problem, you must use the Credentials property of the Web service client proxy to set the security credentials for Web service client authentication.

To set the Credentials property, do one of the following:
  • First Method
    Assign the DefaultCredentials to the Credentials property of the Web Service Proxy class to call the Web service while Anonymous access authentication is turned off. The DefaultCredentials property of the CredentialCache class provides system credentials of the security context where the application is running. To do this, use the following code:

    Visual C# .NET Sample
    //Assigning DefaultCredentials to the Credentials property
//of the Web service client proxy (myProxy).
myProxy.Credentials= System.Net.CredentialCache.DefaultCredentials;
    Visual Basic .NET Sample
    'Assigning DefaultCredentials to the Credentials property
'of the Web service client proxy (myProxy).
myProxy.Credentials= System.Net.CredentialCache.DefaultCredentials
  • Second Method
    You may also use the CredentialCache class to provide credentials for Web service client authentication. Create an instance of the CredentialCache class. Create an instance of NetworkCredential that uses the specified user name, password, and domain. Add the NetworkCredential to the CredentialCache class with the authentication type. To do this, use the following code:

    Visual C# .NET Sample
    //Create an instance of the CredentialCache class.
CredentialCache cache = new CredentialCache();

// Add a NetworkCredential instance to CredentialCache.
// Negotiate for NTLM or Kerberos authentication.
cache.Add( new Uri(myProxy.Url), "Negotiate", new NetworkCredential("UserName", "Password", "Domain")); 

//Assign CredentialCache to the Web service Client Proxy(myProxy) Credetials property.
myProxy.Credentials = cache;

    Visual Basic .NET Sample
    'Create an instance of the CredentialCache class.
Dim cache As CredentialCache = New CredentialCache()

'Add a NetworkCredential instance to CredentialCache.
'Negotiate for NTLM or Kerberos authentication.
cache.Add(New Uri(myProxy.Url), "Negotiate", New NetworkCredential("UserName", "Password", "Domain"))

'Assign CredentialCache to the Web service Client Proxy(myProxy) Credetials property.
myProxy.Credentials = cache
Note The CredentialCache class and the NetworkCredential class belong to the System.Net namespace.

For more information about how to set the Credentials property, see the "More Information" section in this article.
Back to the top

STATUS

This behavior is by design.
Back to the top

MORE INFORMATION

DefaultCredentials represents the system credentials for the current security context where the application is running. For a client-side application, the default credentials are typically the Windows credentials such as user name, password, and domain of the user who is running the program. For ASP.NET programs, the default credentials are the user credentials of the identity for the ASP.NET worker process, or the user who is being impersonated. In the following sample ASP.NET program, DefaultCredentials represents the ASPNET user account (or NetworkService user account for applications run on Microsoft Internet Information Services [IIS] 6.0) because no impersonation is set to the caller.

Back to the top

Steps to Reproduce the Behavior

  1. Create a new ASP.NET Web Service by using Visual C# .NET or Visual Basic .NET.
  2. Name the project WebServiceTest.
  3. By default, Service1.asmx is created.
  4. Uncomment the default WebMethod "HelloWorld()".
  5. On Build menu, click Build Solution.
  6. Turn off Anonymous access to WebServiceTest. To do this, follow these steps:
    1. In Control Panel, double-click Administrative Tools.
    2. Double-click Internet Information Services.
    3. Expand Internet Information Services, and then locate the WebServiceTest virtual directory.
    4. Right-click WebServiceTest, and then click Properties.
    5. Click the Directory Security tab.
    6. Under Anonymous access and authentication control, click Edit.
    7. In the Authentication Methods dialog box, click to clear the Anonymous access check box.
    8. Click to select the Integrated Windows authentication check box.

      Note Verify that only Integrated Windows authentication is selected.
    9. Click OK to close the Authentication Methods dialog box.
    10. Click OK to close Properties.
  7. On the Build menu, click Build Solution.
  8. Type the following address in the browser to view the Service1 Web service description:
    http://localhost/WebServiceTest/Service1.asmx
  9. Test the HelloWorld WebMethod. The WebMethod works as expected.
  10. Add a Web Reference to a test ASP.NET Web Application. To do this, follow these steps:
    1. Create a new ASP.NET Web Application by using Visual C# .NET or Visual Basic .NET. Name the project WebServiceCaller.
    2. By default, WebForm1.aspx is created.
    3. In Solution Explorer, right-click References, and then click Add Web Reference.
    4. In the Address text box, type the URL for WebServiceTest as follows:
      http://localhost/WebServiceTest/Service1.asmx
    5. Click Go or press ENTER, and then click Add Reference.
  11. In Solution Explorer, right-click WebForm1.aspx, and then click View Code.
  12. Append the following code to the Page_Load event:

    Visual C# .NET Sample:
    // Start an instance of the Web service client-side proxy.
localhost.Service1 myProxy = new localhost.Service1();
Response.Write( myProxy.HelloWorld());
    Visual Basic .NET Sample:
    'Start an instance of the Web service client-side proxy.
Dim myProxy As localhost.Service1 = New localhost.Service1()
Response.Write(myProxy.HelloWorld())
  13. On the Debug menu, click Start, and then view the application in the browser.
  14. The error message that is discussed in the "Symptoms" section appears in the browser.
  15. To resolve this problem, assign DefaultCredentials to the Credentials property of the Web service client-side proxy. To do this, insert the following code before the line "Response.Write( myProxy.HelloWorld())":

    Visual C# .NET Sample:
    myProxy.Credentials= System.Net.CredentialCache.DefaultCredentials;
    Visual Basic .NET Sample:
    myProxy.Credentials = System.Net.CredentialCache.DefaultCredentials
  16. Repeat step 13.
Back to the top

REFERENCES

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
301273  (http://support.microsoft.com/kb/301273/EN-US/ ) HOW TO: Write a Simple Web Service by Using Visual Basic .NET
308359  (http://support.microsoft.com/kb/308359/EN-US/ ) HOW TO: Write a Simple Web Service by Using Visual C# .NET


For more information, visit the following Microsoft Web sites:
http://msdn2.microsoft.com/en-us/library/aa302415.aspx (http://msdn2.microsoft.com/en-us/library/aa302415.aspx)
http://msdn2.microsoft.com/en-us/library/w67h0dw7(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/w67h0dw7(vs.71).aspx)
http://msdn2.microsoft.com/en-us/library/system.net.credentialcache(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/system.net.credentialcache(vs.71).aspx)
http://msdn2.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials(vs.71).aspx (http://msdn2.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials(vs.71).aspx)
Back to the top
APPLIES TO
  • Microsoft Web Services Enhancements for Microsoft .NET 1.1
  • Microsoft ASP.NET 1.1
  • Microsoft ASP.NET 1.0
  • Microsoft Web Services (included with the .NET Framework) 1.0
Back to the top
Keywords: 
kbauthentication kbsecurity kberrmsg kbwebforms kbprb KB811318
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations