NTLM/Windows Authentication on Service to Service on same server breaking

Manish Khandelwal 0 Reputation points
2023-07-03T09:37:27.92+00:00

Hi Team,

I have written WebAPI to be protected by enabling Windows Authentication.

This webapi is working fine on connecting from external services or users.

But when a service on the same server connects to it, it fails. This other service is also a web application with Windows Authentication enabled.

When this other application connects to a WebAPI on a different server, it connects fine, but on the same server it returns a 401 Invalid Credentials error.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;} 
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;} 
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>


  1. Limitless Technology 44,516 Reputation points
    2023-07-04T14:15:15.07+00:00

    Hello,

    The error message you provided suggests that the service on the same server is encountering a 401 Unauthorized error when trying to connect to your WebAPI with Windows Authentication enabled. This issue can occur due to several reasons. Here are some potential causes and solutions to consider:

    1. Double-Hop Authentication: The scenario you described involves a double-hop authentication scenario, where the second service needs to authenticate on behalf of the original client. By default, Windows Authentication does not support delegation of credentials to another server. To enable delegation, you need to configure Kerberos Constrained Delegation or use other authentication mechanisms like Security Assertion Markup Language (SAML) or OAuth.

    2. SPN Configuration: Ensure that the Service Principal Name (SPN) is correctly configured for the WebAPI and the second service. The SPN is required for Kerberos authentication to work properly. You can use the setspn command-line tool to manage SPNs.

    3. Account Permissions: Verify that the account under which the second service is running has the necessary permissions to access the WebAPI. Ensure that the account is a member of the appropriate Windows security group that has access to the API.

    4. Local Intranet Zone: Check the Internet Options in the Control Panel on the server where the second service is running. Under the Security tab, make sure that the Local Intranet zone is set to "Automatic logon only in Intranet zone" or "Automatic logon with current username and password." This setting ensures that the Windows credentials of the logged-in user are passed to the WebAPI.

    5. Disable Anonymous Authentication: In the Internet Information Services (IIS) Manager, ensure that Anonymous Authentication is disabled for the WebAPI site/application and only Windows Authentication is enabled.

    6. Check for Loopback Restrictions: On the server where the WebAPI is hosted, Windows has a loopback check security feature that can prevent connections to the same machine using certain hostnames. You can disable this feature by adding a registry entry. Please refer to Microsoft's documentation on "DisableLoopbackCheck" for detailed steps.

    7. Network Connectivity and DNS: Verify that there are no network connectivity issues between the services. Ensure that the server's DNS settings are correct, and the server can resolve the hostname of the WebAPI server.

    8. Check Event Viewer Logs: Examine the Event Viewer logs on both servers for any related errors or warnings that could provide more information about the issue.

    If you have followed these steps and the issue persists, further investigation may be required. Consider consulting with your system administrator, network team, or contacting Microsoft Support for more targeted assistance based on your specific environment and setup.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    --If the reply is helpful, please Upvote and Accept as answer--

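An added diagnostic script for points 2, 6 and the local reproduction of the 401 in the answer above; it is not from the asker or the answerer. It assumes a constructed hostname api.example.local, a domain-joined IIS host where setspn.exe is available, and an administrative PowerShell session. It goes one step beyond the answer: rather than switching off the loopback check for the whole machine with DisableLoopbackCheck, it exempts only the hostname the local service actually calls via the MSV1_0 BackConnectionHostNames value, which is the narrower documented alternative.

```powershell
#Requires -RunAsAdministrator
# Added example; hostnames and URL are constructed placeholders, not from the thread.
param(
    [string]$ApiHost = 'api.example.local',          # assumed name the local service uses
    [string]$ApiUrl  = "https://$ApiHost/api/health"  # assumed endpoint to test
)

# 1. SPN check: a missing or duplicate HTTP/<host> SPN means Kerberos cannot be
#    negotiated for that name and the call falls back to NTLM (or fails).
Write-Host "== SPN lookup for HTTP/$ApiHost =="
setspn -Q "HTTP/$ApiHost"     # 'No such SPN found' or 'Duplicate SPN' both need fixing

# 2. Loopback check: read the current state instead of blindly disabling it.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$disable = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($null -eq $disable) { Write-Host 'DisableLoopbackCheck not set: loopback check is active (expected)' }
else                    { Write-Host "DisableLoopbackCheck = $disable (1 = protection off machine-wide)" }

# Weak setting (machine-wide, every hostname): what "disable this feature" amounts to.
#   Set-ItemProperty -Path $lsa -Name DisableLoopbackCheck -Value 1 -Type DWord
# Narrower setting: exempt only the one hostname the co-located service calls.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$existing = @((Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames |
              Where-Object { $_ })
if ($existing -notcontains $ApiHost) {
    New-ItemProperty -Path $msv -Name BackConnectionHostNames -PropertyType MultiString `
        -Value ($existing + $ApiHost) -Force | Out-Null
    Write-Host "Added $ApiHost to BackConnectionHostNames (restart IIS or reboot to apply)"
} else {
    Write-Host "$ApiHost already listed in BackConnectionHostNames"
}

# 3. Reproduce the same-server call with the current Windows identity.
#    A 401 here, while the same call from another host succeeds, points at
#    loopback check / SPN rather than at account permissions.
try {
    $r = Invoke-WebRequest -Uri $ApiUrl -UseDefaultCredentials -UseBasicParsing
    Write-Host "Local call succeeded: HTTP $($r.StatusCode)"
} catch {
    Write-Host "Local call failed: $($_.Exception.Message)"
}
```

Run it once from the server that hosts the calling service, then check the Security event log (point 8) for the matching logon event to see whether Kerberos or NTLM was negotiated.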
