
Machine hops - Basic Authentication

Author
31 Jul 2006 10:41 PM
siddharthkhare
This is the error that I get:
" Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection"


This is the flow:

IE ==> ASP.NET web site (Basic Authentication enabled and impersonation
true in web.config)
== makes a call to ==> Web service on a different machine (NT
authentication and impersonation is true) == ADO.NET ==> SQL Server

Now, before making the call to the web service, I am doing:

obj.Credentials = CredentialCache.DefaultCredentials;

I know I am dealing with the double-hop issue.

One of the solutions is to use basic authentication (the other solution
is Kerberos), but I can't make it work with basic authentication. I'm using
SSL on the website and basic authentication,

as explained here:
http://blogs.msdn.com/nunos/archive/2004/03/12/88468.aspx


What am I missing? Do I need to use basic authentication at the web service
(on the second box) also?

Thanks
Sidd

Author
1 Aug 2006 7:19 AM
David Wang [Msft]
The blog entry seems to say everything that is necessary. What work-around
did you choose?

Whether you need to use "basic authentication at web service (on second
box)" depends on the work-around that you used. The work-arounds are
basically:
1. Use Basic authentication everywhere
2. Use "Protocol Transitioning" on Windows Server 2003 to allow front-end to
be anything, like Basic over SSL, while back-end MUST use Kerberos
3. Use SQL Authentication to back-end

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Author
1 Aug 2006 10:56 AM
siddharthkhare
David,
I was trying the basic authentication solution.
I always thought basic authentication would pop up a window and the user has
to manually enter the login and password there.

1) So I have basic authentication enabled on the first box (the ASP.NET web
site).

2) ASP.NET makes a call to the web service on the second box.
If I enable basic authentication on the second box also, what does that
mean?
Will the second box prompt the first box for the login and password?
The web service is called from ASP.NET code, so that won't work...

Does it work differently if you have basic authentication on both
boxes? Meaning, does the first box create some sort of token and pass
that to box 2 so that box 2 does not prompt for the login and password?

I actually tried enabling basic authentication on the second box and I got
an "access denied" error.

This is the same error that you get when you enter the wrong login/password
in the box that basic authentication prompts you with. So that made me think
that the second box is trying to throw the basic authentication credentials box
to the ASP.NET code, and the ASP.NET code cannot handle it, so I get the access
denied error.

I did have this line of code when I was trying to use the basic
authentication box on both servers:

obj.Credentials = CredentialCache.DefaultCredentials

I am not sure if that affected it.
Thanks
Sidd
Author
1 Aug 2006 4:01 PM
Joe Kaplan (MVP - ADSI)
Just out of curiosity, do you know what the LogonMethod metabase property is
set to for the relevant web application?  When doing plaintext logons, IIS
can be configured to try a few different methods.  Not all methods preserve
the password for reuse, so that might have something to do with it.

I think the default setting, NETWORK_CLEARTEXT does preserve the password,
so this should not be the problem by default, but it could have been changed
to BATCH or NETWORK somehow and then it might not work.

You can look up the LogonMethod metabase property in MSDN for more info.
The LogonUser API documentation talks a little bit more about what these
flags mean.

Also, the most important troubleshooting technique available is to enable
all logon event auditing on both the front end and back end servers so that
you can see the details of the authentication taking place in IIS and on the
remote machine where it is failing.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Author
1 Aug 2006 4:15 PM
siddharthkhare
I will check the LogonMethod metabase property.

============================================THIS IS NOT THE SOLUTION=
but this is what I have to do in the ASP.NET page to be able to successfully
make the call to the web service.
The web service and the ASP.NET web application are on different boxes and both
have basic authentication enabled.

The following code sits in the ASP.NET page.

The call goes fine, but this is not the solution for my problem, because
here you have to give the login name and password while creating the network
credential object, and I do not have the password of the user.
Since ASP.NET is running in basic authentication, I want to pass the
credentials automatically.
In other words, I don't think I will have access to the user's password to be
able to pass it to the network credential object.

Anyway, the code is:
======================================
// Requires: using System; using System.Net;
WebReference.Service1 obj = new WebReference.Service1();

obj.Url = "http://XX.XX.X.XX/doublehopissuetest/service1.asmx";

// I don't think I can get to the user's password... problem here
NetworkCredential netCredential = new NetworkCredential("LoginName", "Password");

Uri uri = new Uri("http://XX.XX.X.XX/doublehopissuetest/service1.asmx");
ICredentials credentials = netCredential.GetCredential(uri, "Basic");
obj.Credentials = credentials;

//obj.Credentials = CredentialCache.DefaultCredentials;
obj.PreAuthenticate = true;
TextBox1.Text = obj.GetCredentials(); //obj.ConnectSQL();
======================================
Author
1 Aug 2006 4:40 PM
Joe Kaplan (MVP - ADSI)
You actually can get the user's plaintext password if they authenticated
with basic authentication.  Just read the AUTH_PASSWORD server variable, or
you can parse it out of the authorization header by converting the base64 to
binary, then converting that to a string using ISO-8859-1 encoding.  That
will result in a string like "user:password".  From there, you just parse
out the string.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Author
2 Aug 2006 1:27 AM
David Wang [Msft]
You misunderstand how authentication protocols, such as Basic
Authentication, work.

There is no login dialog box to worry about at all.

When you configure IIS to require Basic authentication, it just means that
IIS:
1. Checks the request for an Authorization header with protocol named
"Basic"
2. Base64-decodes the value of that request header into a blob of the
form username:password
3. Calls LogonUser with that username and password to retrieve an NT user
token
4. Uses that NT user token to impersonate the thread handling the request to
access resources on behalf of that NT user on the system

So, as long as the client sends the Authorization header with Basic user
credentials properly encoded, Basic Authentication is "working".

Now, Browsers are designed to make anonymous requests and expect 401
response for sites that require authentication. And how the browser responds
to a 401 response is arbitrary according to client-side configuration.
Browser may choose to pop up that login dialog. Or it can choose to
auto-authenticate. Etc. This is what happens on that first hop between web
browser and ASP.Net application.

On the second hop, ASP.Net application is making the new WebService request
as the "HTTP client", and since it is the client that decides on a login
dialog popup, ASP.Net has no such behavior and so there is no such login
dialog popup to worry about. Instead, you *must* figure out a way to have
ASP.Net make that request with an Authorization: Basic header. How that is
done, I have no idea -- it is ASP.Net specific behavior at this point.

Within ASP.Net code, you can parse out the username/password from the
Authorization: header. Or you can use AUTH_USER and AUTH_PASSWORD when
AUTH_TYPE == "Basic" to retrieve the same information.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
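
The header parsing and second-hop forwarding described in the replies above, as an added C# example (not code from any poster in this thread). `BasicHopHelper`, its method names, the sample user and the `backend.example` host are hypothetical; the HTTPS-only check and the per-URI `CredentialCache` binding are safeguards added here, since the recovered value is the user's plaintext password.

```csharp
using System;
using System.Net;
using System.Text;

// Added example: BasicHopHelper and its members are hypothetical names.
public static class BasicHopHelper
{
    // Decode "Basic <base64(user:password)>" using ISO-8859-1, as the thread describes.
    public static NetworkCredential ParseBasicHeader(string header)
    {
        const string scheme = "Basic ";
        if (header == null || !header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return null; // not a Basic logon: nothing to forward
        byte[] raw;
        try { raw = Convert.FromBase64String(header.Substring(scheme.Length).Trim()); }
        catch (FormatException) { return null; }
        string pair = Encoding.GetEncoding("ISO-8859-1").GetString(raw);
        int colon = pair.IndexOf(':'); // first colon only: passwords may contain ':'
        if (colon < 0) return null;
        return new NetworkCredential(pair.Substring(0, colon), pair.Substring(colon + 1));
    }

    // Bind the credential to one URI prefix and to the Basic scheme only, so the
    // plaintext password is never offered to another host or sent in the clear.
    public static ICredentials ForSecondHop(NetworkCredential user, Uri serviceUri)
    {
        if (user == null) throw new ArgumentNullException("user");
        if (serviceUri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Forward Basic credentials over HTTPS only.");
        CredentialCache cache = new CredentialCache();
        cache.Add(serviceUri, "Basic", user);
        return cache;
    }

    // In the page: pass Request.Headers["Authorization"] to ParseBasicHeader, assign the
    // result of ForSecondHop to obj.Credentials, and keep obj.PreAuthenticate = true.
    public static void Main()
    {
        // Constructed sample header for a made-up user; not taken from the thread.
        string header = "Basic " + Convert.ToBase64String(
            Encoding.GetEncoding("ISO-8859-1").GetBytes("alice:s3cr:et"));
        Uri backend = new Uri("https://backend.example/service1.asmx"); // placeholder host
        NetworkCredential cred = ParseBasicHeader(header);
        ICredentials hop = ForSecondHop(cred, backend);
        Console.WriteLine(cred.UserName);
        Console.WriteLine(hop.GetCredential(backend, "Basic") != null);
        Console.WriteLine(hop.GetCredential(new Uri("https://other.example/"), "Basic") == null);
    }
}
```

Because the front end now holds every user's password in memory for the length of the request, keep it out of logs, trace output and exception messages.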
