Web Service NTLM Authentication Trouble - InfoPath Dev
in

InfoPath Dev

Having trouble finding a blog or post that answers your question? Check out our Custom Search Page

Web Service NTLM Authentication Trouble

Last post 02-03-2010 02:05 PM by lambrite. 3 replies.
Page 1 of 1 (4 items)
Sort Posts: Previous Next
  • 09-10-2009 01:15 PM

    • ruselw
    • Not Ranked
    • Joined on 09-10-2009
    • Posts 3

    Web Service NTLM Authentication Trouble

    Hi Everyone! 

    The short version of my trouble is that I have forms that are trying to call a web service through the forms services web service proxy but they are being denied access to the web service because the proxy is not properly authenticating with the web service.  I understand that the proxy is supposed to authenticate using the MOSS service account but it is trying to impersonate the logged on user which doesn't work because I don't have Kerberos enabled.   I just want to make a secure web service connection without having to enable Kerberos or SSO.

    Here is the long version:  I created several web enabled forms that use a web service for querying and submitting data. They were all working fine except that when I got ready to move them to production I realized that I had left anonymous access enabled for the web service the whole time and my client frowns upon anonymous access in production.  Go figure!  I then changed the IIS settings for my web service to Integrated Windows Authentication only and made the appropriate changes in the web.config to only allow authorized users.  The result is that my forms work when I am logged in locally to the MOSS server, but if I access them from a different computer it becomes a double hop scenario and the form calls the web service without authenticating and is denied access.  I just want the form to use the MOSS service account to call the web service and after doing some research it appears that the Forms Service Proxy is designed to allow me to do just that.  I enabled the Forms Service Proxy in SharePoint Central Admin and in all my UDC files, but my forms are still trying to impersonate my account when they call the web service instead of using the MOSS service account as I would expect.  I have verified this by checking the IIS logs.  I know that the forms are using the proxy because if I disable the proxy in SharePoint Central Admin I receive errors in the SharePoint logs saying that an exception occurred in the Forms Service Proxy.  That error goes away when I re-enable the proxy.  I know SSO is another option but I don't want to use it because I understand that the users will have to enter their passwords the first time they use it and that is really not an option.

     Does anyone have any ideas of how I can troubleshoot this?  Please help!

     Russ

  • 02-01-2010 01:53 PM In reply to

    Re: Web Service NTLM Authentication Trouble

    Did you figure this out? I am running into the same problem - whenever I display the form in a browser, it results in a 401 error.  There doesn't seem to be much documentation about webservices that are not related to MOSS. 

    I am calling a service which requires basic authentication but is open to all domain users, on a different domain. I have tried

    • locally managed UDCX
    • locally managed UDCX with SSO entry
    • centrally managed UDCX
    • centrally managed UDCX with SSO entry

    I do not have kerberos enabled and would prefer not to enable it.  My understanding was that enabling SharePoint's SSO would handle the double hop issue (so that kerberos is unnecessary); do I misunderstand that?

     

  • 02-02-2010 09:25 PM In reply to

    • ruselw
    • Not Ranked
    • Joined on 09-10-2009
    • Posts 3

    Re: Web Service NTLM Authentication Trouble

     Yep, I ended up using centrall managed UDCX with SSO.  Here's what I did:

    • Enabled SSO through central admin website
    • In the SSO screen in central admin, created a new SSO application 
    • Created a single group mapping from the Domain Users group to a service account that had access to the web service. 
    • Added the following tag to my UDCX:
    <udc:Authentication>
    <udc:SSO AppId="MyApp" CredentialType="NTLM"></udc:SSO>
    </udc:Authentication>
    In your case you need to replace NTLM with Basic.  Note that with this method you are always using the same account to connect to the web service.  If you wanted to pass along the user credentials you would probably have write a custom screen to let them do that.  Yikes!  This was a really painful setup process for something that would have been very simple in plain old .NET.  Just one of the many ways InfoPath makes life harder for programmers...
  • 02-03-2010 02:05 PM In reply to

    Re: Web Service NTLM Authentication Trouble

    Thank you so much for your suggestion!  Changing it to basic, along with changing my SSO entry to not use Windows Authentication, did the trick! 

Page 1 of 1 (4 items)
Copyright © 2003-2017 Qdabra Software. All rights reserved.
View our Terms of Use.