0
votes

Here is my scenario: I have a SharePoint site I am working on, and it is on one server farm. In this site, I have created an HttpHandler that uses a SharePoint search webservice that is located on a different server. So that looks something like this:

  1. SharePoint Server A, where my site lives
    • Has a service reference to SharePoint search web service on Server B
    • Has an http handler that uses the service reference to call the search service
  2. SharePoint Server B, where the search service lives

My code looks like this:

using System.Net;
using System.ServiceModel;

// Transport-level credentials only (plain HTTP), NTLM as the client authentication scheme
BasicHttpBinding binding = new BasicHttpBinding();

binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;

QueryServiceSoapClient _queryService = new QueryServiceSoapClient(binding, new EndpointAddress("http://easearch.ea.com/_vti_bin/search.asmx"));
_queryService.ClientCredentials.Windows.AllowNtlm = true;
_queryService.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
// Use the credentials of the account the calling process runs as (the app pool identity inside the handler)
_queryService.ClientCredentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
//_queryService.ClientCredentials.Windows.ClientCredential = new NetworkCredential("MyUsername", "MyPassword", "MyDomain"); //This is the only way it seems to work
//NetworkCredential userCredential = CredentialCache.DefaultCredentials.GetCredential(_queryService.Endpoint.ListenUri, "NTLM");
//_queryService.ClientCredentials.Windows.ClientCredential = userCredential;

string status = _queryService.Status();

If I use this code from a console application on my dev box, it works as expected. But when I try to use the same code from my http handler, it gives the error

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.

I've tried a number of different combinations of the code above and the only one that works from my HttpHandler is when I directly provide my credentials. Anyone have any ideas?

Thanks.

1 Answer

1
votes

NTLM cannot delegate credentials to a remote server.

This is known as the "double hop" issue. http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx

You'll have to configure Kerberos. Basically:

  • Configure SharePoint to use Kerberos (in "authentication provider" in central administration)
  • Create an SPN for SharePoint on your application pool account (with command line "setspn")
  • Create an SPN for the website running on server B on the application account running this site
  • Configure delegation between the two

Yes, Kerberos is not that easy to put in place...
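The SPN and delegation steps from the answer above, written out as an added example (not from the question or the answer). It assumes the RSAT ActiveDirectory module, an elevated prompt, and placeholder account and host names (CONTOSO, svc-sp-web, intranet.contoso.com, svc-sp-search); easearch.ea.com is the search host from the question. It uses constrained delegation (msDS-AllowedToDelegateTo) so the Server A account can only forward tickets to the search SPNs:

```powershell
# Added example: SPNs and constrained delegation for the double-hop scenario.
# Prerequisite (answer bullet 1): users must already authenticate to Server A
# with Kerberos, otherwise there is no ticket to delegate.
Import-Module ActiveDirectory

$domain        = 'CONTOSO'               # assumed placeholder
$spWebAccount  = 'svc-sp-web'            # assumed: app pool account of the site on Server A
$spWebHost     = 'intranet.contoso.com'  # assumed: host name users browse to on Server A
$searchAccount = 'svc-sp-search'         # assumed: app pool account of the search site on Server B
$searchHost    = 'easearch.ea.com'       # search host from the question

$spWebShort  = $spWebHost.Split('.')[0]
$searchShort = $searchHost.Split('.')[0]

# Answer bullet 2: SPNs for the Server A site on its app pool account.
# -S refuses to add a duplicate SPN; register both the FQDN and the short name.
setspn -S "HTTP/$spWebHost"  "$domain\$spWebAccount"
setspn -S "HTTP/$spWebShort" "$domain\$spWebAccount"

# Answer bullet 3: SPNs for the search site on Server B.
setspn -S "HTTP/$searchHost"  "$domain\$searchAccount"
setspn -S "HTTP/$searchShort" "$domain\$searchAccount"

# Answer bullet 4: delegation. Constrained delegation lists exactly which
# services the Server A account may present the user's ticket to.
Set-ADUser -Identity $spWebAccount -Add @{
    'msDS-AllowedToDelegateTo' = @("HTTP/$searchHost", "HTTP/$searchShort")
}
# Keep unconstrained delegation off on that account (it would allow forwarding to any service).
Set-ADAccountControl -Identity $spWebAccount -TrustedForDelegation $false

# Checks: a duplicate SPN anywhere in the forest makes Kerberos fail and
# clients silently fall back to NTLM, which reproduces the original error.
setspn -X
setspn -L "$domain\$spWebAccount"
setspn -L "$domain\$searchAccount"
Get-ADUser -Identity $spWebAccount -Properties msDS-AllowedToDelegateTo |
    Select-Object -ExpandProperty msDS-AllowedToDelegateTo
```

For the handler itself, the WCF client then needs to run while impersonating the request's Windows identity and use HttpClientCredentialType.Windows (Negotiate) with AllowedImpersonationLevel set to Delegation; with ClientCredentialType left at Ntlm the call still cannot use Kerberos. On Server A, klist run under the app pool account should then show a ticket for HTTP/easearch.ea.com after a request.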