Some customers of our application have ISA Server that requires Proxy Authentication.
When ASP.NET applcicationed called external web services (e.g. Google APIs) it caused the error:
The request failed with HTTP status 407: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. ).
In .Net 1/1.1. it was required to set in code myProxy.Credentials = CredentialCache.DefaultCredentials .
Now in .Net 2. there is a new defaultProxy attribute useDefaultCredentials that specifies whether the default credentials for this host are used to access the web proxy. The default value is false.
If it is set to true, ISA Server is happy because .NET sends user credentials in format “DomainName\ServerName$”(which corresponds to Web Server “NETWORK SERVICE“ account.
Note The settings of useDefaultCredentials should be done in <system.net> <defaultProxy> element in web.config or machine.config. Note that .NET Framework 2.0 provides a machine-level Web.config file that has ASP.NET–specific configuration settings. It means that changes in machine.config may have no effect for application, until you modify the machine-level Web.config file(located in %windir%\Microsoft.NET\Framework\{version}\CONFIG folder) to remove/comment out <defaultProxy> section in it(by default it has <proxy usesystemdefault="true" />)
By the way, attributes in proxy element according to Intellisense expect to have “False” and “True” with upper case first character, but documentation show “false” and “true” all in low case. Fortunately .Net framework is not case-sensitve in this case -and both spellings work fine.
UPDATE: It was found, that sometimes it is not enough, and the same error appears.
You need to change IIS worker process account to be LAN user ID( for security reason do not use any personal account, but create new account with minimal permissions and add only those permissions that required..
Change Identity of user account in Application Pool.
- In IIS Manager, expand the local computer, expand Application Pools,
- Ensure that your Web Application is under selected application pool.
- Right-click the application pool, and then click Properties.
- Click the Identity tab, and click Configurable.
- In the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate. The account should be added to the IIS_WPG group and have a permission “run as part of operating system”
- Click OK.
Add the account to the IIS_WPG group
|
1. |
Click Start, right-click My Computer, and then click Manage. |
|
2. |
Expand Local Users and Groups, and then click Groups. |
|
3. |
In the Name column, right-click IIS_WPG, and then click Properties. |
|
4. |
Click Add. |
|
5. |
In the Select Users dialog box, type User Account. |
|
6. |
click OK. |
|
7. |
Click OK to add the account to the IIS_WPG group. |
Add “Act as part of the operating system" permission,
|
1. |
Go to Control Panel / Administrative Tools |
|
2. |
Run Local Security Policy. |
|
3. |
Select User Rights Assignment under Local Policies in the left pane. |
|
4. |
Double-click the "Act as part of the operating system" policy in the right pane, and add your specified user account |
Update: See also related post: Call WebServices through SQuid proxy server with authentication requested
posted @ Wednesday, March 08, 2006 11:19 AM