[英]Getting Unauthorized : Access denied on web api
So a while ago I created a web api to log who is using all our application. 所以不久前,我创建了一个Web API来记录谁在使用我们的所有应用程序。
In dev, it works fine. 在开发人员中,它可以正常工作。 It prod, it worked for a month and all of suddenly stopped working. 它生产了一个月,然后突然停止工作。 To the best of my knowledge nothing has changed on the prod site. 据我所知,产品网站上没有任何变化。
If I hit the webapi directly, it works. 如果我直接点击webapi,它就可以工作。 It's when I'm using a site calling the api then the problem occurs. 这是当我使用一个调用api的网站时发生的问题。
I've checked, the IIS settings between dev and prod are the same. 我检查过,dev和prod之间的IIS设置是相同的。 (Both windows authentication and it's advanced settings are the same, anonymous is off.) (Windows身份验证及其高级设置相同,匿名关闭。)
Both sites are using the same application pool (the client site and api site). 两个站点都使用相同的应用程序池(客户端站点和api站点)。 With domain accounts as the identity. 以域帐户为标识。
I've done file compares between dev and prod of the web.config and applicationhost.config and nothing seems out of the ordinary. 我已经完成了web.config和applicationhost.config的dev和prod之间的文件比较,似乎没有什么异常。
I'm running out of ideas of what to check. 我已经没有什么要检查的想法了。
Web api controller Web API控制器
[Authorize]
public class ValuesController : ApiController
{
public string Get(string samAccountName, bool success, string permissionName)
{
var returnValue = "Failed";
if (!string.IsNullOrWhiteSpace(samAccountName) && !string.IsNullOrWhiteSpace(permissionName))
{
// Do my logging (removed all the try catch etc to simplify thing)
returnValue = "Success";
}
return returnValue;
}
}
Code to hit the api on the client 在客户端上打API的代码
/// <summary>
/// This method calls a web api get method to log the call of the audit
/// </summary>
/// <param name="authorityName">This is the name of the permission to check</param>
/// <param name="success">This is the flag to determine if the call was successful.</param>
/// <returns>Returns an Async task</returns>
private async Task WriteToAuditLogAsync(string authorityName, bool success)
{
try
{
using (var client = new HttpClient(new HttpClientHandler { UseDefaultCredentials = true }))
{
client.BaseAddress = new Uri(GlobalConfiguration.AuditBaseAddress);
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
var values = string.Format(
CultureInfo.InvariantCulture, GlobalConfiguration.AuditApivalue,
this.userName.ToUpper(CultureInfo.InvariantCulture),
success.ToString(),
authorityName.ToUpper(CultureInfo.InvariantCulture));
// HTTP GET
var response = await client.GetAsync(values, HttpCompletionOption.ResponseHeadersRead).ConfigureAwait(false);
}
}
catch (Exception ex)
{
LogWriter.CriticalError(ex);
}
}
Error message 错误信息
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
Here are sections of the web.config 这是web.config的部分
<appSettings>
<add key="webpages:Version" value="3.0.0.0" />
<add key="webpages:Enabled" value="false" />
<add key="ClientValidationEnabled" value="true" />
<add key="UnobtrusiveJavaScriptEnabled" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
<customErrors mode="Off" />
<authentication mode="Windows" />
</system.web>
<system.webServer>
<security>
<authorization>
<clear />
<add accessType="Allow" users="*" />
</authorization>
</security>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
dev IIS log 开发IIS日志
2016-07-15 14:26:45 10.9.9.9 GET /ApmApi/api/Values samAccountName=somename&success=True&permissionName=somePermission 80 - 10.9.9.9- - 401 2 5 593
2016-07-15 14:26:53 10.9.9.9 GET /ApmApi/api/Values samAccountName=somename&success=True&permissionName=somePermission 80 Domain\AppPool 10.9.9.9- - 200 0 0 7015
Prod IIS log - It seems like the permissions are being sent.. Prod IIS日志-似乎正在发送权限。
2016-07-15 17:09:45 10.9.9.8 GET /ApmApi/api/Values samAccountName=somename&success=True&permissionName=somePermission 80 - 10.9.9.8 - - 401 2 5 546
2016-07-15 17:09:45 10.9.9.8 GET /ApmApi/api/Values samAccountName=somename&success=True&permissionName=somePermission 80 - 10.9.9.8 - - 401 1 3221225581 0
If you are running out of ideas I'd recommend going through David Wang's excellent checklist: 如果您没有足够的想法,建议您仔细阅读David Wang的出色清单:
HOWTO: Diagnose 401.x HTTP errors on IIS HOWTO:在IIS上诊断401.x HTTP错误
确保已将集成作为应用程序池托管管道模式。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.