Geeks With Blogs

Michael Freidgeim's OLD Blog My Blog has been MOVED to https://mfreidge.wordpress.com

Some customers of our application have ISA Server that requires Proxy Authentication.

When the ASP.NET application called external web services (e.g. Google APIs), it caused the error:

The request failed with HTTP status 407: Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. ).

 

In .NET 1.0/1.1 it was required to set this in code: myProxy.Credentials = CredentialCache.DefaultCredentials

In .NET 2.0 there is a new defaultProxy attribute, useDefaultCredentials, that specifies whether the default credentials for this host are used to access the web proxy. The default value is false.
If it is set to true, ISA Server is happy because .NET sends user credentials in the format “DomainName\ServerName$” (which corresponds to the web server's “NETWORK SERVICE” account).

Note: useDefaultCredentials should be set in the <system.net> <defaultProxy> element in web.config or machine.config. Note that .NET Framework 2.0 provides a machine-level Web.config file that has ASP.NET-specific configuration settings. This means that changes in machine.config may have no effect on the application until you modify the machine-level Web.config file (located in the %windir%\Microsoft.NET\Framework\{version}\CONFIG folder) to remove or comment out the <defaultProxy> section in it (by default it has <proxy usesystemdefault="true" />).

By the way, according to Intellisense the attributes of the proxy element expect “False” and “True” with an upper-case first character, but the documentation shows “false” and “true” all in lower case. Fortunately the .NET Framework is not case-sensitive here, and both spellings work fine.
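
The setting described above as a web.config fragment. This is an added example, not taken from the original post; the explicit proxy address in the comment is a placeholder.

```xml
<!-- Added example: application web.config (not from the original post). -->
<configuration>
  <system.net>
    <!--
      useDefaultCredentials defaults to false, so outbound web service calls
      reach the proxy unauthenticated and ISA Server answers with HTTP 407.
      With true, .NET authenticates to the proxy as the worker process
      identity (DomainName\ServerName$ when the pool runs as NETWORK SERVICE).
    -->
    <defaultProxy useDefaultCredentials="true">
      <!-- Same proxy element the machine-level Web.config ships with:
           take the proxy address from the system (Internet Explorer) settings. -->
      <proxy usesystemdefault="true" />
      <!--
        Alternative with an explicit proxy. The address is a placeholder
        (assumption), replace it with your own proxy:
        <proxy usesystemdefault="false"
               proxyaddress="http://proxy.example.internal:8080"
               bypassonlocal="true" />
      -->
    </defaultProxy>
  </system.net>
</configuration>
```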

 

UPDATE: It was found that sometimes this is not enough, and the same error appears.
You need to change the IIS worker process account to a LAN user ID (for security reasons do not use any personal account, but create a new account with minimal permissions and add only those permissions that are required).

Change Identity of user account in Application Pool.

  1. In IIS Manager, expand the local computer, expand Application Pools.
  2. Ensure that your Web Application is under selected application pool.
  3. Right-click the application pool, and then click Properties.
  4. Click the Identity tab, and click Configurable.
  5. In the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate. The account should be added to the IIS_WPG group and have the “Act as part of the operating system” permission.
  6. Click OK.

Add the account to the IIS_WPG group.

  1. Click Start, right-click My Computer, and then click Manage.
  2. Expand Local Users and Groups, and then click Groups.
  3. In the Name column, right-click IIS_WPG, and then click Properties.
  4. Click Add.
  5. In the Select Users dialog box, type the user account.
  6. Click OK.
  7. Click OK to add the account to the IIS_WPG group.

Add the “Act as part of the operating system” permission.

  1. Go to Control Panel / Administrative Tools.
  2. Run Local Security Policy.
  3. Select User Rights Assignment under Local Policies in the left pane.
  4. Double-click the “Act as part of the operating system” policy in the right pane, and add your specified user account.

 

Update: See also related post: Call WebServices through SQuid proxy server with authentication requested  

Posted on Wednesday, March 8, 2006 11:19 AM ASP.NET, .Net Framework


Comments on this post: Set defaultProxy configuration Element for Proxy Server

# re: Set defaultProxy configuration Element for Proxy Server
Hi Michael,
The above mentioned changes are to be made in Web.Config or the .aspx page.

I am consuming a webservice out of our network, development on VS.Net 2005 (could not even add web reference through VS.Net 2003), Lang: VB, .Net 2.0


Thanks
Vijay
Left by vijay on Apr 19, 2006 9:55 PM

# re: Set defaultProxy configuration Element for Proxy Server
useDefaultCredentials is an attribute of the <configuration> <system.net> <defaultProxy> element that can be specified in web.config or machine.config.
Left by Michael Freidgeim on Apr 20, 2006 7:41 AM

# re: Set defaultProxy configuration Element for Proxy Server
Great! I send email via ISA server and have trouble. I searched so many links but can't resolve. Your entry is so suitable with me. Thanks
Left by Nghi on Dec 01, 2009 2:46 AM

# re: Set defaultProxy configuration Element for Proxy Server
hello,

very useful post. I have the same issue with this proxy server. very very much thanks.
Left by canada flowers on Sep 11, 2011 9:19 PM

# re: Set defaultProxy configuration Element for Proxy Server
Hi,
I am getting the below error when I am calling a LinkedIn service from my ASP.net application.
"An error occurred while requesting Request Token at https://api.linkedin.com/uas/oauth/requestToken
with parameters oauth_consumer_key=eo7prot76lkr&oauth_signature_method=HMACSHA1&oauth_timestamp=1343124667&oauth_nonce=4417284&oauth_version=1.0&oauth_callback=http://localhost:62449/SocialAuth/validate.sauth&oauth_signature=TTsmJCXraOhsfvQKl6l/icJqejo=The remote name could not be resolved: 'linkedin.com' "

I have added the below code in web.config as mentioned above.
<system.net>
<defaultProxy>
<proxy usesystemdefault="False" proxyaddress="http://linkedIn.com" bypassonlocal="True" autoDetect="False"/>
</defaultProxy>
</system.net>


I am getting the same error even after adding the above code. Don't know where I went wrong. Please help me out.
Left by purushotham on Jul 24, 2012 8:15 PM

# re: Set defaultProxy configuration Element for Proxy Server
My post was about authentication; your error is related to domain resolution. Ensure that you can access http://api.linkedin.com/v from your server. Proxyaddress is the address of your domain proxy, it is not http://linkedin.com/
Left by michael freidgeim on Jul 24, 2012 10:29 PM

# re: Set defaultProxy configuration Element for Proxy Server
I have done all the steps, but I have issues with a web application on IIS with AD authentication. When a request is going through the proxy, the credential is coming as IWAM_computer name, not the functional account used in the Application pool
Left by Joji on Sep 20, 2017 5:26 AM

# re: Set defaultProxy configuration Element for Proxy Server
Your question is not directly related to the post (that was written more than 10 years ago). Better to ask your question on stackoverflow.
Left by Michael freidgeim on Sep 20, 2017 6:48 AM



Copyright © Michael Freidgeim | Powered by: GeeksWithBlogs.net