401 Errors accessing PSI via ASP.NET

[ps213]

I have an ASP.NET app running on IIS instance A which talks to the PSI on IIS
instance B. The application requires the user to be authenticated using
Windows authentication.
At the interface with PS2007 the application instantiates an instance of the
Resource web service and sets the credentials to the default credentials in
the cache as per all the code samples.
When the application is run on the machine A the call through to PS 2007
works correctly. However, if a user invokes the application from another
machine the call fails with a 401 error even though the credentials available
at the call to the PSI are those of the authenticated user.
If the ASP.NET application is deployed to Server B - that is, local to the
PS 2007 insatllation - all authenticated users are able to use the
application successfully.
Hardwiring the credentials of a user with access to the PS2007 server allows
the web application to be available to all authenticated users from any
machine.
I cant for the life of me see why this is not working but doubtless there is
a simple explanation! I have tried all the usual workarounds, including
impersonation etc.

Can anyone put a finger on what I'm missing here?

Thanks!!

Paul

 

[ps213]

Found an old post from Jim Corbin which mentions the 2-Hop problem in
conjunction with a similar report:

"This looks like a 2-hop problem. IIS strips the Windows credentials from a
remote request when the ASP.NET app sends a SOAP request to Project Server
logon. The way around it is to configure Kerberos security. Search for
"Kerberos delegation" in MSDN, or in Windows Server 2003 help. You'll need
to be a domain admin."

Jim: does this sounds like a sound diagnosis for the problem I described?

Thanks

Paul

 

[Jim Corbin [MSFT]]

Paul,

Sorry for the delay. See "Account Security and 401 Errors" in (
http://msdn2.microsoft.com/en-us/library/bb428835.aspx#pj12_ImpersonationWeb_AccountSecurity )
.. Try adding the user accounts to the SSP, as described in the article:

stsadm -o editssp -title SharedServices1 -setaccounts "domain\user1,
domain\user2"

--Jim

 

[Gizmo Gizmo]

Hi,

I have also encountered this problem in a setup as yours Paul ...

Users accessing my webservice installed on the application server. The
webservice trying to login the impersonated user (the calling user) to
Project via the url
http://webserver/Projectserver/_vti_bin/PSI/LoginWindows.asmx

The error project throws is "401 Unauthorized".

If I install the webservice on the webserver (where PWA is) it works fine ...

Jim - I did try to add one user into the process account for the SSP as
described in the article you pointed out but still 401 error I am afraid.

Also, the solution in the article
(http://msdn2.microsoft.com/en-us/library/bb428835.aspx#pj12_ImpersonationWeb_AccountSecurity)
is about 401 access denied error. Don't know if this differs ...

The article describing how to run the application under a certain account
with elevated project permissions and impersonation the calling user for some
operations.

This is not what I am trying to acceive, and I wonder this is what Paul is
trying to acheive eighter.

I want all the calls to project server to be done with the identity of the
user calling my webservice. Thus I have enabled impersonation in web.config
<identity impersonate="true"> and are running the webservice with
DefaultAppPool that has identity "Network Service".

I wonder if this is not a double-hop problem after all. Problem is that I
really don't now how to fix it. Did you get around this problem Paul? And do
you have any more thoughts on this problem Jim?

Thanks,
Owe