IIS 7 and Above
Set up a Web service with basic authentication and LocalService calls
Last post Oct 09, 2017 08:32 AM by Yuk Ding
Oct 05, 2017 07:02 AM | jcinstaller
Is it possible to configure a web service so that you need basic authentication but it allows the "NT AUTHORITY\LocalService" account too? It's an MVC application deployed on IIS 8.5, all the site's authentication is basic (already working) and it's located in 'Default web site/app/WebServices/ws.asmx'.
I've tried writing a PowerShell (v4) script retrieving my credentials:
$Username = "user"
$Password = "password" | ConvertTo-SecureString -AsPlainText -Force
$Url = "http://localhost/app/WebServices/ws.asmx"
$UserCreds = New-Object System.Management.Automation.PSCredential($Username, $Password)
$proxy = New-WebServiceProxy -Uri $url -Credential $UserCreds
$response = $proxy.Method("Param")
Is there a way to do the same but allowing "NT AUTHORITY\LocalService" account to call only the web service? Then I think I could get its credentials with this code and use them instead of mine:
$Username = "NT AUTHORITY\LocalService"
$Password = "anything" | ConvertTo-SecureString -AsPlainText -Force
I can't remove basic authentication though.
Oct 06, 2017 02:57 AM | Yuk Ding
Why do you want to use a managed account for authentication? I didn't find any document about how to set the password for accounts like network service or local service. Using a managed account for authentication is not a good idea while it has higher permissions than network service.
The password of local service is blank. So if you need to use LocalService, maybe you could try the password $Password = "password", while this link says that it would ignore any password: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684188(v=vs.85).aspx
Oct 06, 2017 06:54 AM | jcinstaller
Thanks for your reply. This web service is used to run periodic processes in an application, and is called from an external program the customer uses to manage all their periodic tasks. When we developed the application it used Windows-based authentication, and the account set up with the external app was enough, but we were asked to change the authentication of our application to basic. We had the periodic task disabled, and we didn't test its authentication.
Now, when we've tried to enable the call from the external program, it obviously asks for a user/password. In order to avoid creating a specific domain user for this particular case, I thought of adding a scheduled task on the server to run a PowerShell script, and adding to the script the code to call the web service. This is why I've considered the possibility of using an existing local account, as I only want it to call the web service. I thought it would be simple to set up and if the account has minimum privileges it would not represent a security risk.
I guess the easiest way would be to create a domain account, disabling its password expiration, and use it in the customer's app to call the web service, but I'd like to try an approach that doesn't involve adding an account. (It seems no other task has required something like this.)
Thanks for your help
Oct 09, 2017 08:32 AM | Yuk Ding
I'm not sure whether an approach without adding an account is available. LocalService should be unavailable for basic authentication. Maybe you could consult the WCF forum for another solution instead.
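Added example, not part of any post in this thread: a sketch of the scheduled-task script discussed above, with the Basic authentication credential kept out of the script text by storing it DPAPI-encrypted with Export-Clixml. The path in $CredFile and the -Setup switch are assumptions made for illustration; the URL and the Method("Param") call are the ones from the question.

```powershell
# Added example. $CredFile and -Setup are hypothetical; the URL and
# Method('Param') come from the thread.
param([switch]$Setup)

$CredFile = 'C:\Scripts\ws-cred.xml'   # hypothetical path; limit NTFS access to the task account
$Url      = 'http://localhost/app/WebServices/ws.asmx'

if ($Setup) {
    # One-time step, run interactively AS the account the scheduled task runs under.
    # Export-Clixml protects the password with DPAPI, so the file can only be
    # decrypted by this same user on this same machine.
    Get-Credential -Message 'Account allowed to call ws.asmx' |
        Export-Clixml -Path $CredFile
    return
}

try {
    if (-not (Test-Path -LiteralPath $CredFile)) {
        throw "Credential file '$CredFile' not found; run this script with -Setup first."
    }

    # Restores a PSCredential; fails if run as a different user or on another host.
    $cred = Import-Clixml -Path $CredFile

    # Basic authentication only base64-encodes user:password. The loopback URL
    # above never leaves the server; use https for any non-local endpoint.
    $proxy    = New-WebServiceProxy -Uri $Url -Credential $cred
    $response = $proxy.Method('Param')

    Write-Output "Web service call succeeded: $response"
}
catch {
    # A non-zero exit code makes the failure visible in Task Scheduler history.
    Write-Error "Web service call failed: $($_.Exception.Message)"
    exit 1
}
```

Because the credential file is bound to one user profile, the scheduled task must run under the same account that performed the -Setup step.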