"401: Access Denied" when you call a webservice in your webpart

    I recently ran into a big problem while working on my ListAggregation webpart. The webpart needs to pull some list data from a remote WSS site into my local WSS site; the two servers are not in the same domain, and both use NTLM credentials. So I decided to use the lists.asmx webservice to finish this task. In my webpart, I used System.Net.CredentialCache.DefaultCredentials to get the webservice credential, but when I deployed my webpart to my site, I got the error "The request failed with HTTP status 401: Access Denied." I really had no idea about this exception, but the error info indicated a permission problem, and after much googling I realised it is the security issue known as "double-hop". The "double-hop" issue arises "if your webservice exists on another server than your SPS the client sends its credentials to the SPS-server (first hop) which tries to forward the credentials to the webservice server (2nd hop)" (quoted from http://msmvps.com/obts/archive/2005/01/18/33146.aspx).

    Fortunately, I found that there are several approaches that can handle the "double-hop" issue:
    1. Give a specific credential. To do this, you need to create a NetworkCredential instance and pass the specific "name", "password" and "domain" as the parameters.
    2. Enable delegation. Take a look at this for more detail.
    3. Create a COM+ component to encapsulate the required functionality; refer to this article.
    4. Basic Authentication (you need to use HTTPS for security reasons).

    I recommend the first method. It is not so secure when you store your alias and password in the web.config, but you can encrypt the userName and password and store them in the registry; you then need some configuration steps to read the encrypted info. To accomplish this, please refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;329290. As for why I don't want to use the second and third methods: about the second method, just as Nunos said, "You'll need to ask a domain admin to do this and normally they don't really like to accept this type of request". And about the third method, I think it is doable, but it takes more work and is hard to deploy.
    Hope this helps.
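
The first approach, as an added example that is not code from the original post: it calls lists.asmx with an explicit NetworkCredential bound to one site prefix and to NTLM only, instead of DefaultCredentials. The site URL, account name, domain and the LISTS_SVC_PASSWORD environment variable are placeholders assumed for illustration; the password source stands in for the encrypted registry storage the post recommends.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;

static class ListsClient
{
    const string Action = "http://schemas.microsoft.com/sharepoint/soap/GetListCollection";
    const string Envelope =
        "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body>" +
        "<GetListCollection xmlns=\"http://schemas.microsoft.com/sharepoint/soap/\" />" +
        "</soap:Body></soap:Envelope>";

    // Build the SOAP request with an explicit credential instead of DefaultCredentials.
    public static HttpWebRequest Build(Uri site, NetworkCredential account)
    {
        // Bind the credential to this site prefix and to NTLM only, so it is never
        // offered to another host or used to answer a Basic (cleartext) challenge.
        CredentialCache cache = new CredentialCache();
        cache.Add(site, "NTLM", account);

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(new Uri(site, "_vti_bin/lists.asmx"));
        req.Method = "POST";
        req.ContentType = "text/xml; charset=utf-8";
        req.Headers.Add("SOAPAction", "\"" + Action + "\"");
        req.Credentials = cache;
        req.AllowAutoRedirect = false; // do not follow a redirect with this request
        return req;
    }

    public static string GetListCollection(Uri site, NetworkCredential account)
    {
        HttpWebRequest req = Build(site, account);
        byte[] body = Encoding.UTF8.GetBytes(Envelope);
        using (Stream s = req.GetRequestStream()) s.Write(body, 0, body.Length);
        using (WebResponse resp = req.GetResponse())
        using (StreamReader r = new StreamReader(resp.GetResponseStream()))
            return r.ReadToEnd();
    }

    static void Main()
    {
        // Placeholders: site URL (trailing slash required), account, domain, variable name.
        string pw = Environment.GetEnvironmentVariable("LISTS_SVC_PASSWORD");
        if (pw == null) { Console.Error.WriteLine("LISTS_SVC_PASSWORD is not set"); return; }
        Uri site = new Uri("https://wss.example.test/sites/team/");
        Console.WriteLine(GetListCollection(site, new NetworkCredential("svc_listreader", pw, "EXAMPLEDOM")));
    }
}
```

Give the account used here read access to the remote lists only, since anyone who can read its stored password can act as that account on the remote site.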

Reposted from: https://www.cnblogs.com/fengzhimei/archive/2005/08/03/206895.html
