I have a Winforms app that sends request to an ASP.NET app that is hosted on IIS.
I have Windows authentication enabled and authorization given to a specific domain group.
When I send requests from the browser I'm prompted to log in. If I supply a user that is not in the group, then the prompt just comes up again. If I use a different method of sending requests like httprepl or with Python, I get 401 Unauthorized.
My Winforms app will get 401 Unauthorized if either I don't supply credentials or supply incorrect credentials.
However when I use CredentialCache.DefaultNetworkCredentials, the request from my Winforms returns success with the correct returned content.
But the user I am using is not in the group. Why is it authorizing? Furthermore, when I look at the CredentialCache object, I see no values for user or password. The PreAuthenticate setting seems to not matter either when I use CredentialCache.DefaultNetworkCredentials.
using System.Net;
using System.Net.Http;

// Send the logged-on Windows user's credentials (Kerberos/NTLM) with each request.
HttpClient client = new HttpClient(new HttpClientHandler()
{
    Credentials = CredentialCache.DefaultNetworkCredentials,
    PreAuthenticate = true
});
And if it matters, the application pool identity is not a part of the group either.
It's possible that I ran the application once when the user was in the group, but why would subsequent attempts work even after I removed the user from the group?
I'm using ASP.NET Core 6.0, IIS 7.5, and .NET 7.0 for the Winforms app.
The issue here was that the authorization to the ASP.NET app is dependent on a specific AD group.
Since the original Kerberos ticket does not have this new group membership information, the membership changes I was making didn't have any effect.
For the user group membership to be correctly communicated to the server, a new Kerberos ticket needs to be generated. This can happen if the user were to log off and log back in, or after the ticket expires (8 hours in my case).
So I just logged off and logged back in.
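An added example, not code from the question or the answer above, showing what the server side of this setup looks like and how to see what the authorization decision is actually based on. It assumes an ASP.NET Core app hosted in-process under IIS with Windows authentication, and a hypothetical group name CONTOSO\AppUsers in place of the real one. The /whoami endpoint lists the groups carried in the caller's Windows token, which for Kerberos come from the ticket the client presented, so a membership change made in AD does not show up here until the client obtains a new ticket.

```csharp
using System.Security.Principal;
using Microsoft.AspNetCore.Server.IISIntegration;

var builder = WebApplication.CreateBuilder(args);

// IIS performs Windows authentication; the app consumes the resulting WindowsPrincipal.
builder.Services.AddAuthentication(IISDefaults.AuthenticationScheme);

builder.Services.AddAuthorization(options =>
{
    // Hypothetical group; substitute the real domain group used for authorization.
    options.AddPolicy("InAppGroup", policy => policy.RequireRole(@"CONTOSO\AppUsers"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Protected content: only callers whose token contains the group SID get through.
app.MapGet("/data", () => "protected content").RequireAuthorization("InAppGroup");

// Diagnostic endpoint: shows the identity and group list the server is deciding on.
// The groups are read from the token built from the client's Kerberos ticket (PAC),
// not from a live directory query, so stale membership is visible here.
app.MapGet("/whoami", (HttpContext ctx) =>
{
    if (ctx.User.Identity is not WindowsIdentity wi || wi.Groups is null)
        return Results.Unauthorized();

    var groups = wi.Groups
        .Select(sid =>
        {
            // Translate SIDs to DOMAIN\Name where possible; fall back to the raw SID.
            try { return sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { return sid.Value; }
        })
        .OrderBy(name => name)
        .ToList();

    return Results.Ok(new { wi.Name, wi.AuthenticationType, Groups = groups });
}).RequireAuthorization();

app.Run();
```

Call /whoami from the WinForms client with CredentialCache.DefaultNetworkCredentials before and after the user signs out and back in to confirm that the group list reported by the server changes only once a fresh ticket is presented.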