Friday, August 26, 2011

Authenticate a Web Service in EPiServer using a SQL Server membership account

I ran into some trouble today, trying to authenticate a web service in EPiServer using a SQL Server membership account. You would think following the steps in the Web Services tech note would be enough. However, the tech note is missing some important information. Therefore I thought I’d create a small overview myself.

Assumptions:

1) You have created a web service in the WebServices folder of your EPiServer website, or you are trying to authenticate one of the built-in web services using a SQL Server membership account.

2) You have configured EPiServer to enable Basic Authentication by adding the BasicAuthentication HTTP module in the <system.web><httpModules> section (for IIS 6) or the <system.webServer><modules> section (for IIS 7) of your web.config file:

<system.webServer>
  <modules ...>
    <add name="BasicAuthentication" type="EPiServer.Security.BasicAuthentication, EPiServer" />
    <!-- Other modules -->
  </modules>
</system.webServer>

3) You have a <location path="WebServices"> section in your web.config file:

<location path="WebServices">
  <episerver.basicAuthentication sendBasicChallenge="true" basicRealm="" />
  <system.web>
    <httpRuntime maxRequestLength="1000000" />
    <authorization>
      <allow roles="Administrators, WebServices" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <handlers>
      <clear />
      <add name="webresources" path="WebResource.axd" verb="GET" type="System.Web.Handlers.AssemblyResourceLoader" />
      <add name="WebServiceHandlerFactory-Integrated" path="*.asmx" verb="GET,HEAD,POST,DEBUG" type="System.Web.Services.Protocols.WebServiceHandlerFactory, System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" modules="ManagedPipelineHandler" scriptProcessor="" resourceType="Unspecified" requireAccess="Script" allowPathInfo="false" preCondition="integratedMode" responseBufferLimit="4194304" />
      <add name="wildcard" path="*" verb="*" type="EPiServer.Web.StaticFileHandler, EPiServer" />
    </handlers>
  </system.webServer>
</location>

4) You have created a group called WebServices in EPiServer admin mode and have added a SQL membership user to this group. This is the user you want to authenticate your web service with.

5) You have disabled integrated authentication and basic authentication in IIS.

So, what’s the problem?

If you test your web service in a browser (http://localhost/WebServices/MyWebService.asmx), you should get a Windows login dialog instead of being redirected to the http://localhost/util/login.aspx page. Awesome! This means that you’ve configured everything correctly.

Now if you’re unlucky like me, you will get an unauthorized message when trying to log on using the web service user you created in step 4. So you go over your configuration again and again and again. But everything looks correct…

What the tech note fails to mention is that your web service user also has to be added to the list of web service users under “Permissions to functions” in Admin mode.

So, add the user and voilà!
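To tell these situations apart without clicking through a browser, here is a small probe I'm adding to this post (my own script, not from the tech note or EPiServer). It requests the .asmx page once without credentials and once with them, and maps the response to the states described above; the URL and the test account in the main block are placeholders you replace with your own.

```python
import base64
import urllib.error
import urllib.request

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 302 as an error so a forms-login redirect stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def diagnose(status, headers, sent_credentials):
    """Map an HTTP response to the situations described in the post.

    headers may be a plain dict or an http.client.HTTPMessage."""
    location = headers.get("Location", "") or ""
    challenge = headers.get("WWW-Authenticate", "") or ""
    if status in (301, 302) and "login.aspx" in location.lower():
        return "forms-login redirect: BasicAuthentication module not active for this path"
    if status == 401 and not sent_credentials:
        if challenge.lower().startswith("basic"):
            return "basic challenge: configuration OK, retry with credentials"
        return "401 without Basic challenge: check sendBasicChallenge and the IIS auth settings"
    if status == 401 and sent_credentials:
        return ("credentials rejected: user not in an allowed role, or missing under "
                "'Permissions to functions' in Admin mode")
    if status == 200:
        return "OK: request authenticated"
    return f"unexpected status {status}"

def probe(url, user=None, password=None, timeout=10):
    """GET the .asmx page once and return the diagnosis string."""
    req = urllib.request.Request(url, method="GET")
    if user is not None:
        # Basic auth is only base64, not encryption, so probe over HTTPS where possible.
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        req.add_header("Authorization", "Basic " + token)
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return diagnose(resp.status, resp.headers, user is not None)
    except urllib.error.HTTPError as err:
        return diagnose(err.code, err.headers, user is not None)

if __name__ == "__main__":
    # Placeholder site and test account; replace with your own values.
    target = "http://localhost/WebServices/MyWebService.asmx"
    print(probe(target))
    print(probe(target, "wsuser", "secret"))
```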