Webservices - basic authentication problem


I'm trying to configure the WebServices-path on a formsauthenticated site to use basic authentication. But I cant get passed the (Windows) login prompt. If I comment out the basicauthenticationsection and get to the forms-loginpage I get in.

<location path="WebServices">
    <!--<episerver.basicAuthentication sendBasicChallenge="true" basicRealm="" />-->

So obviously I have the correct permissions. The httpmodule is configured.
    <add name="BasicAuthentication" type="EPiServer.Security.BasicAuthentication, EPiServer" />

EPiServer CMS 5 R2

Any ideas?


Oct 10, 2008 13:17

I have found a way to get it to work. But is it meant to be done like this?

The WebServices directory in R2 is handled with VirtualPathProviders and is physically the "C:\Program\EPiServer\CMS\5.2.375.7\Application\WebServices" directory. If I add an empty "WebServices" directory in the root of the site-directory and then in the IIS settings change the directory security for the "WebServices" directory. I set authentication mode to be only "Basic authentication" and I set the "Default domain:" to our domain-name. I have to use the WindowsMembership/Role or MultiplexingMembership/Role providers. I can skip the "Default domain" value in the IIS settings if I use the usernameformat=DomainAndName on the WindowsMembershipProvider. I can only log in with a windows account. If I use an SqlMembership account there is not even a request to the server and the BasicAuthentication-module.

Is this how it is meant to be setup. Or is the problem that I am testing it on a domain. Normally the scenario, on a public site with formsauthentication, is that its not on a domain. Will the set up be easier on a server without domain?

Testing on a 2003 server and on my XP. IIS 6 I guess.



Oct 10, 2008 15:01

Problem solved

When installing an EPiServer site the default IIS security settings are:
"Enable anonymous access" - enabled
"Integrated Windows authentication" - enabled

If "Integrated Windows authentication" is enabled the BasicAuthentication module want work. The "DecodeAuthenticationHeader" method in the BasicAuthentication module checks if the authentication-header starts with "Basic", if not it returns false and the user is never validated. If "Integrated Windows authentication" is enabled the authentication-header will start with "Negotiated" and the method will allways return false.

So if I disable "Integrated Windows authentication" on the site level I can use a SqlMemberShipProvider user to call the WebService.

Maybe this is obvious, but it wasn't for me.


Oct 13, 2008 14:07
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.