I have an MVC Application and an associated Web API project that are both hosted on a remote server on IIS. They share the same application pool. Whenever I try to make a call to the Web API from the MVC Application I get a 403 error, which appears to be coming from bad credentials being passed by the HttpClientHandler. I have
UseDefaultCredentials = true
and I have tried setting
Credentials = CredentialCache.DefaultNetworkCredentials
but neither of these allows the API request to go through.
Setting the Application Pool to use my AD Username/Password allows all API requests to go through, and also calling the API directly from Postman returns data properly.
My assumption is that IIS AppPool[Pool Name] is getting forwarded in the request, and the proper credentials are never passed. Is there any way around this without making the API unsecure (i.e. only a couple of domain groups should be able to access it)?
Example of a call I'm making to the API from the MVC application:

    public async Task<HttpResponseMessage> CreateIncident(Incident model)
    {
        // hostUri (the Web API endpoint) is defined elsewhere in the class.
        using (var client = new HttpClient(new HttpClientHandler { UseDefaultCredentials = true }))
        {
            var newIncident = new StringContent(JsonConvert.SerializeObject(model), Encoding.UTF8, "application/json");
            var response = await client.PostAsync(hostUri, newIncident);
            return response;
        }
    }
Without seeing the code it's hard to say. Have you tried without setting the
parameter? I would run Fiddler and compare the request sent by the MVC application and Postman.
Without more information it is hard to say for sure, but the issue is likely due to the double-hop authentication you are attempting.
When I needed to do a similar task, I was unable to get HttpClient to work. I tried a number of suggested solutions from this question, How to get HttpClient to pass credentials along with the request?. While it was informative -- specifically, this portion of BlackSpy's answer explained why:
I ended up using WebClient (with required targeting .NET Framework) with something like this in the MVC application (downloading a file from the web api, in this case):
The requirement to target the full framework prevents this from being a .NET Core solution, but it looks like it has been added since then.
Add WebClient to new System.Net.WebClient contract
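The WebClient approach described in the answer above, as an added example that is not the answerer's code: an MVC 5 action on the full .NET Framework impersonates the Windows-authenticated caller and posts to the API on the same thread, so the caller's identity is sent instead of the application pool's. The controller name, the `Incident` property and the `HostUri` value are assumptions, as is Windows Authentication being enabled on the MVC site; reaching an API on a different machine additionally requires Kerberos delegation.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;
using Newtonsoft.Json;

public class Incident { public string Title { get; set; } }  // hypothetical model shape

public class IncidentController : Controller                  // hypothetical controller name
{
    // Assumed endpoint; replace with the real Web API URI.
    private static readonly Uri HostUri = new Uri("https://api.example.internal/api/incidents");

    [HttpPost]
    public ActionResult Create(Incident model)
    {
        // Fail closed: only forward a real, authenticated Windows caller.
        var caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            return new HttpStatusCodeResult(HttpStatusCode.Unauthorized);

        string json = JsonConvert.SerializeObject(model);
        try
        {
            // Impersonate() swaps the current thread's token for the caller's.
            // WebClient's synchronous methods run on this thread, so
            // UseDefaultCredentials resolves to the caller, not the app pool.
            using (caller.Impersonate())
            using (var client = new WebClient { UseDefaultCredentials = true, Encoding = Encoding.UTF8 })
            {
                client.Headers[HttpRequestHeader.ContentType] = "application/json";
                string body = client.UploadString(HostUri, "POST", json);
                return Content(body, "application/json");
            }   // disposing the impersonation context reverts to the app pool identity
        }
        catch (WebException ex) when (ex.Response is HttpWebResponse)
        {
            // Pass the API's own status through, e.g. 403 when the caller
            // is not in one of the allowed domain groups.
            return new HttpStatusCodeResult(((HttpWebResponse)ex.Response).StatusCode);
        }
    }
}
```

With this in place the API's group-based authorization stays as it is: a 403 now reflects the end user's group membership, not the application pool account's.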
You can find out how to impersonate an already authenticated (Windows) user at this GitHub discussion page: https://github.com/aspnet/Home/issues/1805
ilanc has a really good demo with a link towards the bottom.