windows authentication uses guest
From: Roger Miller (rogerm_at_gasullivan.com)
Date: Thu, 26 Jun 2003 14:48:17 -0500
My problem is I can't get authentication to fail like I think it should.
I've got a fat client using web services on Windows 2000. Initially to
access the web services, we attempt to use the default credentials. If this
fails (we have some cross domain scenarios), we prompt the user to provide a
username/password. We set the web reference's credentials to a new
credential object we create, and (if successful) use these credentials for
all future access.
My problem is this... when I supply bogus credentials, it's not failing
authentication. I have anonymous off in IIS (for this virtual directory)
and integrated windows authentication on; also my web config sets windows
authentication; so I expect a 401: Access denied error.
Instead it apparently works and goes into my
windowsAuthentication_onAuthenticate method in the global.asax. Looking at
the user there, the identity is "servername\guest".
There are a few strange circumstances.
1) I'm in development, so both my client and web service are sitting on the
2) As such, I'm running in a single domain.
3) Since I would authenticate, I've commented out the lines (client side)
that try to authenticate with the default user and go straight into my
4) The other odd thing is that if I supply valid user credentials, the
identity is correct; if I supply one with a bogus domain, I get the "Access
Denied" error I expect.
It could be a testing artifact, but it makes me very nervous. Any thoughts
on what's wrong and why I get servername\guest as the identity?