Do you recognize this situation?
Your web service is correctly configured. SPNs have been set, delegation is covered, and you can read the WSDL from a computer in the domain. But access to the web service is denied as soon as you connect from a computer outside of the domain. Visual Studio or Internet Explorer asks repeatedly for your credentials. You are absolutely sure that you provided the correct username and password, but Internet Explorer gives you a blank page, without any clue about the problem. And Visual Studio keeps asking for your credentials again and again and again…
This was the situation I had last week. It took some time to hunt this one down.
The Security Log in the Event Viewer of the server showed me the following list:
And the details of the Audit Failure showed the following information:
Obviously, the credentials were correct. But why was my user account not allowed to log on? A search on the internet pointed me in the right direction.
In Active Directory there is an attribute User-Workstations that contains a list of computer names from which a user can log on. This is a per-user setting. In my case, this list was composed of all server names in the domain, so my own laptop was excluded. After adding my laptop everything worked like a charm!
The attribute can be edited (or cleared) using the Active Directory Users and Computers snap-in. Browse to the user and open the properties. Open the Account tab and click the Log On To button:
This opens a list with all computer names from which a user can log on.
Add your computer name or select All computers to clear the list. Now you should be able to call your web service from a computer outside the domain.
This is not the whole story. It is possible that, after a while, the list of computers magically fills up with all server names again! If this happens, then you are probably dealing with Microsoft Essential Business Server. This server requires a CAL to be assigned to each user. A recurring process checks this requirement, and every user who does not have a CAL assigned is restricted to logging on to servers only, not workstations. For more information about managing the CALs, see this article on TechNet.
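The same check and change can be scripted, which also makes it easy to notice when the list has been refilled. The following is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the account name `jdoe` and computer name `LAPTOP01` are constructed placeholders. The module exposes the User-Workstations attribute (LDAP name `userWorkstations`) as `LogonWorkstations`, a comma-separated string.

```powershell
Import-Module ActiveDirectory

function Get-LogonWorkstationList {
    param([Parameter(Mandatory)][string]$Identity)
    # Empty or missing value corresponds to "All computers" in the GUI.
    $user = Get-ADUser -Identity $Identity -Properties LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($user.LogonWorkstations)) { return @() }
    return @($user.LogonWorkstations -split ',' |
             ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-LogonWorkstationAllowed {
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$ComputerName)
    $list = @(Get-LogonWorkstationList -Identity $Identity)
    # No list means no restriction; -contains compares case-insensitively.
    return ($list.Count -eq 0) -or ($list -contains $ComputerName)
}

function Add-LogonWorkstation {
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$ComputerName)
    $list = @(Get-LogonWorkstationList -Identity $Identity)
    # Nothing to do if the account is unrestricted or already lists the host.
    if ($list.Count -eq 0 -or $list -contains $ComputerName) { return }
    # Append one host and keep the existing restriction in place,
    # instead of clearing the attribute for the whole account.
    Set-ADUser -Identity $Identity -LogonWorkstations (($list + $ComputerName) -join ',')
}

$laptop = 'LAPTOP01'   # constructed computer name

# Report every account that carries a workstation restriction and whether
# it currently permits a logon from $laptop. Re-run later to see whether
# a recurring process has rewritten the list.
Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
    Select-Object SamAccountName,
        @{ n = 'AllowsLaptop'; e = { ($_.LogonWorkstations -split ',').Trim() -contains $laptop } },
        LogonWorkstations

# Check one account and add the laptop only if it is currently excluded.
if (-not (Test-LogonWorkstationAllowed -Identity 'jdoe' -ComputerName $laptop)) {
    Add-LogonWorkstation -Identity 'jdoe' -ComputerName $laptop
}
```

To remove the restriction entirely, the equivalent of selecting All computers is `Set-ADUser -Identity jdoe -Clear userWorkstations`.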
There might be other reasons that you cannot access a web service from outside a domain. However, you can add this situation to your checklist!