GetListItems /_vti_bin/Lists.asmx Authentication Issue

Question

I am calling /_vti_bin/Lists.asmx op=GetListItems in SharePoint 2013 using JAX-WS.

If I browse the using the browser at <site>/sites/subsite/subsite/Lists.asmx?wsdl (Get) it will ask for a username / password.

If I call the same web service in a java app using JAX-WS (Post), it will allow the request and return a list of items (using an anonymous account). I'm expecting the web service to return 401 unauthorized and issue a challenge instead of serving the request.

I've scoured the documentation and we're guessing that the domain account of the host machine is being used as the authenticated user, but we have no proof yet since if we try to browse the SharePoint site using a browser on the same machine, it prompts for a username and password.

We're gonna try to sniff the HTTP traffic via Fiddler and see what's going on and try to see if we can request the IIS logs from SharePoint (we don't administer the SharePoint site).

I'm checking here if any SharePoint experts might have a clue as to what is happening.

Answer 1

It was a java quirk on how it does NTLM authentication. If challenged by a server, it will try to first use the host machine's user and credentials, if that is accepted, it will not use the custom Authenticator set as default. The workaround is to run the java program from a local user instead since the host machine in this case is part of the Active Directory users that the SharePoint server recognise.

Answer 2

You can follow below link to check if Anonymous access is enabled on your site.

https://support.cloudshare.com/hc/en-us/articles/200701115-How-to-Enable-Anonymous-Access-to-a-SharePoint-2013-site.

Also if you visit /sites/subsite/subsite in browser is it asking you for username and password, if Yes then you need to check in IE settings whether integrated windows authentication is enabled or not.