Hello,

We have a web app that uses a WCF service and uses Active Directories for authentication. We're having a problem with the login process which only occurs if the user enters the right username but wrong password. If this happens, the application just hangs in a state of limbo. It doesn't get through to the service.

On the application side, we have this:

    public static bool Login(HttpContext context, string userID, string password)
    {
        ...

        LoginInfoSend loginInfoSend = new LoginInfoSend()
        {
            UserName = EncryptBase64(userID),
            WebSession = EncryptBase64(context.Session.SessionID),
            Password = password
        };

        string token = client.Login(loginInfoSend);

        ...
    }

On the service side, we have this:

    public string Login(LoginInfoSend loginData)
    {
        ...
    }

We can put breakpoints in the service and log messages, and these both work when the user enters the correct credentials and when the user enters an incorrect username, but not when the user enters the correct username but wrong password.

As we are using Active Directories, we figure IIS must be choking between the point when the application makes the call but before the service gets the call. Personally, I'm not even sure why Active Directories cares about what credentials I enter in since, as I understand it, it gets the credentials of the user who is currently logged into Windows automatically and uses that. I should be able to send anything into Login(), any list of arguments, just like I do with every other service call in the application, and it shouldn't make a difference to IIS. The only reason we're doing it this way is that we want two layers of authentication. We want IIS to authenticate with Active Directories, but we also want to authenticate against the username/password in our database (hence the reason we ask for credentials on the login page). But how does IIS know that the LoginInfoSend object contains the user's credentials and that the password is wrong when it is wrong?