I have some code that calls the TFS API and returns team meta data. (e.g. team names, area paths, etc.) The code works fine locally in Visual Studio ASP.NET MVC project, but fails whenever I deploy to the server.
What I have tried that didn't work:
I granted the AppPool user account Full control to the registry key (did not work)
Also, tried granting Everyone Full Control to the registry key (still did not work)
Any insight into how to set up the correct permissions of configuration for IIS deployed apps to hit the TFS API would be greatly appreciated. (error message below)
Here's the Error message the app produces:
System.UnauthorizedAccessException
Access to the registry key 'HKEY_CURRENT_USER\Software\Microsoft\VSCommon\12.0\ClientServices\TokenStorage\VisualStudio' is denied.
System.UnauthorizedAccessException: Access to the registry key 'HKEY_CURRENT_USER\Software\Microsoft\VSCommon\12.0\ClientServices\TokenStorage\VisualStudio' is denied.
at Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str)
at Microsoft.Win32.RegistryKey.CreateSubKeyInternal(String subkey, RegistryKeyPermissionCheck permissionCheck, Object registrySecurityObj, RegistryOptions registryOptions)
at Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck, RegistryOptions options)
at Microsoft.VisualStudio.Services.Common.TokenStorage.RegistryTokenStorageHelper.GetRootKey(String subkeyName)
at Microsoft.VisualStudio.Services.Common.TokenStorage.RegistryTokenStorage.RetrieveToken(VssTokenKey tokenKey)
at Microsoft.TeamFoundation.Client.TfsClientCredentialStorage.RetrieveToken(Uri serverUrl, VssCredentialsType credentialType)
at Microsoft.TeamFoundation.Client.CookieCredential.OnCreateTokenProvider(Uri serverUrl, HttpWebResponse response)
at Microsoft.TeamFoundation.Client.IssuedTokenCredential.CreateTokenProvider(Uri serverUrl, HttpWebResponse response, IssuedToken failedToken)
at Microsoft.TeamFoundation.Client.TfsClientCredentials.TryGetTokenProvider(Uri serverUrl, IssuedTokenProvider& provider)
at Microsoft.TeamFoundation.Client.Channels.TfsHttpRequestHelpers.PrepareWebRequest(HttpWebRequest webRequest, Guid sessionId, String operationName, CultureInfo cultureInfo, TfsRequestSettings settings, TfsClientCredentials credentials, IdentityDescriptor impersonate, IssuedToken& currentToken, IssuedTokenProvider& tokenProvider)
at Microsoft.TeamFoundation.Client.Channels.TfsHttpRequestHelpers.CreateSoapRequest(Uri requestUri, Guid sessionId, String soapAction, String operationName, CultureInfo cultureInfo, TfsRequestSettings settings, TfsClientCredentials credentials, IdentityDescriptor impersonate, IssuedToken& currentToken, IssuedTokenProvider& tokenProvider)
at Microsoft.TeamFoundation.Client.Channels.TfsHttpWebRequest.CreateWebRequest()
at Microsoft.TeamFoundation.Client.Channels.TfsHttpWebRequest.SendRequest()
at Microsoft.TeamFoundation.Client.Channels.TfsHttpRequestChannel.Request(TfsMessage message, TimeSpan timeout)
at Microsoft.TeamFoundation.Client.Channels.TfsHttpClientBase.Invoke(TfsClientOperation operation, Object[] parameters, TimeSpan timeout, Object[]& outputs)
at Microsoft.TeamFoundation.Framework.Client.RegistrationProxy.GetRegistrationEntries(String toolId)
at Microsoft.TeamFoundation.Framework.Client.RegistrationService.RefreshMemoryCache()
at Microsoft.TeamFoundation.Framework.Client.RegistrationService.Microsoft.TeamFoundation.Server.IRegistration.GetRegistrationEntries(String toolId)
at Microsoft.TeamFoundation.Framework.Client.IdentityManagementService..ctor(TfsConnection tfsBase)
at Microsoft.TeamFoundation.Framework.Client.IdentityManagementService2..ctor(TfsConnection tfsBase)
at Microsoft.TeamFoundation.Client.TfsConnection.CreateInternalProxy(Type serviceType)
at Microsoft.TeamFoundation.Client.TfsConnection.GetServiceInstance(Type serviceType, Object serviceInstance)
at Microsoft.TeamFoundation.Client.TfsConnection.GetService(Type serviceType)
at Microsoft.TeamFoundation.Client.TfsConnection.GetService[T]()
at Microsoft.TeamFoundation.Client.TfsTeamService.QueryTeams(String projectId)
I have been having the same problem and have solved it by setting the "Load User Profile" in IIS application pool settings to True.
I don't know if this is some new dependency in TFS 2013 or whether IIS 8.5 has changed the default, but this fixes it for me.
I ran into this same issue, but setting Load User Profile to TRUE didn't work for me. What did eventually work was going into the registry and adding a "HKCU\Software\Microsoft\VSCommon\12.0\ClientServices" key for the appropriate user(s). Apparently the TFS assemblies get a little cranky when you try to use them on systems without Visual Studio installed on them.
Credit goes to whoever added this information to http://msdn.developer-works.com/article/12173562/After+upgrade+from+TFS+2010+to+TFS+2013+the+soap+notifications+stop+working.
We had this issue and setting the "Load User Profile" in IIS application pool settings to True worked for us. But then the same issue came back and we found setting "Load User Profile" in IIS application pool settings to False fixed the issue once again. So it appears to me that it is the toggling of this setting that is fixing something rather than the actual value it is set to. No matter what "Load User Profile" in IIS application pool is set to, I would try toggling it to the opposite value, refresh the application pool and see if that helps. If anyone tracks down the root cause of this please share.
Related
I have two domains A and B, with a user Administrator in each. Both admins have different objectGuids, SIDs and passwords. There's an IIS 8.5 in B configured with Windows Authentication (Methods Negotiate/NTLM, Extended Security disabled, Kernel mode auth enabled). Domain B trusts domain A (one-way trust).
When I now open IE as A\administrator, and connect to the IIS in B, the IIS returns to me that the user logged in is B\administrator (should be A\administrator).
This is my code:
public class UserController : ApiController
{
// GET api/<controller>
public User Get()
{
var usr = ((WindowsIdentity)User.Identity).User;
return new User() {
Name = User.Identity.Name,
SID = usr==null?"":usr.ToString()
};
}
}
Also, the same is in the IIS log:
2018-05-07 09:19:10 172.17.41.31 GET /winauthtest/User - 80 B\Administrator 172.17.42.11 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+10.0;+WOW64;+Trident/7.0;+.NET4.0C;+.NET4.0E) - 404 0 2 31
Is this intended behaviour or a bug, and if it's a bug, where to report the bug?
Can I fix it by changing Windows Authentication settings, or what else could I do about it?
Do you know any other possibility to get the true SID of the user that is accessing my IIS?
OMG, I had the same problem and your problem gave me a hint as to why this is happening. So, running my project in Chrome gives me the wrong domain, while opening in Edge gives me the correct domain. I have my project set up using Windows Authentication and it seems Chrome is in some way blocking Windows Authentication.
This link gives more info.
https://specopssoft.com/blog/configuring-chrome-and-firefox-for-windows-integrated-authentication/
In the end, another of my coworker had the same issue and we couldn't fix it properly. It would misbehave randomly. The only solution that seemed to work was restarting the PC.
I am trying to create a local workspace so I can map it to VisualStudio online account. Here is the command I am trying to run.
tf workspace -new -login:"Windows Live ID"\user,pass -collection:https://shaggyinjun.visualstudio.com/DefaultCollection
For some reason I am seeing an error. The command does have a domain/user,pass. What is this new username and password it is asking me for ?
Federated authentication to this server requires a username and password.
Apparantly this is issue is caused even when using java clients. Here is what Visual Studio Online has to say for it's questionable behavior.
Alternate authentication credentials
Some applications that work outside the browser (including Team Explorer Everywhere
command line client and the git-tf utility) require basic authentication credentials.
Other applications do not properly handle using an e-mail address for the user name
during authentication.
To work with these applications, you need to enable alternate credentials, set a
password, and optionally set a secondary user name not in the form of an e-mail address. > Please note that alternate credentials cannot be used to sign in to the service from a web
browser or outside of these applications.
Here is another question that I posted and was shot down. Just documenting here for future reference
I am able to login using my Visual Studio online credentials via the CLC, but When I try to do the same with a java program, I get an Authentication exception. Is there anything special that needs to be done for Java and / or Visual Studio Online ?
Java Code
public static final String NATIVE_LIBS_SYSTEM_PROPERTY = "com.microsoft.tfs.jni.native.base-directory";
public void connect() {
System.setProperty(NATIVE_LIBS_SYSTEM_PROPERTY, TFS_NATIVE_LIBS_HOME);
Credentials credentials = new UsernamePasswordCredentials("Windows Live ID\\user", "password");
TFSConnection connection = null;
try {
connection = new TFSConfigurationServer(new URI("https://shaggyinjun.visualstudio.com/DefaultCollection"), credentials);
connection.authenticate();
} catch (URISyntaxException ex) {
Exceptions.printStackTrace(ex);
}
}
}
Exception
com.microsoft.tfs.core.ws.runtime.exceptions.UnauthorizedException: Authorization failure connecting to 'https://shaggyinjun.visualstudio.com/DefaultCollection/TeamFoundation/Administration/v3.0/LocationService.asmx' (authenticating as Windows Live ID\user)
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequestInternal(SOAPService.java:709)
at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequest(SOAPService.java:473)
at ms.ws._LocationWebServiceSoap12Service.connect(_LocationWebServiceSoap12Service.java:384)
at com.microsoft.tfs.core.clients.framework.location.internal.LocationWebServiceProxy.connect(LocationWebServiceProxy.java:70)
Caused: com.microsoft.tfs.core.exceptions.TFSUnauthorizedException: Access denied connecting to TFS server https://shaggyinjun.visualstudio.com/ (authenticating as Windows Live ID\venkatram.akkineni#gmail.com)
at com.microsoft.tfs.core.exceptions.mappers.TECoreExceptionMapper.map(TECoreExceptionMapper.java:75)
at com.microsoft.tfs.core.exceptions.mappers.LocationExceptionMapper.map(LocationExceptionMapper.java:32)
at com.microsoft.tfs.core.clients.framework.location.internal.LocationWebServiceProxy.connect(LocationWebServiceProxy.java:76)
at com.microsoft.tfs.core.clients.framework.location.LocationService.connect(LocationService.java:754)
at com.microsoft.tfs.core.clients.framework.location.LocationService.authenticate(LocationService.java:928)
at com.microsoft.tfs.core.TFSConnection.authenticate(TFSConnection.java:748)
at org.netbeans.modules.libswrapper.Installer.restored(Installer.java:54)
at org.netbeans.core.startup.NbInstaller.loadCode(NbInstaller.java:471)
[catch] at org.netbeans.core.startup.NbInstaller.loadImpl(NbInstaller.java:394)
at org.netbeans.core.startup.NbInstaller.access$000(NbInstaller.java:105)
at org.netbeans.core.startup.NbInstaller$1.run(NbInstaller.java:346)
at org.openide.filesystems.FileUtil$2.run(FileUtil.java:447)
at org.openide.filesystems.EventControl.runAtomicAction(EventControl.java:127)
at org.openide.filesystems.FileSystem.runAtomicAction(FileSystem.java:609)
at org.openide.filesystems.FileUtil.runAtomicAction(FileUtil.java:431)
at org.openide.filesystems.FileUtil.runAtomicAction(FileUtil.java:451)
at org.netbeans.core.startup.NbInstaller.load(NbInstaller.java:343)
at org.netbeans.ModuleManager.enable(ModuleManager.java:1194)
at org.netbeans.ModuleManager.enable(ModuleManager.java:1017)
at org.netbeans.core.startup.ModuleList.installNew(ModuleList.java:340)
at org.netbeans.core.startup.ModuleList.access$2400(ModuleList.java:118)
at org.netbeans.core.startup.ModuleList$Listener.stepEnable(ModuleList.java:1409)
at org.netbeans.core.startup.ModuleList$Listener.access$1400(ModuleList.java:1007)
at org.netbeans.core.startup.ModuleList$Listener$1.run(ModuleList.java:1231)
at org.openide.filesystems.EventControl.runAtomicAction(EventControl.java:127)
at org.openide.filesystems.FileSystem.runAtomicAction(FileSystem.java:609)
at org.netbeans.core.startup.ModuleList$Listener.run(ModuleList.java:1207)
at org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:1423)
at org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:2033)
If you're connecting to visualstudio.com from the cross-platform command line client, you need to set up and use "alternate credentials".
You cannot use a Microsoft Account (Live ID) because - crazy as it sounds - that only works by supplying passwords to that web page and we cannot rely on a web browsers existence on many platforms.
I've been having an issue with registration using the Visigo.Sharepoint.FormsBasedAuthenticaiton web parts. Some of the time there is an Unknown Error display and sometimes it goes through fine, which led me to believe it has something to do with one of the servers in the farm. So I went to the directly to the login page on server1 and everything was fine and the when I went to the login page on server2 I get an Error page that just says File Not Found.
I looked into the logs using the Correlation ID provided on the error screen and came across this which seems to point to the PasswordRecoveryWebPart being the issue.
System.IO.FileNotFoundException: The Web application at http://site2/pages/login.aspx could not be found. Verify that you have typed the URL correctly. If the URL should be serving existing content, the system administrator may need to add a new request URL mapping to the intended application.
at Microsoft.SharePoint.SPSite..ctor(SPFarm farm, Uri requestUri, Boolean contextSite, SPUserToken userToken)
at Microsoft.SharePoint.SPSite..ctor(String requestUrl)
at Visigo.Sharepoint.FormsBasedAuthentication.Utils.GetMembershipProvider(HttpContext context)
at Visigo.Sharepoint.FormsBasedAuthentication.PasswordRecoveryWebPart.AddPasswordRecoveryControl()
at Visigo.Sharepoint.FormsBasedAuthentication.PasswordRecoveryWebPart.CreateChildControls()
at System.Web.UI.Control.EnsureChildControls()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Control.PreRenderRecursiveInternal()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
I started comparing the FBA layouts and feature files on both servers and don't see anything that is missing. I'm not sure what to look at next and what any possible remedies would be. Thanks.
Update
Based on a question below, I've been trying to login to the second server so that I can go to the Site Settings page and look at the FBA User Management information. Since my login page is the same as the registraiton page and therefore on the second server is erroring out I created a new page with just the custom login webpart on it. Unfortuantely I can't seem to login when accessing the second server directly and get these errors in the logs for it.
SPSecurityTokenService.Issue() failed: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateFormsAuthProviderNames(Uri context, String membershipProvider, String roleProvider)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.SetProviderNames(RequestSecurityToken request)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsPrincipal principal, RequestSecurityToken request)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken request)
Request for security token failed with exception: System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Object reference not set to an instance of an object. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.ValidateFormsAuthProviderNames(Uri context, String membershipProvider, String roleProvider)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo.SetProviderNames(RequestSecurityToken request)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.SPRequestInfo..ctor(IClaimsPrincipal principal, RequestSecurityToken request)
at Microsoft.SharePoint.IdentityModel.SPSecurityTokenService.GetTokenLifetime(Lifetime requestLifetime)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Issue(IClaimsPrincipal principal, RequestSecurityToken r...)
System.ServiceModel.FaultException`1[[System.ServiceModel.ExceptionDetail, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]: Object reference not set to an instance of an object.
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForFormsAuthentication(Uri context, String membershipProviderName, String roleProviderName, String username, String password, Boolean isPersistent)
at Microsoft.SharePoint.IdentityModel.SPClaimsUtility.AuthenticateFormsUser(Uri context, String userName, String password)
at UHPS.Login.Login.loginControl_Authenticate(Object sender, AuthenticateEventArgs e)
at System.Web.UI.WebControls.Login.AttemptLogin() at System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e)
at System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
I'm not sure why the end result is a file not found exception, but considering that the error's occurring at GetMembershipProvider, my guess is that the membership provider has not been configured on the one server that's giving the error.
The membership provider entries have to exist in the web application's web.config on each SharePoint server. Instructions on configuring the membership provider are here:
http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
Does anyone have any ideas as to why CredentialCache.DefaultCredential would return an ICredential instance with empty strings for domain, username, and password? I'm running a WCF service on IIS 7.5. It works fine on one server but never works on another. I have verified that the IIS application has Windows Authentication enabled....
Here is how it's being used:
string url = string.Format("{0}/departments/finance/_vti_bin/listdata.svc", _IntranetAddress);
var financeDataContext = new FinanceDataContext(new Uri(url))
{
Credentials = CredentialCache.DefaultCredentials
};
I am not sure how it is working in one of your servers? I hope you already read this
http://msdn.microsoft.com/en-us/library/system.net.credentialcache.defaultcredentials.aspx
but it clearly says "The ICredentials instance returned by DefaultCredentials cannot be used to view the user name, password, or domain of the current security context."
The NetworkCredential returned from CredentialCache.DefaultCredential is just a placeholder. If you look at it using the Debugger, you'll see that it's of type SystemNetworkCredential. Internal API check for this type to see if integrated authentication should be used or not. There are other ways to get the current username (like WindowsIdentity.GetCurrent()).
EDIT:
To specify impersonation for a WCF operation, add this attribute to the method implementing a contract:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public void SomeMethod()
{
// do something here
}
I am trying to use System.Net.WebClient in a WinForms application to upload a file to an IIS6 server which has Windows Authentication as
it only 'Authentication' method.
WebClient myWebClient = new WebClient();
myWebClient.Credentials = new System.Net.NetworkCredential(#"boxname\peter", "mypassword");
byte[] responseArray = myWebClient.UploadFile("http://localhost/upload.aspx", fileName);
I get a 'The remote server returned an error: (401) Unauthorized', actually it is a 401.2
Both client and IIS are on the same Windows Server 2003 Dev machine.
When I try to open the page in Firefox and enter the same correct credentials as in the code, the page comes up.
However when using IE8, I get the same 401.2 error.
Tried Chrome and Opera and they both work.
I have 'Enable Integrated Windows Authentication' enabled in the IE Internet options.
The Security Event Log has a Failure Audit:
Logon Failure:
Reason: An error occurred during logon
User Name: peter
Domain: boxname
Logon Type: 3
Logon Process: ÈùÄ
Authentication Package: NTLM
Workstation Name: boxname
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 127.0.0.1
Source Port: 1476
I used Process Monitor and Fiddler to investigate but to no avail.
Why would this work for 3rd party browsers but not with IE or System.Net.WebClient?
I have seen a similar issue, where the Integrated / NTLM security will only work if you are accessing the host by machine name or localhost. In fact, it is a [poorly] document feature in Windows that is designed to protect against "reflection attacks".
Basically, you need to create a registry key on the machine that is trying to access the server, and whitelist the domain you are trying to hit. Each host name / FQDN needs to be on it's own line - there are no wildcards and the name must match exactly. From the KB Article:
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
Exit Registry Editor, and then restart the computer.
http://support.microsoft.com/kb/956158/en-us
Have you tried ...
new NetworkCredential( "peter", "password", "boxname" );
You might also try ...
var credCache = new CredentialCache();
credCache.Add( new Uri ("http://localhost/upload.aspx"),
"Negotiate",
new NetworkCredential("peter", "password", "boxname"));
wc.Credentials = credCache;
Also, according to this it may be that IIS is configured wrong. Try replacing "Negotiate" with "Basic" in the above and checking your IIS config for the website. There's also a bunch of possible causes here.
Try going into IE's options and explicitly add the site to the Intranet Zone. Then re-run the program. You should also not run the program from an administrator login. This may trigger the Enhanced Security Configuration for Internet Explorer.
It could explain why you can hit the site with Firefox and Opera, but not with IE or WebClient.
Without knowing your IIS deployment, and assuming that you have the correct authorization rules for upload set in IIS (e.g. the right allow* ACL's on the right dirs you are trying to upload content to, etc), first thing I would try is to set UseDefaultCredentials to true instead of explicitly set Credential. (Maybe you think you are accessing the server with the Credentials you are setting but that's not the case? That would be possible if this works.)
This is a very common scenario, so I would focus on IIS authorization rules for the directory in which you are trying to upload the file, the actual ACL's on that directory. For ex. is your site impersonating or not? if it is, then you have to have actual ACL's on that dir, otherwise whatever account app pool is running on.