HttpWebRequest with basic authentication fails with 401 error for DefaultNetworkCredentials

About

Asked 18/1, 2013 at 16:8 Answered 18/1, 2013 at 17:31

c#httpwebrequest basic-authentication networkcredentials

I am testing an application with a local Web server (IIS, Windows 8), the site requires Basic authentication, and as long as I explicitly pass my credentials, everything works fine:

request.Credentials = new NetworkCredential("User", "Password", "Domain");
request.PreAuthenticate = true;

But I would like to use integrated security, so I tried to change the first line as follows:

request.Credentials = CredentialCache.DefaultNetworkCredentials;

(I also tried DefaultCredentials)

I checked the network traffic with Fiddler, and I see that in the second case Http request is sent without an authorization header, so it's not surprising that it fails. But why?

UPDATE. I believe I misunderstood default credentials concept. DefaultNetworkCredentials may not be used to generate basic authentication header, it must be a user/password pair. So this behavior is by design.

Predikant answered 18/1, 2013 at 16:8 Comment(8)

May be a silly question, but did you turn on integrated authentication for the website in IIS? You'll see a header in the response (from memory: www-authenticate negotiate) stating what authentication mechanisms the server accepts. – Bisectrix 18/1, 2013 at 16:10

You need to configure delegation if you want the client credentials to leave the boundary of the web server that is acting as a client to another server. NTLM cannot be delegated. You could use Kerberos. – Thermoelectricity 18/1, 2013 at 16:28

@DarinDimitrov, but everything occurs on the same server. It's just my local machine. – Predikant 18/1, 2013 at 16:34

@dash, if I only enable basic authentication, then it works with explicitly set user/password and fails with DefaultNetworkCredentials. If I enable both basic and Windows authentication, then Negotiate is selected so I can't test Basic. – Predikant 18/1, 2013 at 16:36

Browser will try basic first, and then the best one it supports out of the list of remaining methods. In this instance, as you are on Windows, running against IIS, it's not surprising it tries Negotiate over Basic. See support.microsoft.com/?id=264921 – Bisectrix 18/1, 2013 at 16:43

Yes @Bisectrix I know that Negotiate wins over Basic. My scenario is when ONLY Basic is enabled, and then request fails with DefaultNetworkCredentials but succeeds with explicitly set credentials. I wonder why DefaultNetworkCredentials are not translated to proper authentication headers. – Predikant 18/1, 2013 at 16:57

I'd be surprised if it popped your windows credentials into a basic header as they are plain text - it would be a great way to harvest network credentials :-) – Bisectrix 18/1, 2013 at 17:13

Ah I misunderstood the whole thing, thanks @Bisectrix – Predikant 18/1, 2013 at 17:27

Thanks to people who commented on the topic, I realized that I misunderstood the concept of default credentials. They can't be used in the case then only Basic authentication is enabled, so this is the correct behavior.

Predikant answered 18/1, 2013 at 17:31 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags