Login/Register
ASP.NET Web API Self-Host with Windows Authentication
Asked Answered
Solved asp.netasp.net-mvcwindows-authenticationasp.net-web-apiself-hosting
H

9

24

I am trying to use the ASP.NET Web API Self-Host option with Windows authentication so I can determine the logged on user and ultimately accept or reject the user based on their identity. Here is my console application code:

using System;
using System.Web.Http;
using System.Web.Http.SelfHost;

namespace SelfHost
{
    class Program
    {
        static void Main(string[] args)
        {
            var config = new HttpSelfHostConfiguration("http://myComputerName:8080");
            config.UseWindowsAuthentication = true;

            config.Routes.MapHttpRoute(
                "API Default", "api/{controller}/{id}",
                new { id = RouteParameter.Optional });

            using (HttpSelfHostServer server = new HttpSelfHostServer(config))
            {
                server.OpenAsync().Wait();

                Console.WriteLine("Press Enter to quit.");
                Console.ReadLine();
            }
        }
    }
}

Here is the controller:

[Authorize]
public class HelloController : ApiController
{
    public string Get()
    {
        // This next line throws an null reference exception if the Authorize
        // attribute is commented out.
        string userName = Request.GetUserPrincipal().Identity.Name;
        return "Hello " + userName;
    }
}

Edit - I added the Authorize attribute, and the debugger shows that the code inside the Get action method is never invoked. The following HTML is returned:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=windows-1252" http-equiv=Content-Type></HEAD>
<BODY></BODY></HTML>

If the Authorize attribute is commented out, Request.GetUserPrincipal().Identity.Name throws a null reference exception since Request.GetUserPrincipal() yields null.

Holmann answered 5/3, 2012 at 17:52 Comment(7)
You just need to put a break point and find out which property above is null... is "ControllerContext" null? or "Request" or "GetUserPrincipal()" or "Identity"?Schumacher
Yeah, what property is generating the null ref?Tundra
@Tundra the Request.GetUserPrincipal() is null. I added the [Authorize] attribute as suggested by Eric King and then I just receive a bare bones HTML page with no content between two body tags and it never runs the code inside my Get action method in the controller class.Holmann
@jonnii thanks for adding the bounty! I have not solved this one.Holmann
I only need selfhost for integration testing, so I've hacked around it by using basic authentication specifically for that purpose (everything works in IIS).Outage
Hi, any update on this? I have same use case for my application. Is this fixed?thank you.Induration
cool, just setting HttpSelfHostConfiguration.ClientCredentialType to windows is working - probably issue got fixed.Induration
K
25

I've hit this issue as well and the only solution I've came up with is to deliver dedicated HttpSelfHostedConfiguration:

public class NtlmSelfHostConfiguration : HttpSelfHostConfiguration
{
    public NtlmSelfHostConfiguration(string baseAddress)
        : base(baseAddress)
    { }

    public NtlmSelfHostConfiguration(Uri baseAddress)
        : base(baseAddress)
    { }

    protected override BindingParameterCollection OnConfigureBinding(HttpBinding httpBinding)
    {
        httpBinding.Security.Mode = HttpBindingSecurityMode.TransportCredentialOnly;
        httpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
        return base.OnConfigureBinding(httpBinding);
    }
}

To use it you just need to change one line (you don't need to set UseWindowsAuthentication anymore):

var config = new NtlmSelfHostConfiguration("http://myComputerName:8080");

The only issue with this approach is that authentication is now required for every request made to server which is using this configuration.

Keitloa answered 25/3, 2012 at 21:46 Comment(9)
Maybe you have a problem on caller side, how are you calling your host? I was using this against web application so the browser was handling the authentication headers on client-side. If you are using your own client you need to set proper authentication headers by your own (if you don't you should get unauthorized response). Please try to call your URL in browser to see if host is forcing the authentication.Keitloa
I forgot to change the authentication scheme from basic => windows. My bad! This is a good work around for now, but as you said it means all the actions will require authentication.Outage
Also, I'm going to award you the bounty because this is probably the only work around to this.Outage
I do hope that this area is subject to change in actual release. We must remember that Web API is in beta status and that it has just taken a huge architecture change by moving from WCF to ASP.NET (this is most probably why there are so many issue in self-hosting, the team has focused on web-hosting scenario I believe).Keitloa
I implemented this workaround solution and it works great for my use case since I am using Internet Explorer as my client. Many thanks tpeczek for the solution and @Outage for generously providing the bounty to get this question more attention! I'm accepting this as the answer.Holmann
Hi, I have same use case. Is this fixed now? Thank you!Induration
cool, just setting HttpSelfHostConfiguration.ClientCredentialType to windows is working - probably issue got fixed.Induration
When doing HTTPS (this.BaseAddress.Scheme == Uri.UriSchemeHttps), you must set httpBinding.Security.Transport.ClientCredentialType after the call to base.OnConfigureBinding() and you must not set httpBinding.Security.Mode.Boulogne
Hi! Please take a look at my question #35751911Spellbinder
I
3

i have hosted "Web API" in windows service and this is what i did to support windows authentication (basically based on above question, answers, some related articles - i am just consolidating as it may be helpful for others)

@HTTP Server (web api):

Set (reference: http://msdn.microsoft.com/en-us/library/system.web.http.selfhost.httpselfhostconfiguration.clientcredentialtype(v=vs.118).aspx), 

HttpSelfHostConfiguration.ClientCredentialType = System.ServiceModel.HttpClientCredentialType.Windows;

@Client:

And then as Allan mentioned (above) set UseDefaultCredentials to true.

Using HttpClient:

var handler = new HttpClientHandler();
    handler.UseDefaultCredentials = true;
    _httpClient = new HttpClient(handler);

Using WebClient (reference: http://msdn.microsoft.com/en-us/library/system.net.webclient.usedefaultcredentials.aspx )

set webclient's usedefaultcrednetials to 'true'.

Best Regards!

Induration answered 22/5, 2014 at 19:12 Comment(1)
Hey , pls take a look at my question #9571945Spellbinder
P
3

I am a little late to this. However, if you are using Owin to self host and need windows auth. In your startup class you can add the following.

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        HttpListener listener = (HttpListener)app.Properties["System.Net.HttpListener"];
        listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;
    }
}
Poorhouse answered 26/4, 2016 at 16:49 Comment(1)
I wanted to put together a simple self hosted web api as a windows service. when using Owin , accessing the webapi via browser always promoted for login/password (entering the username password does seem to work as expected and the user is authenticated) but is there a way to void the login prompt ?Cory
W
2

Are you sure you're getting through the authentication part? You could use fiddler to check whether the requests are actually going through or whether the server always responds with 401 Unauthorized (since you're using authentication).

You could also try to implement your own custom AuthorizeAttribute and put breakpoints in it to make sure it gets hit (you'll want to override the OnAuthorization method and see if that gets hit).

using System.Web.Http;
public class MyAuth : AuthorizeAttribute
{
    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        base.OnAuthorization(actionContext); //put breakpoint here
    }
}

Also, make sure you're using the Authorize attribute from System.Web.Http, and not from System.Web.Mvc. See here why.

Walkthrough answered 23/3, 2012 at 8:24 Comment(4)
Everything works when deployed to IIS (or hosted through visual studio), it's just the self host stuff that's not working. What I've done for now is make the self-host stuff use basic authentication with a delegating handler, I only need it for integration tests so that code won't be going into production. Assuming that all works it seems that the only part that isn't working in the windows authentication... I tried what you suggested, the breakpoint never gets hit.Outage
Well that's fishy. I've created a simple project to reproduce your issue, and the Windows authentication doesn't work for me either in a self-hosted version. As I checked in fiddler though, that was because it never returned a challenge-message to the client, it just simply returned unauthorized(since no authentication token is sent until a challenge reply is received). It did, however, hit my breakpoint in my custom OnAuthorization method. You used the [MyAuth] tag instead of [Authorize], I assume.Walkthrough
This is exactly what I was seeing. Without the challenge you're never going to be authenticated. I'm pretty sure this is a bug in self-host...Outage
It seems like a bug to me as well. You could try to implement your own custom MessageHandler to add the correct challenge headers to the response... but I'm not sure that would be enough (the authentication mechanisms involves several steps, and you shouldn't be reinventing the wheel here).Walkthrough
B
2

Similar to tpeczek's answer but updated to reflect HTTPS usage. tpeczek's answer doesn't work for HTTPS because the call to base.OnConfigureBinding(httpBinding); with HTTPS overwrites the changes. Additionally, you cannot use httpBinding.Security.Mode = HttpBindingSecurityMode.TransportCredentialOnly; with HTTPS.

Use a custom HttpSelfHostConfiguration:

public class NtlmSelfHostConfiguration : HttpSelfHostConfiguration
{
    public NtlmSelfHostConfiguration(string baseAddress)
        : base(baseAddress)
    { }

    public NtlmSelfHostConfiguration(Uri baseAddress)
        : base(baseAddress)
    { }

    protected override BindingParameterCollection OnConfigureBinding(
        HttpBinding httpBinding)
    {
        if (this.BaseAddress.Scheme == Uri.UriSchemeHttps)
        {
            var ret = base.OnConfigureBinding(httpBinding);
            httpBinding.Security.Transport.ClientCredentialType =
                HttpClientCredentialType.Ntlm;
            return ret;
        }

        httpBinding.Security.Mode = HttpBindingSecurityMode.TransportCredentialOnly;
        httpBinding.Security.Transport.ClientCredentialType = 
            HttpClientCredentialType.Ntlm;
        return base.OnConfigureBinding(httpBinding);
    }
}

Then, you can do

var config = new NtlmSelfHostConfiguration("http://myComputerName:8080");

or

var config = new NtlmSelfHostConfiguration("https://myComputerName:8443");

to get a configuration to pass into new HttpSelfHostServer(config)

Boulogne answered 12/12, 2014 at 23:53 Comment(1)
Hi please take a look at my question here #35751911Spellbinder
E
1

Have you tried putting the [Authorize] attribute on your controller?

[Authorize]
public class HelloController : ApiController
Editheditha answered 5/3, 2012 at 20:51 Comment(1)
I added the [Authorize] attribute to my controller, but now I just receive a bare bones HTML page with no content between the body tags. I'm hitting the page with IE.Holmann
B
1

Here is a link to a short video explaining how to use authorization.

http://www.asp.net/web-api/videos/getting-started/authorization

In essence use the [Authorize] attribute on the class, catch the error and return an HTTP 401 response and then have the client detect it and go to the login page

Baum answered 7/3, 2012 at 5:35 Comment(0)
P
1

Just to add, if you're using tpeczek's solution and also using HttpClient, you might need to do this:

        var handler = new HttpClientHandler();
        handler.UseDefaultCredentials = true;
        _httpClient = new HttpClient(handler);
Picasso answered 16/10, 2013 at 19:49 Comment(0)
B
0

Related answer for whom need it, about basic auth with token

Merging some help, info, answers and a self auth system that I made for a real Web API I could finally use roles and attributes tags for this. Is made for Authorization tag in the header.

Server invocation:

 var config = new HttpSelfHostConfiguration("http://localhost:8080");
            config.UserNamePasswordValidator = new PHVValidator();
            config.Routes.MapHttpRoute(
                "API Default", "{controller}/{id}",
                new { id = RouteParameter.Optional });

            using (HttpSelfHostServer server = new HttpSelfHostServer(config))
            {
                server.OpenAsync().Wait();
                Application.EnableVisualStyles();
                Application.SetCompatibleTextRenderingDefault(false);
                Application.Run(new DominusForm());
            }

Auth Method: (hardcoded for ex. only, choose user, pass and roles from anywhere)

    public class PHVValidator : System.IdentityModel.Selectors.UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (userName == "admin" && password == "123")
            {
                string[] rolarray = new string[] { "admin" };
               IPrincipal principal = new GenericPrincipal(new GenericIdentity(userName), rolarray);
                Thread.CurrentPrincipal = principal;
            }
        }
    }

Method: 

[Authorize(Roles = "admin")]
public HttpResponseMessage Get()
{
     do things
}
Ballottement answered 25/7, 2017 at 17:51 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.