none
Basic authentication with WCF-WebHttp adapter does not work RRS feed

  • Question

  • Basic authentication with WCF-WebHttp adapter does not work. The adapter does not add an authorization header to the message.

    I have tried this in BizTalk 2013 R2 with CU1 and BizTalk Server 2016 with CU1 with same result.

    This must be a bug right?

    Saturday, October 7, 2017 5:23 PM

Answers

All replies

  • Well, 100%, the Adapter works correctly with Basic Authentication.

    But, what do you mean by "Header"?  Are you the client or service?

    The client wouldn't normally send (though technically allowed) the Authorization header because it's the service, not the client, that determines the authentication method.

    So, what error are you getting or what exactly is not working?

    Sunday, October 8, 2017 9:03 PM
    Moderator
  • Hi,

    When tracing the request from BizTalk in Fiddler with the following configuration:

    Security mode: "TransportCredentialsOnly" or "Transport"
    Transport client credentials type: Basic

    I was expecting to see in HTTP header something like:
    Authorization: Basic THVtaTp0ZXN0MTIzNA==

    But the "Authorization" header is missing.
    Sunday, October 8, 2017 9:19 PM
  • Yes, it is a bug, Basic Authentication does not work in the WCF-WebHttp adapter.

    See WCF-WebHttp Adapter – Basic Authorisation  

    Either use another adapter, or create a custom end point behaviour to add the header until Microsoft fixes this.

    There is another workaround, adding it in the Outbound HTTP Headers under the Messages tab, but not recommended as it is not secure.

    For more bugs and issues, see BizTalk 2013 R2 known bugs, issues & quirks


    Sunday, October 8, 2017 10:54 PM
  • Thanks for confirming this.

    How can a bug like this slip by without being noticed. The problem still exist in BizTalk 2016 with CU1.

    I will report this on BizTalk User Voice page.
    Sunday, October 8, 2017 11:17 PM
  • Consider, this isn't necessarily wrong.  Is the server returning a WWW-Authenticate?

    It may be a design choice to avoid sending unsolicited credentials.

    Monday, October 9, 2017 1:20 PM
    Moderator