How can I generate my own SPNEGO http header in C#, please? RRS feed

  • Question

  • I use a WCF WebHttpBinding client to consume services (which are actually hosted by a JBoss server) and use Windows Authentication via a Kerberos ticket in a SPNEGO token.
    The trouble is that I see two http requests per service call, one without an Authorize header, a 401 response then a second with the SPNEGO.  Now, no doubt this is all RFC-4559 compliant, but I would like to be able to avoid the doubled round trip overhead.  There is no direct provision in the WCF WebHttpBinding to do this.
    I can though add an endpoint behavior to add my own http header, I would like to use that to provide SPNEGO on the first request, but what I don't know is how to construct and serialize an SPNEGO, say for my client's default credentials, in C#.
    If I have it right, then I know what authorization my service will accept (Kerberos) so I shouldn't need the initial 401 response.  I think I have seen others do this for say Basic Authentication, but then constructing the header is very simple.
    I first asked this in the WCF forum, but a moderator there has suggested I post here and in winserversecurity.
    Thanks in anticipation

    Friday, November 4, 2011 1:50 PM

All replies

  • Why would you want to do that? You explained yourself already but I'm really asking whether or not the double call is affecting your business functionality, which is what you should be interested in? If not your business requiements, is it affecting your non-functional requirements such as performance, scalability etc?

    It likely is not because this is how it is spec'd and implemented to work, first request is anonymous with return request for the correct protocol. Changing your client so that it does something different is a recipe for future disaster because only your client among the other clients will work differently. If it bothers you that much, just don't look at the headers. I call this the bury-your-head-in-the-sand approach.

    Monday, November 7, 2011 7:53 PM
  • Thanks.

    The reason that I want to avoid the double call is that although the application is intranet, the round trip is cross global and so the latency substantial.

    I don't want to avoid the headers, because I need the Kerberos security.  I could possibly simplify things by implementing more of my own security (at both ends), but in general rolling ones own is a recipe for insecurity.

    I do take your point about special cased, but this is our own single client & our own single service (we all start thinking that, don't we?)  There are other possible solutions, of course, but many are equally as special.

    It just seems to me that one contained change ought to be able to deliver the benefit while making use of the rest of the stack.

    Tuesday, November 8, 2011 1:31 PM
  • I am actually surprise that the WebHttpBinding does that.

    On WebClient or HttpWebRequest the property to prevent the double-roundtrip is called PreAuthenticate.

    I would investigate if something similar exists or if there is any way to reach down to the actual HTTP client to set it.


    The other question would be - if you are using the WebHttpBinding, you are consuming a Restful service. So why do you actually use the RPCish WCF client proxy to access the service - and not do it "properly" using WebClient or HttpClient?


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Tuesday, November 8, 2011 5:23 PM
  • Thanks

    I was aware of PreAuthenticate on WebClient and it does look like it may do what I require. Unfortunately I can find no sign of anything similar in WCF.  You are right though, it may just be that I can get down to the HttpReques in WCF to enabl;e PreAuthenticate there, I will investigate.

    The choice of technology can be difficult with many choices, in this case I was not involved in our choice & I suspect we may have just chosen the most recent.  I recently attended training in C# and WPF by the very excellent David Wheeler for Developmentor, at the time I couldn't justify his WCF course and I am now starting to rue that.

    I had previously discounted moving to WebRequest or HttpRequest, thinking that in any case I would have to code the authentication, but if PreAuthentication works it may well be straightforward.

    Thanks very much for the pointers

    Wednesday, November 9, 2011 9:49 AM
  • In my opinion - using the WCF ChannelFactory for RESTful services is just wrong.

    Microsoft has released a new HTTP Client, appropriately called HttpClient ("HttpClient" on NuGet).

    This is a very nice and easy to use client for HTTP based services (just sayin').

    Well - come to DM's WCF course - I'll see you there ;)

    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Wednesday, November 9, 2011 10:01 AM