HttpWebRequest authentication with NTLM secure server: 401: Unauthorized

    Question

  • Hi all,

    I am trying to connect to a secured server (https) that uses NTLM using HttpWebRequest.  No matter what I do, I get an http 401: Unauthorized response.  Connecting via IE or FF and entering the username and password by hand works fine.  I've been reading for a few hours looking for an answer, with no luck.  I've tried every variation I can think of on the following code:

     

    Code Snippet

    Uri targetUri = new Uri("https://decisions.court.gov.il/");

    // Create request
    HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(targetUri);

    CredentialCache credentials = new CredentialCache();
    //credentials.Add(new Uri("https://decisions.court.gov.il/"), "NTLM", new NetworkCredential(@"idc\user8", "Password1"));
    credentials.Add("subdomain.domain.gov.il", 443, "NTLM", new NetworkCredential(@"domain\username", "password"));
    request.Credentials = credentials;

    request.Method = "GET";
    request.KeepAlive = true;
    request.Accept = @"*/*";
    //request.PreAuthenticate = true;

    // Assign custom SSL certificate validation method for NewCourts website
    ServicePointManager.ServerCertificateValidationCallback += new RemoteCertificateValidationCallback(ValidateServerCertificate);

    // Get response
    WebResponse response = request.GetResponse();

    if ((response.ContentLength == 0))
    {
        Response.Write("operation failed");
    }

    ...

    This code is being run from an aspx page in a little test website running on the asp.net virtual server.  The ValidateServerCertificate simply returns true, because the target website's security certificate has some problem with it.

    Anyway, at request.GetResponse() I get the 401.

      I've tried setting up a secure site on intranet that uses NTLM and connected without any problem.

     

      Also, I've compared the successful HTTP conversation (using IE) with the unsuccessful one (from code) using Fiddler.

     

    (I've changed some of the encoded strings for security purposes)

    Here is the successful one:

     

    Request1:

    GET / HTTP/1.1

    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, application/x-silverlight-2-b1, */*

    Accept-Language: he

    Accept-Encoding: gzip, deflate

    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

    Host: decisions.court.gov.il

    Connection: Keep-Alive

    Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

     

    Response1:

    HTTP/1.1 401 Unauthorized

    Connection: Keep-Alive

    Content-Length: 1539

    Date: Wed, 14 May 2008 13:09:27 GMT

    Content-Type: text/html

    Server: Microsoft-IIS/6.0

    WWW-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAAFgomizBKoEtGUEEcAAAAAAAAAAIgAiAA+AAAABQLODgAAAA9JAEQAQwACAAYASQBEAEMAAQAQAEkARABDAFcARQBCADAAMwAEABgASQBEAEMALgBOAEcAQwBTAC4ATgBFAFQAAwAqAEkARABDAFcARQBCADAAMwAuAEkARABDAC4ATgBHAEMAUwAuAE4ARQBUAAUAGABJAEQAQwAuAE4ARwBDAFMALgBOA

    X-Powered-By: ASP.NET

    Proxy-Support: Session-Based-Authentication

     

    Request2:

    GET / HTTP/1.1

    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, application/x-silverlight-2-b1, */*

    Accept-Language: he

    Accept-Encoding: gzip, deflate

    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

    Host: decisions.court.gov.il

    Connection: Keep-Alive

    Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGYAAAAYABgAfgAAAAYABgBIAAAACgAKAE4AAAAOAA4AWAAAAAAAAACWAAAABYKIogUBKAoAAAAPaQBkAGMAdQBzAGUAcgA4AFkATwBOAEEAVABBAE4Asg+k7ypywHIAAAAAAAAAAAAAAAAAAAAAcfHfL7K+dZv0C+MTwoR8Rfv8

     

    Response2:

    HTTP/1.1 200 OK

    Connection: Keep-Alive

    Content-Length: 31074

    Date: Wed, 14 May 2008 13:09:29 GMT

    Content-Type: text/html

    Server: Microsoft-IIS/6.0

    X-Powered-By: ASP.NET

     

     

    Here is the unsuccessful one:

     

    Request1:

    GET / HTTP/1.1

    Accept: */*

    Authorization: NTLM TlRMTVNTUAABAAAAt4II4gAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

    Host: decisions.court.gov.il

     

    Response1:

    HTTP/1.1 401 Unauthorized

    Connection: Keep-Alive

    Content-Length: 1539

    Date: Wed, 14 May 2008 13:30:14 GMT

    Content-Type: text/html

    Server: Microsoft-IIS/6.0

    WWW-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAA1goni2Jw+KKbZHyAAAAAAAAAAAIgAiAA+AAAABQLODgAAAA9JAEQAQwACAAYASQBEAEMAAQAQAEkARABDAFcARQBCADAAMwAEABgASQBEAEMALgBOAEcAQwBTAC4ATgBFAFQAAwAqAEkARABDAFcARQBCADAAMwAuAEkARABDAC4ATgBHAEMAUwAuAE4ARQBUAAUAGABJAEQAQwAuAE4ARwBDAFMALgBOAEU

    X-Powered-By: ASP.NET

    Proxy-Support: Session-Based-Authentication

     

    Request2:

    GET / HTTP/1.1

    Accept: */*

    Authorization: NTLM TlRMTVNTUAADAAAAGAAYAGgAAAAYABgAgAAAAAAAAABIAAAAEgASAEgAAAAOAA4AWgAAABAAEACYAAAANYKI4gUBKAoAAAAPaQBkAGMAXAB1AHMAZQByADgAWQBPAE4AQQBUAEEATgBrw0kTDXqdKwAAAAAAAAAAAAAAAAAAAACkMK62vxVBEfxyriQJhBNObP/Qc4tePyDpenjA75PDzN73P

    Host: decisions.court.gov.il

     

    Response2:

    HTTP/1.1 401 Unauthorized

    Connection: Keep-Alive

    Content-Length: 1539

    Date: Wed, 14 May 2008 13:30:14 GMT

    Content-Type: text/html

    Server: Microsoft-IIS/6.0

    WWW-Authenticate: NTLM

    X-Powered-By: ASP.NET

    Proxy-Support: Session-Based-Authentication

     

     

     

     

    I appreciate any help.

    Wednesday, May 14, 2008 12:37 PM
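
Decoding the NTLM tokens from the two Fiddler traces above lets the handshakes be compared field by field. This is an added example, not part of the original thread: it parses the Type 1 and Type 3 tokens as posted, with flag names following MS-NLMP, UTF-16LE strings assumed because both Type 3 messages set the Unicode flag, and function and variable names chosen for illustration.

```python
import base64
import struct

# Subset of NTLMSSP negotiate flag bits (names follow MS-NLMP).
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x10: "SIGN",
         0x20: "SEAL", 0x80: "LM_KEY", 0x200: "NTLM", 0x8000: "ALWAYS_SIGN",
         0x80000: "EXTENDED_SESSIONSECURITY", 0x800000: "TARGET_INFO",
         0x2000000: "VERSION", 0x20000000: "128", 0x40000000: "KEY_EXCH",
         0x80000000: "56"}

def parse_ntlm(header_value):
    """Return type, flag names and (Type 3) domain/user of an NTLM token."""
    b64 = header_value.split()[-1].rstrip("=")
    raw = base64.b64decode(b64[:len(b64) // 4 * 4])  # tolerates cut-off tokens
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", raw, 8)[0]
    if mtype not in (1, 3):
        raise ValueError("only Type 1 and Type 3 are handled here")
    flags = struct.unpack_from("<I", raw, 12 if mtype == 1 else 60)[0]
    msg = {"type": mtype, "flags": {n for b, n in FLAGS.items() if flags & b}}
    if mtype == 3:
        # Security buffers: uint16 length, uint16 max length, uint32 offset.
        # Strings are decoded as UTF-16LE (assumes the UNICODE flag is set).
        for name, pos in (("domain", 28), ("user", 36)):
            length, _, start = struct.unpack_from("<HHI", raw, pos)
            msg[name] = raw[start:start + length].decode("utf-16-le")
    return msg

# Tokens as posted in the two traces above. The Type 3 tokens are cut after
# the user-name field; the response blobs that follow are not needed here.
IE_TYPE1 = "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
CODE_TYPE1 = "NTLM TlRMTVNTUAABAAAAt4II4gAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
IE_TYPE3 = ("NTLM TlRMTVNTUAADAAAAGAAYAGYAAAAYABgAfgAAAAYABgBIAAAA"
            "CgAKAE4AAAAOAA4AWAAAAAAAAACWAAAABYKIogUBKAoAAAAP"
            "aQBkAGMAdQBzAGUAcgA4AFkA")
CODE_TYPE3 = ("NTLM TlRMTVNTUAADAAAAGAAYAGgAAAAYABgAgAAAAAAAAABIAAAA"
              "EgASAEgAAAAOAA4AWgAAABAAEACYAAAANYKI4gUBKAoAAAAP"
              "aQBkAGMAXAB1AHMAZQByADgA")

def compare_handshakes():
    """Summarise how the code's handshake differs from the browser's."""
    ie1, code1 = parse_ntlm(IE_TYPE1), parse_ntlm(CODE_TYPE1)
    ie3, code3 = parse_ntlm(IE_TYPE3), parse_ntlm(CODE_TYPE3)
    return {"flags_only_from_code": code1["flags"] - ie1["flags"],
            "browser_identity": (ie3["domain"], ie3["user"]),
            "code_identity": (code3["domain"], code3["user"])}
```

On the posted tokens, the Type 1 message sent from code additionally requests SIGN, SEAL, LM_KEY and KEY_EXCH, and its Type 3 message carries an empty domain with the user name `idc\user8`, where the browser sent domain `idc` and user `user8`.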

All replies

  • I'm having the EXACT same problem.  Did you ever come up with a solution for this?
    Wednesday, August 12, 2009 10:04 PM
  • Have you tried setting the NetworkCredential object to the request.Credentials property and not via a CredentialsCache object?

    http://www.alanjmcf.me.uk/ Please follow-up in the newsgroup. If I help, mark the question answered
    Thursday, August 13, 2009 9:09 AM
  • Can you get a network trace? In order for NTLM to succeed, it needs a Keep-Alive HTTP connection for the entire handshake.

    Also, are you going through a proxy? If so, NTLM is not guaranteed to work through a proxy.

    If you are not going through a proxy, get a network sniff, and verify if both Request1 and Request2 are going over the same TCP connection.

    If they are going over the same TCP connection, you need to get a system.net log on the client. For that, see the following:

    http://blogs.msdn.com/feroze_daud/archive/2005/05/12/416922.aspx


    hope that helps...

    feroze.

    --
    http://ferozedaud.blogspot.com
    http://blogs.msdn.com/feroze_daud
    Saturday, August 15, 2009 3:24 AM
  • Other people have also hit this problem. I investigated one issue, and blogged about the conclusion here:

    http://ferozedaud.blogspot.com/2009/10/ntlm-auth-fails-with.html

    If your client machine is running Vista/Windows 7, then my blog entry has the answer to your question.


    feroze
    --
    My blog
    • Proposed as answer by Feroze Daud Saturday, October 03, 2009 3:01 AM
    Saturday, October 03, 2009 3:00 AM