NTLM failure

  • Thread starter Thread starter John Lee
  • Start date Start date
J

John Lee

Hi,

I have a virtual directory configured as "integrated windows authentication"
and "anonymous acccess" is turned off. I can use IE to acccess that page but
when I try to access the page using

HttpWebRequest wr = (HttpWebRequest) System.Net.WebRequest.Create(url);
wr.Credentials = CredentialCache.DefaultCredentials;
HttpWebResponse resp = (System.Net.HttpWebResponse)wr.GetResponse();

I got "System.Net.WebException: The remote server returned an error: (401)
Unauthorized." error, Any idea why?

Thanks very much!
John
 
Hi John,

Glad to see you again :-).

As for the 401 error you encountered when requesting page protected by
integrated windows authentication through
HttpWebRequest component, it is because the HttpWebRequest component won't
automatically provide the client side credential (from the current logon
user like what IE does). So we need to manually attach the credential if
the serverside dosn't allow anonymous accessing. For example, the following
code snippet just provide a credential (NTLM auth schema):

=====================
NetworkCredential myCred = new NetworkCredential(
"username","password","domain or machine name");

CredentialCache myCache = new CredentialCache();

myCache.Add(new Uri("www.contoso.com"), "NTLM", myCred);


WebRequest wr = WebRequest.Create("www.contoso.com");
wr.Credentials = myCache;
...............
======================

Here is the MSDN reference on System.Net.NetworkCredential class:

http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemnetnetworkcred
entialclasstopic.asp?frame=true

Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Thanks Steven!

But I need to use the current logon user's credential to access that page
and
the following code should work - but it does not work for me:

wr.Credentials = CredentialCache.DefaultCredentials;

Another thing I noticed that might be related, I created a virtual directory
"test" with "windows integrated authentication" only on a 2003 server
"server1" with SP1 box.
step 1. open a new instance of IE, access http://server1/test it will popup
asking for username/password, type in password and it will work
2. IF i add http://server1 into local intranet zone, repeat step 1, no popup
to ask password

I tested the above scenario on several box and it's consistent. so my
another question is that when we use HttpWebRequest to access the virtual
directory by using logon user's network credential - how to configure the
accessed uri is in local intranet zone from code or it SHOULD grab that
setting done by IE?

Thanks!
John
 
Thanks for your respones John,

As for the further question you mentioned, here are my understandings:

1. YES, IE will automatically send the current logon session's credential
when accessing trusted or intranet zone sites and
anonymous access is not allowed. We can also verfify this in the IE's
Tools---->Internet Options--->Security---->certain Zone ---> Custom Level
setting---> UserAuthentication. Logon

2.When using HttpWebRequest, it has nothing related to IE setting. So we
will always need to manually provide the credential when accessing remote
resouce when require authentication. And yes, the
System.Net. CredentialCache.DefaultCredentials contains the current logon
user's credential (in winform or console app), but if this credential is
not valid on the remote server, the request will also fail. Different from
IE( IE will popup authentication dialog to let us input username/password
when current user is not valid on remote server), using httpwebrequest ,
there is no such dialog.

So as for your scenario, I think the problem is your current logon user is
not a valid account on the remote server. Is your logon user account a
local account on the machine where you running the httpwebrequest app? If
so, this account is not valid to the remote server, you need to provide a
valid account on the remote server , this account can be either of :
1. A domain account

2. A duplicated local account which has same username/password on both
client and server machine.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Back
Top