HttpListener windows authentication fails for domain account

Hi David,

Welcome to the MSDN newgroup.

As for the HttpListener class, when using with integrated windows or
Negociate authentication schemas, the cilent and server will try using an
secure authentication both sides support and for 2000 or later, the
kerberos authentication maybe choosed. I think it is likely there occur
some problem when the client and server machine try determine the
authentication schema and performign the authentication communication which
is in ahead of our code. Have you tried using the fixed NTLM authentication
schema , based on my test, using the fixed NTLM authentication can work
correctly. In addition, I'll perform some further research on the
"IntegratedWindows" or "Negociate" ones to see whethre threre is any
existing problem on them. I'll updateyou soon.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

In response to your suggestion, I tried AuthenticationSchemes.Ntlm and it let
me connect and gave me an authenticated WindowsIdentity. This is good news.
However, I was under the impression that IntegratedWinAuth or Negotiate would
both be smart enough to use NTLM if that was all the client and server could
agree on. To get another data point, I looked at the Identity I get on the
server when I do remoting over a secure TCP channel. In that experiment, the
server thread has a WindowsIdentity that's authenticated using NTLM. If the
remoting channel can figure it out, why can't the HttpListener? I also wonder
why .NET 2.0 is using NTLM when my environment is supposed to be ADS and
Kerberos, but that's probably beyond the scope of this post.

Hi David,

Thanks for your response.

After some discussion with our dev guys, we've got the point that cause the
problem behavior in our scenario. As I mentioned in the previous message,
for IntegratedWindowsAuthentication or Negociate mode, the client and
server will choose the most secure authentiation protocol, and for 2000 or
later version of windows, Kerberos will be used, however, performing
kerberos authentication require the server application(in our case is the
HttpListener's hosting application) be able to gain machine credential.
However, since our own console or winform application always run under our
own logon user, it can not do so. Therefore if you want to use
HttpListener and configured as IntegratedWindows or Negociate, we need to
make the host application running under Network Service account (or Local
System is also ok), and generally this is only available if our application
is a service application (which is configured in service controller that
can be specified to use Network Service or Local System account).

In addition, if we use NTLM authentication protocol, there is not such
requirement.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
believe you¡¯re running your app under your own account. With Negotiate or
Integrated, your client will attempt Kerberos auth and this will fail to
gain machine credentials unless you run your app as NetworkService.

Thank you for the respose. Your answer was quite helpful.

You're welcome David,

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)