472,978 Members | 2,142 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 472,978 software developers and data experts.

HttpListener windows authentication fails for domain account

I have a very simple console app using an HttpListener to listen for incoming
HTTP requests (see code below). My client and server machines are both in an
ADS domain and I'm logged into both using my domain account. The server app
is running as admin on an XPSP2 box. If I set authentication to Anonymous or
Basic, I can get requests. If I change to IntegratedWindowsAuthentication,
however, IE on the client prompts me for credentials. I can get through using
an account on the server, but I really want it to just authenticate me as the
domain account I'm logged in on the client. I can do a secure TCP remoting
call between machines as well as use Windows Auth for an IIS web share. This
should work no problem, so am I missing some simple config setting?

HttpListener listen = new HttpListener();
listen.AuthenticationSchemes =
AuthenticationSchemes.IntegratedWindowsAuthenticat ion;
HttpListenerContext ctx = listen.GetContext();

byte[] buffer = System.Text.Encoding.UTF8.GetBytes("<HTML><BODY>

resp.ContentLength64 = buffer.Length;
resp.OutputStream.Write(buffer, 0, buffer.Length);
Feb 3 '06 #1
5 5981
Hi David,

Welcome to the MSDN newgroup.

As for the HttpListener class, when using with integrated windows or
Negociate authentication schemas, the cilent and server will try using an
secure authentication both sides support and for 2000 or later, the
kerberos authentication maybe choosed. I think it is likely there occur
some problem when the client and server machine try determine the
authentication schema and performign the authentication communication which
is in ahead of our code. Have you tried using the fixed NTLM authentication
schema , based on my test, using the fixed NTLM authentication can work
correctly. In addition, I'll perform some further research on the
"IntegratedWindows" or "Negociate" ones to see whethre threre is any
existing problem on them. I'll updateyou soon.


Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
Feb 6 '06 #2
In response to your suggestion, I tried AuthenticationSchemes.Ntlm and it let
me connect and gave me an authenticated WindowsIdentity. This is good news.
However, I was under the impression that IntegratedWinAuth or Negotiate would
both be smart enough to use NTLM if that was all the client and server could
agree on. To get another data point, I looked at the Identity I get on the
server when I do remoting over a secure TCP channel. In that experiment, the
server thread has a WindowsIdentity that's authenticated using NTLM. If the
remoting channel can figure it out, why can't the HttpListener? I also wonder
why .NET 2.0 is using NTLM when my environment is supposed to be ADS and
Kerberos, but that's probably beyond the scope of this post.
Feb 6 '06 #3
Hi David,

Thanks for your response.

After some discussion with our dev guys, we've got the point that cause the
problem behavior in our scenario. As I mentioned in the previous message,
for IntegratedWindowsAuthentication or Negociate mode, the client and
server will choose the most secure authentiation protocol, and for 2000 or
later version of windows, Kerberos will be used, however, performing
kerberos authentication require the server application(in our case is the
HttpListener's hosting application) be able to gain machine credential.
However, since our own console or winform application always run under our
own logon user, it can not do so. Therefore if you want to use
HttpListener and configured as IntegratedWindows or Negociate, we need to
make the host application running under Network Service account (or Local
System is also ok), and generally this is only available if our application
is a service application (which is configured in service controller that
can be specified to use Network Service or Local System account).

In addition, if we use NTLM authentication protocol, there is not such


Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
believe you¡¯re running your app under your own account. With Negotiate or
Integrated, your client will attempt Kerberos auth and this will fail to
gain machine credentials unless you run your app as NetworkService.
Feb 7 '06 #4
Thank you for the respose. Your answer was quite helpful.
Feb 7 '06 #5
You're welcome David,


Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
Feb 9 '06 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

by: Bob Everland | last post by:
I have an application that is ISAPI and the only way to secure it is through NT permissions. I need to have a way to login to windows authentication so that when I get to the ISAPI application no...
by: sherkozmo | last post by:
I have my SQL 7.0 server set for Mixed security. I see now (finally) the advantages of having windows authentication security for windows groups. I do most of my developing in Access Projects...
by: Vinodi | last post by:
Hi, I have a peculiar problem (or maybe not). I have SQL clients installed on XP boxes. These XP boxes are a member of let us say "XYZ" domain. SQL Server is installed on one of the boxes having...
by: Darren Oakey | last post by:
G'day - I'm going insane trying to solve this proble, and would desperately love some assistance: My problem: I am making a web site usable by both internal users and the general public....
by: Alice Wong | last post by:
I am setting up my Web ASP.net application to connect to Sql server using windows authentication. I set up IIS to have integrated windows authenication and sql to allow Windows authentication....
by: Martin | last post by:
How does one set up basic authentication on an HttpListener? I know I need to set the HttpListener.AuthenticationSchemes to AuthenticationSchemes.Basic but then I'm unsure how and against what...
by: palbria | last post by:
Hello, I was wondering if there was any way to set the default domain while using windows authentication. People are haveing trouble remembering that it needs to be "domain\username". I would...
by: DotNetDanny | last post by:
Hello Machine: Windows Vista Business, standalone machine (no domain). Installed an old classic ASP webapplication in IIS7, running under a new app.pool with 'NETWORK SERVICE' account (using...
by: jonmundsack | last post by:
I have an intranet site on my LAN which has "anonymous access" turned OFF, and "integrated Windows authentication" turned on. This allows me to access the "AUTH_USER" server variable, which I use...
by: lllomh | last post by:
Define the method first this.state = { buttonBackgroundColor: 'green', isBlinking: false, // A new status is added to identify whether the button is blinking or not } autoStart=()=>{
by: DJRhino | last post by:
Was curious if anyone else was having this same issue or not.... I was just Up/Down graded to windows 11 and now my access combo boxes are not acting right. With win 10 I could start typing...
by: Aliciasmith | last post by:
In an age dominated by smartphones, having a mobile app for your business is no longer an option; it's a necessity. Whether you're a startup or an established enterprise, finding the right mobile app...
by: tracyyun | last post by:
Hello everyone, I have a question and would like some advice on network connectivity. I have one computer connected to my router via WiFi, but I have two other computers that I want to be able to...
by: NeoPa | last post by:
Introduction For this article I'll be using a very simple database which has Form (clsForm) & Report (clsReport) classes that simply handle making the calling Form invisible until the Form, or all...
by: Teri B | last post by:
Hi, I have created a sub-form Roles. In my course form the user selects the roles assigned to the course. 0ne-to-many. One course many roles. Then I created a report based on the Course form and...
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 1 Nov 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM) Please note that the UK and Europe revert to winter time on...
by: isladogs | last post by:
The next online meeting of the Access Europe User Group will be on Wednesday 6 Dec 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, Mike...
by: GKJR | last post by:
Does anyone have a recommendation to build a standalone application to replace an Access database? I have my bookkeeping software I developed in Access that I would like to make available to other...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.