HttpListener windows authentication fails for domain account

I have a very simple console app using an HttpListener to listen for incoming
HTTP requests (see code below). My client and server machines are both in an
ADS domain and I'm logged into both using my domain account. The server app
is running as admin on an XPSP2 box. If I set authentication to Anonymous or
Basic, I can get requests. If I change to IntegratedWindowsAuthentication,
however, IE on the client prompts me for credentials. I can get through using
an account on the server, but I really want it to just authenticate me as the
domain account I'm logged in on the client. I can do a secure TCP remoting
call between machines as well as use Windows Auth for an IIS web share. This
should work no problem, so am I missing some simple config setting?

using System.Net;

HttpListener listen = new HttpListener();
listen.Prefixes.Add("http://*:8111/");
listen.AuthenticationSchemes =
    AuthenticationSchemes.IntegratedWindowsAuthentication;
listen.Start();
HttpListenerContext ctx = listen.GetContext();
HttpListenerResponse resp = ctx.Response;   // response object (declaration was missing in the post)

byte[] buffer = System.Text.Encoding.UTF8.GetBytes(
    "<HTML><BODY>Success</BODY></HTML>");

resp.ContentLength64 = buffer.Length;
resp.OutputStream.Write(buffer, 0, buffer.Length);
resp.OutputStream.Close();
listen.Stop();
Feb 3 '06 #1
Hi David,

Welcome to the MSDN newsgroup.

As for the HttpListener class, when using it with the Integrated Windows or
Negotiate authentication schemes, the client and server will try using a
secure authentication both sides support, and for 2000 or later, Kerberos
authentication may be chosen. I think it is likely there occur some
problems when the client and server machine try to determine the
authentication scheme and perform the authentication communication, which
is ahead of our code. Have you tried using the fixed NTLM authentication
scheme? Based on my test, using the fixed NTLM authentication can work
correctly. In addition, I'll perform some further research on the
"IntegratedWindows" or "Negotiate" ones to see whether there is any
existing problem with them. I'll update you soon.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Feb 6 '06 #2
In response to your suggestion, I tried AuthenticationSchemes.Ntlm and it let
me connect and gave me an authenticated WindowsIdentity. This is good news.
However, I was under the impression that IntegratedWinAuth or Negotiate would
both be smart enough to use NTLM if that was all the client and server could
agree on. To get another data point, I looked at the Identity I get on the
server when I do remoting over a secure TCP channel. In that experiment, the
server thread has a WindowsIdentity that's authenticated using NTLM. If the
remoting channel can figure it out, why can't the HttpListener? I also wonder
why .NET 2.0 is using NTLM when my environment is supposed to be ADS and
Kerberos, but that's probably beyond the scope of this post.
Feb 6 '06 #3
Hi David,

Thanks for your response.

After some discussion with our dev guys, we've got the point that causes the
problem behavior in our scenario. As I mentioned in the previous message,
for IntegratedWindowsAuthentication or Negotiate mode, the client and
server will choose the most secure authentication protocol, and for 2000 or
later versions of Windows, Kerberos will be used. However, performing
Kerberos authentication requires the server application (in our case the
HttpListener's hosting application) to be able to gain machine credentials.
Since our own console or WinForm application always runs under our own
logon user, it cannot do so. Therefore, if you want to use HttpListener
configured as IntegratedWindows or Negotiate, we need to make the host
application run under the Network Service account (Local System is also
ok), and generally this is only available if our application is a service
application (which is configured in the service controller, where it can be
specified to use the Network Service or Local System account).

In addition, if we use the NTLM authentication protocol, there is no such
requirement.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
believe you're running your app under your own account. With Negotiate or
Integrated, your client will attempt Kerberos auth and this will fail to
gain machine credentials unless you run your app as NetworkService.
Feb 7 '06 #4
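Added example (not code from the thread): an HttpListener that requires Windows authentication, rejects anything that did not authenticate, and reports which protocol the Negotiate exchange actually settled on, so the Kerberos-vs-NTLM outcome described above becomes visible. It assumes the process account can accept the chosen scheme; pass "ntlm" on the command line to force NTLM when the host runs under an ordinary user logon, as in the original post.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Text;

class AuthListener
{
    static void Main(string[] args)
    {
        // "ntlm" argument: skip Kerberos, which needs machine credentials
        // the hosting user account does not have (see the answer above).
        bool useNtlmOnly = args.Length > 0 && args[0] == "ntlm";

        using (HttpListener listen = new HttpListener())
        {
            // "+" = all host names on port 8111; narrow this in production.
            listen.Prefixes.Add("http://+:8111/");
            listen.AuthenticationSchemes = useNtlmOnly
                ? AuthenticationSchemes.Ntlm
                : AuthenticationSchemes.IntegratedWindowsAuthentication; // Negotiate | Ntlm
            listen.Start();
            Console.WriteLine("Listening with scheme: " + listen.AuthenticationSchemes);

            while (true)
            {
                HttpListenerContext ctx = listen.GetContext();
                HttpListenerResponse resp = ctx.Response;
                WindowsIdentity id = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;

                // Only serve requests the listener itself authenticated.
                if (id == null || !id.IsAuthenticated)
                {
                    resp.StatusCode = 401;
                    resp.Close();
                    continue;
                }

                // AuthenticationType is typically "Kerberos" or "NTLM" here,
                // which tells you what the Negotiate handshake chose.
                string body = string.Format(
                    "<html><body>User: {0}<br/>Protocol: {1}</body></html>",
                    id.Name, id.AuthenticationType);
                byte[] buffer = Encoding.UTF8.GetBytes(body);
                resp.ContentType = "text/html";
                resp.ContentLength64 = buffer.Length;
                resp.OutputStream.Write(buffer, 0, buffer.Length);
                resp.Close();
            }
        }
    }
}
```

Run it once as a plain user with "ntlm" and once as a service account under Network Service to compare the reported protocol from a domain-joined client.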
Thank you for the response. Your answer was quite helpful.
Feb 7 '06 #5
You're welcome David,

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Feb 9 '06 #6