WebClient + Credentials + HTTP 401 Status Codes

[Raterus]

Hello,

I'm using the WebClient class to query my webserver to get the contents of a certain page (protected with windows integrated security), I have no problems doing this, but have noticed the WebClient Class does not send the credentials I set until it gets an HTTP 401 return code.

We have just created a program to scan the IIS log files for authentication failures. I've noticed in these logs that the WebClient class actually makes two requests of the webserver, it first tries to get the page without sending the credentials, which fails with a 401 error. It tries immediately afterward, sending the credentials, which my webserver responds with the contents.

I'd really like to configure the WebClient class to send the credentials immediately, and not wait for the 401. Is this possible to do? It's messing up my program that scans the log files for 401 errors!

Thanks,
--Michael

 

[Joe Kaplan \(MVP - ADSI\)]

You can do this by setting PreAuthenticate to True on the WebClient. If the
protocol you are using supports it, then that will work. Normally,
PreAuthenticate works with Basic auth though. I don't think it works with
WIA or Digest (not positive though).

Joe K.

Hello,

I'm using the WebClient class to query my webserver to get the contents of a
certain page (protected with windows integrated security), I have no
problems doing this, but have noticed the WebClient Class does not send the
credentials I set until it gets an HTTP 401 return code.

We have just created a program to scan the IIS log files for authentication
failures. I've noticed in these logs that the WebClient class actually
makes two requests of the webserver, it first tries to get the page without
sending the credentials, which fails with a 401 error. It tries immediately
afterward, sending the credentials, which my webserver responds with the
contents.

I'd really like to configure the WebClient class to send the credentials
immediately, and not wait for the 401. Is this possible to do? It's
messing up my program that scans the log files for 401 errors!

Thanks,
--Michael

 

[Raterus]

The WebRequest object has PreAuthenticate, not WebClient. Do you know if there is a way to access the underlying WebRequest object that the WebClient uses? I didn't see a way to do this. Should I scrap the WebClient and just use WebRequest?

Thanks,
--Michael

 

[Joe Kaplan \(MVP - ADSI\)]

Oh sorry, missed that. I always just use HttpWebRequest. I'm not even sure
what the WebClient is for.

I'd definitely go in that direction

You'll have to mess with the streams yourself, but that isn't such a big
deal.

Joe K.

The WebRequest object has PreAuthenticate, not WebClient. Do you know if
there is a way to access the underlying WebRequest object that the WebClient
uses? I didn't see a way to do this. Should I scrap the WebClient and just
use WebRequest?

Thanks,
--Michael

 

[Raterus]

I modified my code to use WebRequest and set PreAuthenticate=True, and you are right, it still won't preauthenticate with integrated windows authentication. Now i'm wondering why? Would WebRequest be authenticating with Kerberos or NTLM? I'd imagine it is using NTLM, and since that is challenge/response that would make sense why I can't preauthenticate. I don't even want to know what it would take to get WebRequest to use Kerberos!

--Michael

 

[Joe Kaplan \(MVP - ADSI\)]

It is the Negotiate protocol, meaning that it will try to user Kerberos
first and will fail over to NTLM if Kerberos can't be negotiated. If both
client and server are Win2K+, Kerberos is probably being used. What I'm not
sure about is if there is an easy way to tell what got used.

I pulled this info on Pre-authentication from the WinHTTP MSDN docs that
might be helpful:
Preauthentication can be used with the following authentication schemes:
a.. Basic - always possible.
b.. Negotiate resolving into Kerberos - very likely possible; the only
exception is when the time-skews are off between the client and the domain
controller.
c.. (Negotiate resolving into NTLM) - never possible.
d.. NTLM - never possible.
e.. Digest - never possible.
f.. Passport - never possible; after the initial challenge-response,
WinHTTP uses cookies to pre-authenticate to Passport.

Joe K.

I modified my code to use WebRequest and set PreAuthenticate=True, and you
are right, it still won't preauthenticate with integrated windows
authentication. Now i'm wondering why? Would WebRequest be authenticating
with Kerberos or NTLM? I'd imagine it is using NTLM, and since that is
challenge/response that would make sense why I can't preauthenticate. I
don't even want to know what it would take to get WebRequest to use
Kerberos!

--Michael