I have a question about Windows authentication with IIS and HttpListener
I have the following setup (All installed in same Windows 8.1 box. No outside communication). All requests are sent as http://localhost/……
IIS
ASP.Net web application authentication
Anonymous: Disabled
Windows Authentication: Enabled
.NET HttpListener
running as a Service under the Local System account, with Windows authentication enabled
// Listener created inside the Windows service (runs as Local System)
using System.Net;
this.httpListener = new HttpListener();
// Negotiate/NTLM: the same schemes IIS offers in its WWW-Authenticate headers
this.httpListener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;
UWP Application (Windows 8.1)
UWP Application is just like a web browser. It has WebView control to see web contents.
The following capabilities are enabled
- Enterprise Authentication
- Internet (Client)
- Location
- Private Networks (Client & Server)
Problem
When I navigate from the UWP app to the IIS web app, it asks for credentials by popping up a Windows dialog box. This is annoying from a user-experience perspective because the user is logged in with the same credentials. But when I access the HttpListener it authenticates correctly and no credentials are required.
I also checked the requests through Fiddler. The initial request is identical, but in the next steps of the IIS request it keeps asking for NTLM.
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate oYHOMIHLoAMKAQGhDAYKKwYBBAGCNwICC........
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Initial Request/Response
IIS
Request
GET http://localhost/webapp_net/ HTTP/1.1
Accept-Encoding: gzip, deflate
Host: localhost
Connection: Keep-Alive
Response
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Date: Tue, 20 Nov 2018 21:37:24 GMT
Content-Length: 6016
Proxy-Support: Session-Based-Authentication
HttpListener
Request
GET http://localhost/appman HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-NZ
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; WebView/2.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: localhost
Response
HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Tue, 20 Nov 2018 21:37:18 GMT
Proxy-Support: Session-Based-Authentication
Does anyone have a similar experience or an explanation for this?
Best Answer
I have an explanation for this: you are attempting to achieve Single Sign-On (SSO) using the Negotiate / Integrated Windows Authentication mechanism. This will not work with the Local Security Authority by itself. Negotiate attempts to use Kerberos authentication first, and falls back to NTLM if Kerberos is not configured. Kerberos is a Windows authentication mechanism that requires a Key Distribution Center, which is provided by Microsoft's Active Directory for domain-joined computers. SSO to an IIS server using Integrated Windows Authentication can only be accomplished using the Kerberos protocol. NTLM is a challenge-response authentication mechanism, which will prompt for credentials on each request.
Sources:
https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios
https://msdn.microsoft.com/en-us/library/cc247021.aspx