IIS and HttpListener (.NET) with windows authentication

Tags: http, iis, ntlm, windows-authentication

I have a question about Windows authentication with IIS and HttpListener.

I have the following setup (all installed on the same Windows 8.1 box, no outside communication). All requests are sent as http://localhost/……

IIS

ASP.Net web application authentication

Anonymous: Disabled 
Windows Authentication: Enabled

.NET HttpListener

Running as a service under the Local System account, with Windows authentication enabled:

this.httpListener = new HttpListener();
this.httpListener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;

UWP Application (Windows 8.1)

The UWP application is just like a web browser: it has a WebView control to display web content.

The following capabilities are enabled:

  • Enterprise Authentication
  • Internet (Client)
  • Location
  • Private Networks (Client & Server)

Problem

When I navigate from the UWP app to the IIS web app, it asks for credentials by popping up a Windows dialog box. This is annoying from the user-experience perspective because the user is logged in with the same credentials. But when I access the HttpListener, it authenticates correctly and no credentials are required.

I also checked the requests with Fiddler. The initial request is identical, but in the next steps of the IIS exchange it keeps asking for NTLM:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate oYHOMIHLoAMKAQGhDAYKKwYBBAGCNwICC........
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET

Initial Request/Response

IIS

Request

GET http://localhost/webapp_net/ HTTP/1.1
Accept-Encoding: gzip, deflate
Host: localhost
Connection: Keep-Alive

Response

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Date: Tue, 20 Nov 2018 21:37:24 GMT
Content-Length: 6016
Proxy-Support: Session-Based-Authentication

HttpListener

Request

GET http://localhost/appman HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-NZ
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; WebView/2.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: localhost

Response

HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Tue, 20 Nov 2018 21:37:18 GMT
Proxy-Support: Session-Based-Authentication

Does anyone have a similar experience or an explanation for this?

Best Answer

I have an explanation for this: you are attempting to achieve Single Sign-On (SSO) using the Negotiate / Integrated Windows Authentication mechanism. This will not work with the Local Security Authority by itself. Negotiate attempts to use Kerberos authentication first, and falls back to NTLM if Kerberos is not configured. Kerberos is a Windows authentication mechanism that requires a Key Distribution Center, which is provided by Microsoft's Active Directory for domain-joined computers. SSO to an IIS server using Integrated Windows Authentication can only be accomplished using the Kerberos protocol. NTLM is a challenge-response authentication mechanism, which will prompt for credentials on each request.

Sources:

https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios
https://msdn.microsoft.com/en-us/library/cc247021.aspx
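The answer's point (Negotiate picks Kerberos when a KDC is reachable and otherwise drops to NTLM) can be read straight out of the Fiddler capture: the token after "Negotiate" is a SPNEGO message, and its supportedMech OID names the mechanism the server actually selected. In the challenge shown in the question, the visible prefix decodes to a NegTokenResp with negState accept-incomplete and a supportedMech OID under 1.3.6.1.4.1.311.2.2 (Microsoft's mechanism arc, where .10 is NTLMSSP), which is consistent with an NTLM fallback rather than Kerberos. The following decoder is an added example, not code from the question or the answer; it uses only the Python standard library, and the sample tokens it parses are constructed inline by the build_* helpers (labelled as such in the code) because the token on the page is truncated.

```python
import base64

# SPNEGO (RFC 4178) and the GSS-API mechanism OIDs Windows negotiates.
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value triple; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, body):
    """DER-encode tag + length + body (only used to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def parse_negotiate_token(b64):
    """Decode the base64 token after 'Negotiate ' in an Authorization (client,
    NegTokenInit) or WWW-Authenticate (server, NegTokenResp) header."""
    data = base64.b64decode(b64)
    if data.startswith(NTLMSSP_SIGNATURE):         # bare NTLM message, no SPNEGO wrapper
        return {"kind": "raw NTLMSSP", "is_ntlm": True}
    tag, body, _ = _read_tlv(data, 0)
    if tag == 0x60:                                # [APPLICATION 0] InitialContextToken
        otag, oid, pos = _read_tlv(body, 0)
        if otag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
            raise ValueError("not an SPNEGO token")
        _, init, _ = _read_tlv(body, pos)          # [0] NegTokenInit
        _, seq, _ = _read_tlv(init, 0)             # SEQUENCE
        out = {"kind": "NegTokenInit", "mechTypes": [], "mechToken": None}
        pos = 0
        while pos < len(seq):
            ctag, cbody, pos = _read_tlv(seq, pos)
            if ctag == 0xA0:                       # mechTypes [0] SEQUENCE OF OID, client preference order
                _, lst, _ = _read_tlv(cbody, 0)
                p = 0
                while p < len(lst):
                    _, o, p = _read_tlv(lst, p)
                    out["mechTypes"].append(MECH_NAMES.get(_decode_oid(o), _decode_oid(o)))
            elif ctag == 0xA2:                     # mechToken [2] OCTET STRING (first mech's token)
                _, tok, _ = _read_tlv(cbody, 0)
                out["mechToken"] = tok
        out["offers_kerberos"] = any(m.startswith("Kerberos") for m in out["mechTypes"])
        return out
    if tag == 0xA1:                                # [1] NegTokenResp
        _, seq, _ = _read_tlv(body, 0)
        out = {"kind": "NegTokenResp", "negState": None, "supportedMech": None, "responseToken": None}
        pos = 0
        while pos < len(seq):
            ctag, cbody, pos = _read_tlv(seq, pos)
            if ctag == 0xA0:                       # negState [0] ENUMERATED
                _, v, _ = _read_tlv(cbody, 0)
                out["negState"] = NEG_STATE.get(v[0], v[0])
            elif ctag == 0xA1:                     # supportedMech [1] OID: what the server chose
                _, o, _ = _read_tlv(cbody, 0)
                out["supportedMech"] = MECH_NAMES.get(_decode_oid(o), _decode_oid(o))
            elif ctag == 0xA2:                     # responseToken [2] OCTET STRING
                _, tok, _ = _read_tlv(cbody, 0)
                out["responseToken"] = tok
        out["is_ntlm"] = (out["supportedMech"] == "NTLMSSP"
                          or (out["responseToken"] or b"").startswith(NTLMSSP_SIGNATURE))
        return out
    raise ValueError("unrecognised token tag 0x%02x" % tag)


def build_server_challenge():
    """Constructed sample (not from the page): a NegTokenResp like a non-domain IIS sends,
    negState accept-incomplete, supportedMech NTLMSSP, and an NTLM CHALLENGE (type 2) stub."""
    ntlm_type2 = NTLMSSP_SIGNATURE + (2).to_bytes(4, "little") + bytes(24)
    seq = (_tlv(0xA0, _tlv(0x0A, b"\x01"))
           + _tlv(0xA1, _tlv(0x06, _encode_oid("1.3.6.1.4.1.311.2.2.10")))
           + _tlv(0xA2, _tlv(0x04, ntlm_type2)))
    return base64.b64encode(_tlv(0xA1, _tlv(0x30, seq))).decode()


def build_client_init(mech_oids):
    """Constructed sample: a NegTokenInit offering mech_oids, carrying an NTLM NEGOTIATE (type 1) stub."""
    ntlm_type1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + bytes(24)
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(m)) for m in mech_oids))
    seq = _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, ntlm_type1))
    inner = _tlv(0x06, _encode_oid(SPNEGO_OID)) + _tlv(0xA0, _tlv(0x30, seq))
    return base64.b64encode(_tlv(0x60, inner)).decode()


if __name__ == "__main__":
    print(parse_negotiate_token(build_server_challenge()))
    print(parse_negotiate_token(build_client_init(
        ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])))
```

To use it on a real capture, paste the base64 after "Negotiate " from the client's Authorization header and from the server's 401 into parse_negotiate_token: a client NegTokenInit whose mechTypes lead with Kerberos but whose mechToken already starts with "NTLMSSP" shows the client had no ticket to offer (no KDC, as in the question's standalone box), and a server NegTokenResp with supportedMech NTLMSSP confirms the fallback the answer describes.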