
I have a question about Windows authentication with IIS and HttpListener

I have the following setup (all installed on the same Windows 8.1 box; no outside communication). All requests are sent as http://localhost/......

IIS

ASP.Net web application authentication

Anonymous: Disabled 
Windows Authentication: Enabled

.NET HttpListener

Running as a service under the Local System account, with Windows authentication enabled:

this.httpListener = new HttpListener();
this.httpListener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;

UWP Application (Windows 8.1)

The UWP application is just like a web browser: it has a WebView control to display web content.

The following capabilities are enabled

  • Enterprise Authentication
  • Internet (Client)
  • Location
  • Private Networks (Client & Server)

Problem

When I navigate from the UWP app to the IIS web app, it asks for credentials by popping up a Windows dialog box. This is annoying from a user-experience perspective, because the user is already logged in with the same credentials. But when I access the HttpListener, it authenticates correctly and no credentials are required.

I also checked the requests through Fiddler. The initial request is identical, but in the subsequent steps of the IIS request it keeps asking for NTLM.

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate oYHOMIHLoAMKAQGhDAYKKwYBBAGCNwICC........
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET

Initial Request/Response

IIS

Request

GET http://localhost/webapp_net/ HTTP/1.1
Accept-Encoding: gzip, deflate
Host: localhost
Connection: Keep-Alive

Response

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Date: Tue, 20 Nov 2018 21:37:24 GMT
Content-Length: 6016
Proxy-Support: Session-Based-Authentication

HttpListener

Request

GET http://localhost/appman HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-NZ
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; WebView/2.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: localhost

Response

HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Tue, 20 Nov 2018 21:37:18 GMT
Proxy-Support: Session-Based-Authentication

Does anyone have a similar experience or an explanation for this?

Humberto Castellon
DineshNS

1 Answer


I have an explanation for this: you are attempting to achieve single sign-on (SSO) using the Negotiate / integrated Windows authentication mechanism. This will not work with the Local Security Authority by itself. Negotiate attempts to use Kerberos authentication first, and falls back to NTLM if Kerberos is not configured. Kerberos is a Windows authentication mechanism that requires a Key Distribution Center, which is provided by Microsoft's Active Directory for domain-joined computers. SSO to an IIS server using integrated Windows authentication can only be accomplished using the Kerberos protocol. NTLM is a challenge-response authentication mechanism, which will prompt for credentials on each request.

Sources:

https://docs.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios
https://msdn.microsoft.com/en-us/library/cc247021.aspx

EPJK1337

  • Thank you very much for the reply. I have one question: how is the HttpListener working? – DineshNS Nov 29 '18 at 02:05
  • It actually doesn't look like it is working, at least as intended. Your post indicates a HTTP/1.1 401 Unauthorized response; if you are able to access resources through the HttpListener, it is most likely falling back to anonymous authentication. – EPJK1337 Nov 30 '18 at 15:21
  • Yes, in the description it is 401. Then it negotiates with keys in the following responses (not included in the description) and requests, and finally gets a 200 response. – DineshNS Dec 03 '18 at 22:27
  • Response: HTTP/1.1 401 Unauthorized Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM Date: Mon, 03 Dec 2018 00:27:55 GMT Proxy-Support: Session-Based-Authentication – DineshNS Dec 03 '18 at 22:27
  • 2nd request: GET http://localhost/AppMan/js/knockout-min.js HTTP/1.1 ... Authorization: Negotiate YHMGBisGAQUFAqBpMG............. – DineshNS Dec 03 '18 at 22:29
  • 2nd response: HTTP/1.1 401 Unauthorized Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 WWW-Authenticate: Negotiate oYHOMIHLoAMKAQGhDAYK.... – DineshNS Dec 03 '18 at 22:30
  • 3rd request: GET http://localhost/AppMan/js/knockout-min.js HTTP/1.1.... Authorization: Negotiate oXcwdaADCgEBoloEWE5UT...... Host: localhost – DineshNS Dec 03 '18 at 22:30
  • 3rd response: HTTP/1.1 200 OK Content-Length: 60354 Content-Type: application/x-javascript Server: Microsoft-HTTPAPI/2.0 WWW-Authenticate: oRswGaA.... Date: Mon, 03 Dec 2018 00:27:56 GMT – DineshNS Dec 03 '18 at 22:31
  • See if this article helps at all; specifically, look at the 'auth' tab in Fiddler and see what is going on with IIS, and also check and make sure the IIS configuration is in 'Kernel Mode': https://blogs.msdn.microsoft.com/ieinternals/2011/07/06/integrated-windows-authentication/ Maybe the HTTPAPI is able to take cached NTLM credentials and IIS is not; from my experience I have never gotten IIS to do SSO Windows authentication with NTLM, only Kerberos. – EPJK1337 Dec 06 '18 at 17:12