HttpWebRequest over HTTPS with NTLM not working
I am trying to make an HttpWebRequest from an ASP.Net page on a server called SV-REQ against another IIS7 server called SV-RES. When I set IIS on SV-RES to use Digest, Basic, or Negotiate and make the change to the credential cache object to use the appropriate method, the code executes fine and I get a valid response from SV-RES confirming that the user credentials are correct. However, when I set IIS to use “Windows Authentication” on SV-RES I get back a 401 error when using NTLM in the credential cache object.
I am really at a loss and would appreciate if anyone has information for how to make this work.
Note: The server where this code is being executed is running under anonymous authentication over HTTP. The server getting the request is NTLM (as previously stated) over HTTPS as can be seen in the code below.
This is the code on SV-REQ that is being executed. SV-REQ is IIS7 and is configured for ASP.Net 2.0.
Imports System.Net

' muser, mpass and mdomain hold the account used against SV-RES; they are defined elsewhere in the code-behind (not shown).
Dim credCache As CredentialCache = New CredentialCache()
Dim mUri As Uri = New Uri("https://sv-res.my-domain-here.com/default.htm")
Dim mreq As HttpWebRequest = CType(WebRequest.Create(mUri), HttpWebRequest)
' Scope the NTLM credential to this URI only; the same call with "Basic", "Digest" or "Negotiate" succeeds against SV-RES.
credCache.Add(mUri, "NTLM", New NetworkCredential(muser, mpass, mdomain))
mreq.Credentials = credCache
Dim mres As HttpWebResponse = CType(mreq.GetResponse(), HttpWebResponse)
Here is the error I get back from SV-RES from the above code. SV-RES is also IIS7 configured for ASP.Net 2.0.
The remote server returned an error: (401) Unauthorized.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Net.WebException: The remote server returned an error: (401) Unauthorized.
Source Error:
Line 31: credCache.Add(mUri, "NTLM", New NetworkCredential(muser, mpass, mdomain))
Line 32: mreq.Credentials = credCache
Line 33: Dim mres As HttpWebResponse = mreq.GetResponse
Line 34: Dim sr As StreamReader = New StreamReader(mres.GetResponseStream())
Line 35: txtResult.Text = sr.ReadToEnd()
Source File: C:\inetpub\httproot\contentscan.aspx.vb Line: 33
Stack Trace:
[WebException: The remote server returned an error: (401) Unauthorized.]
System.Net.HttpWebRequest.GetResponse() +1126
contentscan.Page_Load(Object sender, EventArgs e) in C:\inetpub\httproot\contentscan.aspx.vb:33
System.Web.UI.Control.OnLoad(EventArgs e) +132
System.Web.UI.Control.LoadRecursive() +66
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428
Well after quite a bit of investigation I have found the problem here. Looks like it is related to a security update that doesn’t really get talked about very often and as such I have written up a post about it over on my site: http://www.tinyint.com/index.php/2009/08/24/401-error-on-httpwebrequest-with-ntlm-authentication/
The short of it though is that the security update patches a vulnerability in SMB and part of this involves a loopback check on the hostname when doing authentication requests. If you leave this loopback check enabled, you have to enter your hostname in the registry to be able to properly authenticate.
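The registry step the answer describes, as an added example (not code from the answer or its linked post): it registers only the host name being contacted, using the Windows BackConnectionHostNames value under the MSV1_0 key, which is the documented per-name alternative to switching the loopback check off for the whole machine. It assumes the host name from the question resolves to the local server (the case the loopback check covers) and an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Registers one host name so the NTLM
# loopback check passes for that name only, rather than disabling the check globally.
# Assumption: sv-res.my-domain-here.com resolves to this machine; run elevated.
$HostName  = 'sv-res.my-domain-here.com'
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'BackConnectionHostNames'   # REG_MULTI_SZ, one host name per entry

# Read the current list; the value does not exist until an administrator creates it.
$existing = @()
$item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $item) { $existing = @($item.$ValueName) }

if ($existing -contains $HostName) {
    Write-Host "$HostName is already registered; nothing to do."
} else {
    $updated = $existing + $HostName
    if ($null -eq $item) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString -Value $updated | Out-Null
    } else {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $updated
    }
    Write-Host "Registered $HostName. Restart the IISAdmin service (iisreset) for it to take effect."
}

# Check whether the broader switch is already set, so it can be reverted once the
# per-name entry is in place; with it on, the check is skipped for every name.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck=1 is set; the loopback check is off for all names on this machine.'
}
```

Any alias the site is reached by (short name, FQDN, CNAME) needs its own entry; names not listed still go through the check.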