How to negotiate authenication with HttpWebRequest

  • Thread starter Thread starter Roy Chastain
  • Start date Start date
R

Roy Chastain

I have the following code.
Basically it attempts to connect without authentication and if that fails, it is to attempt supplied and/or default credentials.
It does not work. If I capture the traffic on the network, the code below only results in 1 GET Request being sent to the server
even though it does go through the loop and the call to wc_request.GetResponse() is done 3 times as expected.

See line with <------ If I remove the null and use CredentialCache.DefaultCredentials it works on the first pass through the
loop, but I don't really want to do that.

What are the correct steps to get the HttpWebRequest to actually send the 2nd and 3rd GET Request packets?
(PS. Are the error_response.Close() actually doing anything useful?)

private void TryConnect ()
{
HttpWebResponse error_response;
bool authorized = false;

while (! authorized)
{
try
{
if (Authorization == ConnectAuthorization_Type.CA_Provided)
if (Credentials != null)
wc_request.Credentials = Credentials;
else
{
Authorization = ConnectAuthorization_Type.CA_Default;
wc_request.Credentials = CredentialCache.DefaultCredentials;
}
else
if (Authorization == ConnectAuthorization_Type.CA_Default)
wc_request.Credentials = CredentialCache.DefaultCredentials;
else
wc_request.Credentials = null; //CredentialCache.DefaultCredentials; <---------
wc_response = (HttpWebResponse)(wc_request.GetResponse());
authorized = true;
}
catch (WebException ex)
{
if (ex.Status == WebExceptionStatus.ProtocolError)
{
error_response = (HttpWebResponse)ex.Response;
if (error_response.StatusCode == HttpStatusCode.Unauthorized)
{
if (Authorization == ConnectAuthorization_Type.CA_Default)
{
error_response.Close();
throw ex;
}
if (Authorization == ConnectAuthorization_Type.CA_None)
{
error_response.Close();
Authorization = ConnectAuthorization_Type.CA_Provided;
}
else
if (Authorization == ConnectAuthorization_Type.CA_Provided)
{
error_response.Close();
Authorization = ConnectAuthorization_Type.CA_Default;
}
continue;
}
}
throw ex;
}
}
} /* method WebConnect TryConnect */
 
Hi Roy,

We have reviewed this issue and are currently researching on it. We will
update you ASAP. Thanks for your patience!

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."
 
Hi Roy,

As for the HttpWebRequest, it will automatically do the 1,2,3 requests
internally if we supply the Credentials to the Credentials property. In
fact, we can use some trace tools(such as the Soaptoolkit's trace utility)
to montior the underlying connection. By default, since the
"PreAuthenticate" is set to false, when we provide a valid credential, the
httpwebrequest will send the 3 Get Requests, anonymous, authentiate with
credentials, and actual request(with data returned). If the
"PreAuthenticate" is set to false , only 2nd and 3rd will occur.

So if you need to prevent the Httpwebrequet from auto send ing authenticate
credentials (the 2nd get request), you should keep the Credentials property
as null.

Thanks & Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Well, this does still not quite solve the problem. I really would like to just attempt the default credentials and then try some
other credentials if the default credentials fail. I believe the bottom line question is how do I 'reset', the HttpWebRequest
object so that it will try everything again.

Thanks
 
Hi Roy,

Thanks for your followup.
When we attache the default credentials and send request , if fails, we
should close that request and then construct a new httpwebrequest object
and attach the new credential. If we still use the former one, the
credential will remain the old one and the request may fail again.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Back
Top