与SSPI的INDY TIdHttp集成安全身份验证问题

Question

I'm trying to call a web service hosted on IIS with Windows Authentication security applied.

I'm using Delphi XE with INDY 10 and the TIdHttp component.

I can successfully call the web service if I pass in a valid username and password but I would like to use Integrated Security so that it automatically uses the credentials from the calling thread and does not require the user to manually input their details.

I've included IdAuthenticationSSPI in the uses clause and call the http request as:

IdHttp1.Request.BasicAuthentication := False;
IdHttp1.HTTPOptions := [hoInProcessAuth];
// IdHttp1.Request.Username := '...'; // including this works
// IdHttp1.Request.Password := '...'; // including this works

IdHttp1.Get(myURL, myOutputStream);

My understanding is that with IdAuthenticationSSPI it will impersonate the user of the calling thread if no credentials are passed.

I've seen comments on the atozedsoftware.newsgroups website that suggest this is possible but unfortunately I get a "HTTP/1.1 401 Unauthorized".

Does anyone have any suggestions?

Answer 1

Following on from Remy Lebeau's comment it appears this is not possible with INDY until a known issue is fixed.

I've solved my issue in another way and I'll post it here in case anyone else is interested.

First I imported the WinHTTP type library (C:\\Windows\\system32\\winhttp.dll) and added WinHttp_TLB to the uses clause.

Then I used it like this:

var
    http: IWinHttpRequest;
    url: String;
begin
    url := 'my web service';
    http := CoWinHttpRequest.Create;
    try
        http.SetAutoLogonPolicy(0); // Enable SSO
        http.Open('GET', url, False);
        http.Send(EmptyParam);
        ShowMessage(http.ResponseText);
    finally
        http := nil;
    end;
end;