stackoom
  简体   繁体   中英

C# WebClient NTLM authentication starting for each request

 原文  2016-09-30 08:51:14       c#/ .net/ authentication/ webclient/ ntlm

Question

Consider a simple C# NET Framework 4.0 application, that:

  • uses WebClient
  • authenticates using NTLM (tested on IIS 6.0 and IIS 7.5 server)
  • retrieves a string from an URL multiple times using DownloadString()

Here's a sample that works fine: 

using System;
using System.Net;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            string URL_status = "http://localhost/status";

            CredentialCache myCache = new CredentialCache();
            myCache.Add(new Uri(URL_status), "NTLM", new NetworkCredential("username", "password", "domain"));

            WebClient WebClient = new WebClient();
            WebClient.Credentials = myCache;

            for (int i = 1; i <= 5; i++)
            {
                string Result = WebClient.DownloadString(new Uri(URL_status));
                Console.WriteLine("Try " + i.ToString() + ": " + Result);
            }

            Console.Write("Done");
            Console.ReadKey();
        }
    }
}

The problem:

When enabling tracing I see that the NTLM authentication does not persist.

Each time Webclient.DownloadString is called, NTLM authentication starts (server returns "WWW-Authenticate: NTLM" header and the whole authenticate/authorize process repeats; there is no "Connection: close" header).

Wasn't NTLM supposed to authenticate a connection, not a request?

Is there a way to make WebClient reuse an existing connection to avoid having to re-authenticate each request?

2 answers

solution1
 15 ACCPTED  2016-10-10 17:29:00

After 10 days of trying everything I could think of and learning a lot in the process, I finally figured a fix for this issue.

The trick is to enable UnsafeAuthenticatedConnectionSharing by overriding GetWebRequest and setting the property to true in the HttpWebRequest you get back.

You may want to combine that with the ConnectionGroupName property to avoid the potential use of the connection by unauthenticated applications.

Here is the sample from the question modified to work as expected. It opens a single NTLM authenticated connection and reuses it: 

using System;
using System.Net;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            string URL_status = "http://localhost/status";

            CredentialCache myCache = new CredentialCache();
            myCache.Add(new Uri(URL_status), "NTLM", new NetworkCredential("username", "password", "domain"));

            MyWebClient webClient = new MyWebClient();
            webClient.Credentials = myCache;

            for (int i = 1; i <= 5; i++)
            {
                string result = webClient.DownloadString(new Uri(URL_status));
                Console.WriteLine("Try {0}: {1}", i, result);
            }

            Console.Write("Done");
            Console.ReadKey();
        }
    }

    public class MyWebClient : WebClient
    {
        protected override WebRequest GetWebRequest(Uri address)
        {
            WebRequest request = base.GetWebRequest(address);

            if (request is HttpWebRequest) 
            {
                var myWebRequest = request as HttpWebRequest;
                myWebRequest.UnsafeAuthenticatedConnectionSharing = true;
                myWebRequest.KeepAlive = true;
            }

            return request;
        }
    }   
}

At this point I would also like to thank @Falco Alexander for all the help; while his suggestions didn't quite work for me, he did point me in the right direction to look for and finally find the answer.

solution2
 1  2016-09-30 09:48:43

Check your IIS's setting, though that should be default. 

<windowsAuthentication
   enabled="True"
   authPersistSingleRequest="False"
   UseKernelMode>

</windowsAuthentication> 

Ref: https://msdn.microsoft.com/en-us/library/aa347472.aspx

Did you check the zone your localhost IIS is in? This was also a pitfall from the client side in the past when working with WinInet. Check that default behaviour of WebClient .

Edit:

After reproducing the error, I could figure out it's the missing NTLM preauthentication implementation of WebClient that keeps you from a single 401 request: 

var WebClient = new PreAuthWebClient();
WebClient.Credentials = new NetworkCredential("user", "pass","domain");

//Do your GETs 

Public class PreAuthWebClient: WebClient
{
    protected override WebRequest GetWebRequest (Uri address)
    {
        WebRequest request = (WebRequest) base.GetWebRequest (address);
        request.PreAuthenticate = true;
        return request;
  }
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question NTLM request in C# and php C# to Teamcity NTLM Authentication failing C# WebClient HTTPS Authentication Policy c# application with http interface needs to implement NTLM authentication C# WebClient upload JSON in POST request Add request headers with WebClient C# POST request using C# WebClient Force Azure Re-Authentication for each request in C# C# WebClient HTTP Basic Authentication Failing 401 with Correct Credentials The HTTP request is unauthorized with client authentication scheme 'Ntlm'
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM