TFS rest api authorizing GET but not PATCH

Question

I'm trying to change the status for a work item using the rest API provided by my TFS 2015 Update 3 (on premises). When I try to get the list of my items, everything works fine:

var client = new RestClient(uri);
client.Authenticator = new HttpBasicAuthenticator(this.TFSUsername, this.SecurityToken);
var request = new RestRequest(Method.GET);
request.AddHeader("cache-control", "no-cache");

IRestResponse response = client.Execute(request);

After I get this answer and I have all the information I need, I was going to update the status of one of these work items.

Using the same approach (and of course, the same credential), I'm getting the 401 status code, as I was trying to do it anonymously .

The only difference is that I'm using the verb PATCH (as documentation said I have to) and that I'm passing a body to identify what status I want to edit.

This is the code I'm using for the edit:

var client = new RestClient(uri);
client.Authenticator = new HttpBasicAuthenticator(this.TFSUsername, this.SecurityToken);
var request = new RestRequest(Method.PATCH);
request.AddHeader("cache-control", "no-cache");

string body = @"
  {
   'op':'add',
   'path':'/fields/System.State',
   'value':'Closed'
  }";
request.AddJsonBody(body);
IRestResponse response = client.Execute(request);

Any hints on why just changing the HTTP VERB is causing me this authorization issue?

Trying to do it with Postman is causing me the same issue.

UPDATE:

looking at the response header, I noticed this:

X-TFS-ProcessId →e2b98235-1d3a-4bb7-868f-0d91805aa307
ActivityId →08909688-ac81-4c37-9cea-b47e84fd3efe
X-TFS-Session →08909688-ac81-4c37-9cea-b47e84fd3efe
X-VSS-E2EID →08909688-ac81-4c37-9cea-b47e84fd3efe
X-FRAME-OPTIONS →SAMEORIGIN
WWW-Authenticate →Basic realm="http://xxxxxxx/tfs"
WWW-Authenticate →Negotiate
WWW-Authenticate →NTLM
X-Powered-By →ASP.NET
P3P →CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"
Lfs-Authenticate →NTLM
X-Content-Type-Options →nosniff
Date →Thu, 28 Feb 2019 00:20:57 GMT
Content-Length →0

What caught my attention was:

WWW-Authenticate →Basic realm="http://xxxxxxx/tfs"

WWW-Authenticate →Negotiate

WWW-Authenticate →NTLM

So it would support Basic authentication as the Get, but is not working. Are "Negotiate" and "NTLM" interfere somehow?

Thanks

Answer 1

After a lot of trying, I found out that the solution is pretty easy.

To make it work from the Authentication point of view, it's enough to use the NtlmAuthenticator (with Username and password) instead of the HttpBasicAuthenticator (even though is working for the get). I replaced my authenticator with NtlmAuthenticator for both get and patch and now is working fine.

var client = new RestClient(uri);
client.Authenticator = new NtlmAuthenticator(this.TFSUsername, this.TFSPassword);

The other tricky part that I found out (not precisely linked to the authentication) is that for the PATCH the content type has to be application/json-patch+json

Hope it helps