How to get HttpClient to pass credentials along with the request

Question

I have a web application  hosted in IIS  that talks to a Windows service  The Windows service is using the ASP Net MVC Web API  self-hosted   and so can be communicated with over http using JSON  The web application is configured to do impersonation  the idea being that the user who makes the request to the web application should be the user that the web application uses to make the request to the service  The structure looks like this      The user highlighted in red is the user being referred to in the examples below      The web application makes requests to the Windows service using an HttpClient   var httpClient   new HttpClient new HttpClientHandler                                                      UseDefaultCredentials   true                           httpClient GetStringAsync  http   localhost some endpoint       This makes the request to the Windows service  but does not pass the credentials over correctly  the service reports the user as IIS APPPOOL ASP NET 4 0   This is not what I want to happen   If I change the above code to use a WebClient instead  the credentials of the user are passed correctly   WebClient c   new WebClient                                             UseDefaultCredentials   true                       c DownloadStringAsync new Uri  http   localhost some endpoint        With the above code  the service reports the user as the user who made the request to the web application   What am I doing wrong with the HttpClient implementation that is causing it to not pass the credentials correctly  or is it a bug with the HttpClient    The reason I want to use the HttpClient is that it has an async API that works well with Tasks  whereas the WebClient s asyc API needs to be handled with events

User · Accepted Answer

I was also having this same problem  I developed a synchronous solution thanks to the research done by  tpeczek in the following SO article  Unable to authenticate to ASP NET Web Api service with HttpClient  My solution uses a WebClient  which as you correctly noted passes the credentials without issue   The reason HttpClient doesn t work is because of Windows security disabling the ability to create new threads under an impersonated account  see SO article above    HttpClient creates new threads via the Task Factory thus causing the error   WebClient on the other hand  runs synchronously on the same thread thereby bypassing the rule and forwarding its credentials   Although the code works  the downside is that it will not work async   var wi    System Security Principal WindowsIdentity HttpContext Current User Identity   var wic   wi Impersonate    try       var data   JsonConvert SerializeObject new               Property1   1          Property2    blah               using  var client   new WebClient   UseDefaultCredentials   true                  client Headers Add HttpRequestHeader ContentType   application json  charset utf-8            client UploadData  http   url api controller    POST   Encoding UTF8 GetBytes data            catch  Exception exc           handle exception   finally       wic Undo        Note  Requires NuGet package  Newtonsoft Json  which is the same JSON serializer WebAPI uses

User · Answer

In  NET Core  I managed to get a System Net Http HttpClient with UseDefaultCredentials   true to pass through the authenticated user s Windows credentials to a back end service by using WindowsIdentity RunImpersonated   HttpClient client   new HttpClient new HttpClientHandler   UseDefaultCredentials   true      HttpResponseMessage response   null   if  identity is WindowsIdentity windowsIdentity        await WindowsIdentity RunImpersonated windowsIdentity AccessToken  async      gt                var request   new HttpRequestMessage HttpMethod Get  url          response   await client SendAsync request

User · Answer

It worked for me after I set up a user with internet access in the Windows service   In my code   HttpClientHandler handler   new HttpClientHandler    handler Proxy   System Net WebRequest DefaultWebProxy  handler Proxy Credentials   System Net CredentialCache DefaultNetworkCredentials        HttpClient httpClient   new HttpClient handler

User · Answer

Ok so I took Joshoun code and made it generic  I am not sure if I should implement singleton pattern on SynchronousPost class  Maybe someone more knowledgeble can help     Implementation   I assume you have your own concrete type  In my case I have am using code first with a class called FileCategory  FileCategory x   new FileCategory   CategoryName    Some Bs    SynchronousPost lt FileCategory gt test  new SynchronousPost lt FileCategory gt     test PostEntity x    api ApiFileCategories       Generic Class here  You can pass any type   public class SynchronousPost lt T gt where T  class               public SynchronousPost                         Client   new WebClient   UseDefaultCredentials   true                       public void PostEntity T PostThis string ApiControllerName   The ApiController name should be   api MyName                           this just determines the root url               Client BaseAddress   string Format                         System Web HttpContext Current Request Url Port    80      0     1   2       0     1                System Web HttpContext Current Request Url Scheme              System Web HttpContext Current Request Url Host              System Web HttpContext Current Request Url Port                           Client Headers Add HttpRequestHeader ContentType   application json charset utf-8                Client UploadData                                   ApiControllerName   Post                                     Encoding UTF8 GetBytes                                                                        JsonConvert SerializeObject PostThis                                                                                         private WebClient Client    get  set            My Api classs looks like this  if you are curious  public class ApiFileCategoriesController   ApiBaseController       public ApiFileCategoriesController IMshIntranetUnitOfWork unitOfWork                UnitOfWork   unitOfWork             public IEnumerable lt FileCategory gt  GetFiles                 return UnitOfWork FileCategories GetAll   OrderBy x  gt x CategoryName             public FileCategory GetFile int id                return UnitOfWork FileCategories GetById id               Post api ApileFileCategories      public HttpResponseMessage Post FileCategory fileCategory                UnitOfWork FileCategories Add fileCategory           UnitOfWork Commit             return new HttpResponseMessage              I am using ninject  and repo pattern with unit of work  Anyways  the generic class above really helps

User · Answer

What you are trying to do is get NTLM to forward the identity on to the next server  which it cannot do - it can only do impersonation which only gives you access to local resources  It won t let you cross a machine boundary  Kerberos authentication supports delegation  what you need  by using tickets  and the ticket can be forwarded on when all servers and applications in the chain are correctly configured and Kerberos is set up correctly on the domain   So  in short you need to switch from using NTLM to Kerberos    For more on Windows Authentication options available to you and how they work start at  http   msdn microsoft com en-us library ff647076 aspx

User · Answer

OK  so thanks to all of the contributors above  I am using  NET 4 6 and we also had the same issue  I spent time debugging System Net Http  specifically the HttpClientHandler  and found the following       if  ExecutionContext IsFlowSuppressed                IWebProxy webProxy    IWebProxy  null        if  this useProxy          webProxy   this proxy    WebRequest DefaultWebProxy        if  this UseDefaultCredentials    this Credentials    null    webProxy    null  amp  amp  webProxy Credentials    null          this SafeCaptureIdenity state           So after assessing that the ExecutionContext IsFlowSuppressed   might have been the culprit  I wrapped our Impersonation code as follows   using    WindowsIdentity ExecutionContext Current Identity  Impersonate    using  System Threading ExecutionContext SuppressFlow             HttpClient code goes here      The code inside of SafeCaptureIdenity  not my spelling mistake   grabs WindowsIdentity Current   which is our impersonated identity  This is being picked up because we are now suppressing flow  Because of the using dispose this is reset after invocation   It now seems to work for us  phew

User · Answer

You can configure HttpClient to automatically pass credentials like this   var myClient   new HttpClient new HttpClientHandler     UseDefaultCredentials   true

[c#] How to get HttpClient to pass credentials along with the request?

Examples related to c#

Examples related to asp.net-web-api

Examples related to impersonation

Examples related to windows-security