ASP.NET Web API - NTLM authentication and HTTPS

Question

I have the following configuration:

self-hosted ASP.NET Web API
ASP.NET MVC 3 web application

Web app [2] comunicates with Web API [1] over HTTPS. They both (for now) live on the same machine.

Http binding for the Web API [1] is configured like that:

httpBinding.Security.Mode = HttpBindingSecurityMode.Transport; httpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
httpBinding.TransferMode = TransferMode.Streamed

I cannot make it work using https AND ntlm authorization.

If I communicate over plain http it works and I'm properly authenticated
If I communicate over https it gives me "401 Unauthorized" error for all controller actions which have [Authorize] tag (it works for actions which do not require authorization though)

Why changing ONLY the transport protocol (from http to https) stops NTLM authentication from working?

Thanks for any help with that!

just one thing to clarify - HTTPS is used between web app and web api, NOT between web app and the browser — Jacek Nowak, Jan 14 '13 at 10:46
Yes, System.Web.Http.AuthorizeAttribute . It works properly when http is used for transport. Only changing this to https breaks the authorization... — Jacek Nowak, Jan 15 '13 at 16:27

score 2 · Answer 1 · answered Jan 06 '15 at 00:25

@Jacek Nowak I have run into the same problem myself and today I just came across the answer which is detailed in the following post.

Below is how I would code it up.

public class NTLMSelfHostConfiguration : HttpSelfHostConfiguration
{
    public NTLMSelfHostConfiguration(string baseAddress) : base(baseAddress) { }
    public NTLMSelfHostConfiguration(Uri baseAddress) : base(baseAddress) { }
    protected override BindingParameterCollection OnConfigureBinding(HttpBinding httpBinding)
    {
        httpBinding.Security.Mode = HttpBindingSecurityMode.TransportCredentialOnly;
        httpBinding.Security.Transport.ClientCredentialType = System.ServiceModel.HttpClientCredentialType.Ntlm;
        httpBinding.ConfigureTransportBindingElement = 
            element => element.AuthenticationScheme = 
                System.Net.AuthenticationSchemes.IntegratedWindowsAuthentication;
        return base.OnConfigureBinding(httpBinding);
    }
}


public static class Program()
{
    public static void main(string[] args)
    {
        var config = new NTLMSelfHostConfiguration("https://localhost/");            
        config.Routes.MapHttpRoute("Main",
                                    "api/{controller}");

        var server = new HttpSelfHostServer(config);

        server.OpenAsync().Wait();

        Console.WriteLine("Running");
        Console.ReadLine();

        server.CloseAsync().Wait();


    }
}

ASP.NET Web API - NTLM authentication and HTTPS

1 Answers1