ASP.NET Web API Self-Host with Windows Authentication
Solution 1
I've hit this issue as well and the only solution I've came up with is to deliver dedicated HttpSelfHostedConfiguration:
public class NtlmSelfHostConfiguration : HttpSelfHostConfiguration
{
public NtlmSelfHostConfiguration(string baseAddress)
: base(baseAddress)
{ }
public NtlmSelfHostConfiguration(Uri baseAddress)
: base(baseAddress)
{ }
protected override BindingParameterCollection OnConfigureBinding(HttpBinding httpBinding)
{
httpBinding.Security.Mode = HttpBindingSecurityMode.TransportCredentialOnly;
httpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
return base.OnConfigureBinding(httpBinding);
}
}
To use it you just need to change one line (you don't need to set UseWindowsAuthentication anymore):
var config = new NtlmSelfHostConfiguration("http://myComputerName:8080");
The only issue with this approach is that authentication is now required for every request made to server which is using this configuration.
Solution 2
i have hosted "Web API" in windows service and this is what i did to support windows authentication (basically based on above question, answers, some related articles - i am just consolidating as it may be helpful for others)
@HTTP Server (web api):
Set (reference: http://msdn.microsoft.com/en-us/library/system.web.http.selfhost.httpselfhostconfiguration.clientcredentialtype(v=vs.118).aspx),
HttpSelfHostConfiguration.ClientCredentialType = System.ServiceModel.HttpClientCredentialType.Windows;
@Client:
And then as Allan mentioned (above) set UseDefaultCredentials to true.
Using HttpClient:
var handler = new HttpClientHandler();
handler.UseDefaultCredentials = true;
_httpClient = new HttpClient(handler);
Using WebClient (reference: http://msdn.microsoft.com/en-us/library/system.net.webclient.usedefaultcredentials.aspx )
set webclient's usedefaultcrednetials to 'true'.
Best Regards!
Solution 3
I am a little late to this. However, if you are using Owin to self host and need windows auth. In your startup class you can add the following.
public class Startup
{
public void Configuration(IAppBuilder app)
{
HttpListener listener = (HttpListener)app.Properties["System.Net.HttpListener"];
listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;
}
}
Solution 4
Are you sure you're getting through the authentication part? You could use fiddler to check whether the requests are actually going through or whether the server always responds with 401 Unauthorized (since you're using authentication).
You could also try to implement your own custom AuthorizeAttribute and put breakpoints in it to make sure it gets hit (you'll want to override the OnAuthorization method and see if that gets hit).
using System.Web.Http;
public class MyAuth : AuthorizeAttribute
{
public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
{
base.OnAuthorization(actionContext); //put breakpoint here
}
}
Also, make sure you're using the Authorize attribute from System.Web.Http, and not from System.Web.Mvc. See here why.
Solution 5
Similar to tpeczek's answer but updated to reflect HTTPS usage. tpeczek's answer doesn't work for HTTPS because the call to base.OnConfigureBinding(httpBinding); with HTTPS overwrites the changes. Additionally, you cannot use httpBinding.Security.Mode = HttpBindingSecurityMode.TransportCredentialOnly; with HTTPS.
Use a custom HttpSelfHostConfiguration:
public class NtlmSelfHostConfiguration : HttpSelfHostConfiguration
{
public NtlmSelfHostConfiguration(string baseAddress)
: base(baseAddress)
{ }
public NtlmSelfHostConfiguration(Uri baseAddress)
: base(baseAddress)
{ }
protected override BindingParameterCollection OnConfigureBinding(
HttpBinding httpBinding)
{
if (this.BaseAddress.Scheme == Uri.UriSchemeHttps)
{
var ret = base.OnConfigureBinding(httpBinding);
httpBinding.Security.Transport.ClientCredentialType =
HttpClientCredentialType.Ntlm;
return ret;
}
httpBinding.Security.Mode = HttpBindingSecurityMode.TransportCredentialOnly;
httpBinding.Security.Transport.ClientCredentialType =
HttpClientCredentialType.Ntlm;
return base.OnConfigureBinding(httpBinding);
}
}
Then, you can do
var config = new NtlmSelfHostConfiguration("http://myComputerName:8080");
or
var config = new NtlmSelfHostConfiguration("https://myComputerName:8443");
to get a configuration to pass into new HttpSelfHostServer(config)
Dave Johnson
Software developer specializing in Microsoft .NET (C#, ASP.NET)
Updated on July 17, 2022Comments
-
Dave Johnson almost 2 years
I am trying to use the ASP.NET Web API Self-Host option with Windows authentication so I can determine the logged on user and ultimately accept or reject the user based on their identity. Here is my console application code:
using System; using System.Web.Http; using System.Web.Http.SelfHost; namespace SelfHost { class Program { static void Main(string[] args) { var config = new HttpSelfHostConfiguration("http://myComputerName:8080"); config.UseWindowsAuthentication = true; config.Routes.MapHttpRoute( "API Default", "api/{controller}/{id}", new { id = RouteParameter.Optional }); using (HttpSelfHostServer server = new HttpSelfHostServer(config)) { server.OpenAsync().Wait(); Console.WriteLine("Press Enter to quit."); Console.ReadLine(); } } } }Here is the controller:
[Authorize] public class HelloController : ApiController { public string Get() { // This next line throws an null reference exception if the Authorize // attribute is commented out. string userName = Request.GetUserPrincipal().Identity.Name; return "Hello " + userName; } }Edit - I added the Authorize attribute, and the debugger shows that the code inside the Get action method is never invoked. The following HTML is returned:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content="text/html; charset=windows-1252" http-equiv=Content-Type></HEAD> <BODY></BODY></HTML>If the Authorize attribute is commented out,
Request.GetUserPrincipal().Identity.Namethrows a null reference exception sinceRequest.GetUserPrincipal()yields null.