System.Net.WebClient doesn't work with Windows Authentication

Peter Hahndorf · Jun 23, 2009 · Viewed 20.5k times

I am trying to use System.Net.WebClient in a WinForms application to upload a file to an IIS6 server which has Windows Authentication as its only 'Authentication' method.

WebClient myWebClient = new WebClient();
myWebClient.Credentials = new System.Net.NetworkCredential(@"boxname\peter", "mypassword"); 
byte[] responseArray = myWebClient.UploadFile("http://localhost/upload.aspx", fileName);

I get a 'The remote server returned an error: (401) Unauthorized'; actually it is a 401.2.

Both client and IIS are on the same Windows Server 2003 Dev machine.

When I try to open the page in Firefox and enter the same correct credentials as in the code, the page comes up. However, when using IE8, I get the same 401.2 error.

Tried Chrome and Opera and they both work.

I have 'Enable Integrated Windows Authentication' enabled in the IE Internet options.

The Security Event Log has a Failure Audit:

Logon Failure:
    Reason:     An error occurred during logon
    User Name:  peter
    Domain:     boxname
    Logon Type: 3
    Logon Process:  ÈùÄ
    Authentication Package: NTLM
    Workstation Name:   boxname
    Status code:    0xC000006D
    Substatus code: 0x0
    Caller User Name:   -
    Caller Domain:  -
    Caller Logon ID:    -
    Caller Process ID:  -
    Transited Services: -
    Source Network Address: 127.0.0.1
    Source Port:    1476

I used Process Monitor and Fiddler to investigate but to no avail.

Why would this work for 3rd party browsers but not with IE or System.Net.WebClient?

Answer

Goyuix · Jun 18, 2010

I have seen a similar issue, where the Integrated / NTLM security will only work if you are accessing the host by machine name or localhost. In fact, it is a [poorly] documented feature in Windows that is designed to protect against "reflection attacks".

Basically, you need to create a registry key on the machine that is trying to access the server, and whitelist the domain you are trying to hit. Each host name / FQDN needs to be on its own line - there are no wildcards and the name must match exactly. From the KB Article:

  • Click Start, click Run, type regedit, and then click OK.
  • In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  • Right-click MSV1_0, point to New, and then click Multi-String Value.
  • Type BackConnectionHostNames, and then press ENTER.
  • Right-click BackConnectionHostNames, and then click Modify.
  • In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
  • Exit Registry Editor, and then restart the computer.

http://support.microsoft.com/kb/956158/en-us
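
The registry steps in the answer above can also be scripted. The following PowerShell is an added example, not part of the original answer or the KB article: it merges names into `BackConnectionHostNames` without dropping existing entries and rejects wildcards. The host name `intranet.example.test` is a constructed placeholder, and the final check of `DisableLoopbackCheck` (a related value under the parent `Lsa` key that the answer does not mention) is an addition.

```powershell
# Added example: run from an elevated PowerShell prompt on the machine that
# makes the request (here the same box that hosts IIS).
# Placeholder host name (constructed); use the exact name that appears in the URL.
$HostNames = @('intranet.example.test')

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$name = 'BackConnectionHostNames'

# Entries are matched exactly and wildcards are not supported, so reject
# anything that is not a plain host name or FQDN (no '*', no scheme, no port).
foreach ($h in $HostNames) {
    if ($h -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
        throw "Not a plain host name or FQDN: '$h'"
    }
}

# Read the current multi-string value, if it exists.
$current = @()
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($prop) { $current = @($prop.$name) }

# Merge, keeping existing entries (-notcontains compares case-insensitively).
$merged = @($current)
foreach ($h in $HostNames) {
    if ($merged -notcontains $h) { $merged += $h }
}

if ($merged.Count -eq $current.Count) {
    Write-Output 'No change: every name is already listed.'
} else {
    # -Force overwrites the existing value; MultiString is REG_MULTI_SZ,
    # which stores one host name per line as the steps above describe.
    New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
        -Value ([string[]]$merged) -Force | Out-Null
    Write-Output "Wrote $($merged.Count) name(s). Restart the computer to apply."
}

# Related setting, not mentioned in the answer: DisableLoopbackCheck = 1 turns
# the loopback check off for every name, which makes the per-host list moot.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1: reflection protection is off for all host names.'
}
```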