Why does Silverlight 4 ClientHttp WebRequest prompt the user for a login and password?

Question

One of the new features of the client http stack in Silverlight 4 is the ability to supply network credentials. When I use this feature Windows shows a "Windows Security" message box that prompts the user for a login and password (text in the box is "The server xx at xx requires a username and password. Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)."). I'm setting the login and password as shown below so I'm not sure why this is displayed. My code is:

var request = WebRequestCreator.ClientHttp.Create(new Uri("http://myserver:8080/gui/?list=1"));
request.Credentials = new NetworkCredential("login", "password");
request.BeginGetResponse(new AsyncCallback(OnRequestComplete), request);

If I enter the username and password into the messagebox the request completes successfully. For a number of reasons I'd rather prompt the user for the login and password so I'd like to avoid the messagebox if possible.

My setup is Silverlight 4 final, VS 2010 final, Windows 7 x86. The application is out of browser with elevated permissions.

Answer 1

The warning about 'requesting that your username and password be sent in an insecure manner' likely means that you are not sending the data over ssl (https) which would be by webbrowser standards, a secure connection.

You can't get past this because this prompt is showed or not showed depending on the users internet security settings. The only way you can fix it from your end is by using ssl.

Answer 2

If you call to the web server is a cross-site call you will have to specify a client access policy on the web server to enable the authorization header. You should either place the XAP file on http://myserver:8080 or add a clientaccesspolicy.xml file to the web site on http://myserver:8080.

Tim Heuer has some more information about how Silverlight 4 enables Authorization header modification.