I am trying to connect to a web service that uses Kerberos Authentication to authorize the user, but all I get is a 401 unauthorized every time I try to make the request. Below is the code that I am using. Thanks in advance for any help you can provide!

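    using System.IO;
    using System.Net;
    using System.Xml.XPath;

    public XPathNavigator GSASearch(string url, string searchString)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + searchString);
        request.CookieContainer = new CookieContainer();
        // DefaultCredentials is the security context the code is running under.
        request.Credentials = CredentialCache.DefaultCredentials;
        request.ContentType = "text/xml";
        request.Method = "POST";

        // XPathDocument reads the whole stream in its constructor, so the
        // response can be disposed before the navigator is returned.
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (Stream receiveStream = response.GetResponseStream())
        {
            XPathDocument doc = new XPathDocument(receiveStream);
            return doc.CreateNavigator();
        }
    }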

EDIT: I feel I should explain a bit more what I am attempting to do. I have been tasked with providing a new interface for my company's Google Search Appliance. I am using an ASP.NET page, which does some things like choose a Collection depending on where a user is located, etc. and then sends the appropriate search string to the GSA. This was all working well until they decided to turn authentication on, and now I can't get any results (I either get a 401 unauthorized, or a message stating that 'Data at the root level is invalid'). If I take the search string and provide it directly to the GSA, it authenticates fine, and displays the results, I just can't seem to get it through the HttpWebRequest.

EDIT 2: I did a little more looking (ran the request through Fiddler) and it looks like the request is only attempting Negotiate and not Kerberos. I set the credentials to use Kerberos explicitly as below, but it didn't help...

    public XPathNavigator GSASearch(string url, string searchString)
    {
        // Cache entry that applies the default network credentials to this
        // URI for the "Kerberos" authentication scheme only.
        CredentialCache credCache = new CredentialCache();
        credCache.Add(new Uri(url), "Kerberos", CredentialCache.DefaultNetworkCredentials);

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + searchString);
        request.CookieContainer = new CookieContainer();
        request.PreAuthenticate = true;
        request.Credentials = credCache;
        request.ContentType = "text/xml";
        request.Method = "POST";

        // XPathDocument reads the whole stream in its constructor, so the
        // response can be disposed before the navigator is returned.
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (Stream receiveStream = response.GetResponseStream())
        {
            //StreamReader readStream = new StreamReader(receiveStream);

            XPathDocument doc = new XPathDocument(receiveStream);
            return doc.CreateNavigator();
        }
    }

EDIT 3: Ok, looking closer again, the CredentialCache.DefaultCredentials doesn't appear to have my network credentials in it...

A: 

1) Have you done a Wireshark trace of a successful session to the GSA using the browser? Does that work?

2) If #1 works, what is the WWW-Authenticate header that is sent by the GSA on the first unauthenticated request?

3) Is the machine on which the ASPX app is running a part of the same AD domain that the GSA is in? AFAIK this is probably required for a successful auth.

4) Next, since it is the ASPX app that is doing the request, you cannot use the DefaultCredentials because you actually need the credentials of a user that is trusted by the GSA. For this you should either create a special user account for the app that is talking to the GSA, or have each user be a trusted user on the GSA and have the ASPX page authenticate the user first, then pass those credentials to the GSA using Delegation. For this you will also have to make the server running the ASPX app trusted for delegation.

In my opinion, you should first model your code as a console app that you run and debug. Then port it to an ASPX page. That way you will be able to know if the failure is due to the host (ASPX vs console) or something else.

feroze
Ok, just uncovered a new hiccup when trying step 1 with Fiddler...it needs to connect to an https:// link, instead of http://. I tried changing my connect url to https:// but it didn't really make a difference (in fact, the https:// url still works with the unauthenticated calls to the GSA, so I really doubt this is the problem). Not sure if this will affect the other steps you provided.
sunmorgus
Using Fiddler, when I make a successful attempt directly from the GSA, I don't see any WWW-Authenticate in the header info.
sunmorgus
On #3, yes, they are on the same domain.
sunmorgus
This is what I would do. I would use Firefox with the Firebug plugin. Start Firefox, and activate the Firebug plugin. Next, browse to the GSA and go through the authentication sequence. Firebug will show you the HTTP request/response. Check to see the HTTP request/response headers and verify if there is any authentication being done.
feroze
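
An added example, not part of the original question or answer: a console check for the headers captured in Fiddler, following the advice above to debug outside ASP.NET first. It classifies the token in an `Authorization: Negotiate ...` request header as Kerberos or NTLM by searching for the mechanism OIDs; the class and method names and the sample bytes are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;

static class NegotiateTokenCheck
{
    // DER-encoded mechanism OIDs: tag 0x06, length, value.
    static readonly byte[] Spnego   = { 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
    static readonly byte[] Kerberos = { 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
    static readonly byte[] NtlmOid  = { 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a };
    static readonly byte[] NtlmSig  = Encoding.ASCII.GetBytes("NTLMSSP\0");

    // Byte-pattern search; a heuristic, not a full ASN.1 parse.
    static int IndexOf(byte[] hay, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= hay.Length; i++)
            if (hay.Skip(i).Take(needle.Length).SequenceEqual(needle)) return i;
        return -1;
    }

    // headerValue: value of an Authorization header, e.g. "Negotiate <base64>".
    public static string Classify(string headerValue)
    {
        string[] parts = headerValue.Trim().Split(new[] { ' ' }, 2);
        if (parts.Length != 2 || !parts[0].Equals("Negotiate", StringComparison.OrdinalIgnoreCase))
            return "not a Negotiate header";
        byte[] tok;
        try { tok = Convert.FromBase64String(parts[1].Trim()); }
        catch (FormatException) { return "invalid base64"; }

        if (IndexOf(tok, NtlmSig) == 0) return "raw NTLM message (NTLM fallback)";
        bool spnego = IndexOf(tok, Spnego) >= 0;
        if (IndexOf(tok, Kerberos) >= 0)
            return spnego ? "SPNEGO offering Kerberos" : "Kerberos token without SPNEGO wrapper";
        if (IndexOf(tok, NtlmOid) >= 0) return "SPNEGO offering NTLM only";
        return "unrecognized token";
    }

    static void Main()
    {
        // Constructed token prefixes (not real captures), just enough bytes to classify.
        byte[] krb  = new byte[] { 0x60, 0x82 }.Concat(Spnego).Concat(Kerberos).ToArray();
        byte[] ntlm = NtlmSig.Concat(new byte[] { 0x01, 0x00, 0x00, 0x00 }).ToArray();
        foreach (byte[] sample in new[] { krb, ntlm })
            Console.WriteLine(Classify("Negotiate " + Convert.ToBase64String(sample)));
    }
}
```

Paste the header value from a working browser session and from the failing HttpWebRequest into `Classify` to see whether the two clients send the same kind of token.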