Fiddler and the 401 (Unauthorized) error with ASP.NET Web API using Integrated Windows Authentication (WIA)
January 25, 2013
A few days ago I had a real strange problem while using HttpClient in combination with ASP.NET Web API and integrated windows authentication (IIS Express). To keep it simple, I always got a 401 (Unauthorized) error returned from the localhost website, even though I was setting up the HttpClient correctly (see screenshots) and the HttpClient was sending the authorization header (negotiate).
In my code is was using the URI http://localhost.fiddler:51275/api/values to access the REST API. The .fiddler part in the URI allows Fiddler to monitor the HTTP traffic between the website and the console application. For more details about this setting take a look at Fiddler’s homepage: http://www.fiddler2.com/fiddler/help/hookup.asp.
After researching a while I found out, that exactly the .fiddler URI addition is part of the problem for the 401 error I always received. Microsoft changed the logic of the NTLM authentication for some of the security classes in .NET version 3.5 SP1 (see link below) in order to avoid relefection attacks. A reflection attack is a method of attacking a challenge-response authentication system. The HttpClient uses those changed classes internally to connect to the website.
So, the solution is quite simple. We just need to add the registry key BackConnectionHostNames (important: Multi-Value String) to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\Lsa\MSV1_0 section in the registry with the value localhost.fiddler. A full explanation about the security concepts in WIA you will find at Microsoft’s site: Changes to NTLM authentication for HTTPWebRequest in Version 3.5 SP1
You can easily reproduce this error by creating a standard MVC4 web application with a Web API controller using windows authentication (see screenshot for settings). Then you add a console application to the project from which access the REST API (ValuesController).