I'm building a web service with ASP.NET Web API, and I have to fetch an image from an AXIS IP camera. The camera, however, uses Digest authentication. So my C# code looks something like this:

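    // Requires: using System.Net;
    WebClient webClient = new WebClient();
    webClient.UseDefaultCredentials = true;
    // Explicit credentials replace the default ones set on the line above.
    webClient.Credentials = new NetworkCredential("***", "***");
    // Fetch a single JPEG frame from the camera.
    byte[] imageStream = webClient.DownloadData("http://192.168.0.90/axis-cgi/jpg/image.cgi");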

This all works, but when looking at Fiddler, I found that the client sends one request without authentication, and a 401 error returns. After that it sends the one with digest security.

I've found a solution with manual credentials injection here:

http://kristofmattei.be/2013/02/20/webclient-not-sending-credentials-heres-why/

But this looks wrong. It uses basic authentication, which I don't want really and looks a bit unprofessional.

Is there any way to send the signed request immediately or is this how that works because I'm noticing that the camera is returning the nonce in the first request?

Aleksandar Stojadinovic
  • Have you tried [HTTPS & Digest Authentication](http://stackoverflow.com/a/1970990/580951) – Dustin Kingen Jun 10 '13 at 13:05
  • Well yeah that link is similar, I think you are telling it to use default credentials and then setting explicit credentials, try setting that to false first and then see if it works – Bearcat9425 Jun 10 '13 at 13:07
  • No change after both pieces of advice. – Aleksandar Stojadinovic Jun 10 '13 at 13:11
  • Does this work if you run the same code from a non-web application, for instance a console application? My suggestion is that since the web application runs under IIS, it may have other than your user's default credentials. – Vitali Kaspler Jun 10 '13 at 13:17
  • Just to be clear, this works like this. First it sends the request with no authentication, and then with. I tried this with the browser, just going to this URL. After that it showed me the login window, I entered them, and I got my image back. When I debugged that, I saw the same as with my app: the request with the 401 response first, and then, after me logging in, the correct one. This really seems like it should work like that, since the first response carries some security information, nonce and realm. Is there any book where I can read more about these security protocols for deeper understanding? – Aleksandar Stojadinovic Jun 10 '13 at 13:32

1 Answer

You can't avoid the first anonymous request because the WebClient has to figure out which authentication scheme is used, based on the 401 response it's getting; it could be basic, digest, etc. See that question.

With digest you can't avoid 2 requests anyway because the first 401 response contains a nonce (a value that is needed for the client authentication request), see Digest access authentication, Wikipedia.

If it was basic authentication you could have avoided the first request by setting the needed header manually with your credentials.

argaz
  • That was very helpful. Indeed, for basic auth WebClient does not send the credentials on the first request, it waits for a 401 before doing so. Therefore if your server is not compliant (e.g. returns 407 instead of 401 as in the case of some mailgun APIs), it will never send credentials. Boo! The way to fix this is to set the Authorization header manually, as you suggested - http://stackoverflow.com/a/9699211/118878 Thanks! – DenNukem Oct 15 '13 at 20:06
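
The answer's point that Digest needs the nonce from the 401 can be seen by computing the `response` value by hand. The following is an added example, not code from the question, the answer or WebClient itself. It covers only the default MD5 algorithm with `qop=auth`; the class and method names are hypothetical, and the challenge and credentials are the sample values from RFC 2617 section 3.5, not values from the camera.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

static class DigestDemo // hypothetical name, for illustration only
{
    // Lowercase hex MD5 of a string, the default Digest algorithm in RFC 2617.
    static string Md5Hex(string s)
    {
        using (var md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(s)))
                               .Replace("-", "").ToLowerInvariant();
    }

    // Parse key="value" and key=value pairs from a "Digest ..." WWW-Authenticate value.
    static Dictionary<string, string> ParseChallenge(string header)
    {
        if (!header.StartsWith("Digest ", StringComparison.OrdinalIgnoreCase))
            throw new FormatException("Not a Digest challenge");
        var fields = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (Match m in Regex.Matches(header.Substring(7), "(\\w+)=(?:\"([^\"]*)\"|([^\\s,]+))"))
            fields[m.Groups[1].Value] = m.Groups[2].Success ? m.Groups[2].Value : m.Groups[3].Value;
        return fields;
    }

    // response = MD5(HA1:nonce:nc:cnonce:qop:HA2); the server-chosen nonce is an input.
    static string Response(IDictionary<string, string> c, string user, string pass,
                           string method, string uri, string nc, string cnonce)
    {
        string ha1 = Md5Hex(user + ":" + c["realm"] + ":" + pass);
        string ha2 = Md5Hex(method + ":" + uri);
        return Md5Hex(string.Join(":", ha1, c["nonce"], nc, cnonce, "auth", ha2));
    }

    static void Main()
    {
        // Constructed challenge built from the RFC 2617 section 3.5 sample values.
        string challenge = "Digest realm=\"testrealm@host.com\", qop=\"auth\", " +
            "nonce=\"dcd98b7102dd2af0e8b11d0f600bfb0c\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"";
        var c = ParseChallenge(challenge);
        string r = Response(c, "Mufasa", "Circle Of Life", "GET", "/dir/index.html", "00000001", "0a4f113b");
        Console.WriteLine("Authorization: Digest username=\"Mufasa\", realm=\"" + c["realm"] +
            "\", nonce=\"" + c["nonce"] + "\", uri=\"/dir/index.html\", qop=auth, nc=00000001, " +
            "cnonce=\"0a4f113b\", response=\"" + r + "\", opaque=\"" + c["opaque"] + "\"");
    }
}
```

Because `realm` and `nonce` come from the server's challenge and both feed the hash, the client has nothing to sign until it has seen one 401 from that server.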