HttpWebRequest.PreAuthenticate Property
.NET Framework Class Library

Gets or sets a value that indicates whether to send an authenticate header with the request.

Namespace:  System.Net
Assembly:  System (in System.dll)
Syntax

'Usage

Dim instance As HttpWebRequest
Dim value As Boolean

value = instance.PreAuthenticate

instance.PreAuthenticate = value

'Declaration

Public Overrides Property PreAuthenticate As Boolean

Property Value

Type: System.Boolean
true to send a WWW-authenticate HTTP header with requests after authentication has taken place; otherwise, false. The default is false.
Remarks

After a client request to a specific Uri is successfully authenticated, if PreAuthenticate is true and credentials are supplied, the WWW-authenticate header is sent with each request to that Uri; otherwise, the request uses standard authentication procedures.

With the exception of the first request, the PreAuthenticate property indicates whether to send authentication information with subsequent requests to the specific Uri without waiting to be challenged by the server.

The following dialog between client and server illustrates the effect of this property. The dialog assumes that basic authentication is in use.

PreAuthenticate is false:

Client: GET someUrl

Server: 401 WWW-Authenticate Basic

Client: GET with Authorization headers

Server: 200 OK

Client: GET someUrl

Server: 401 WWW-Authenticate Basic

Client: GET with Authorization headers

Server: 200 OK

PreAuthenticate is true:

Client: GET someUrl

Server: 401 WWW-Authenticate Basic

Client: GET with Authorization headers

Server: 200 OK

Client: GET someUrl with Authorization headers

If the authentication scheme does not support preauthentication, the value of this property is ignored.
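The exchange above can be reproduced locally. The following is an added example, not part of the original documentation: a constructed loopback server that challenges with Basic, and a client that sends two GETs and reports how many requests the server received for each PreAuthenticate setting. The class name, the demo-user/demo-pass credentials and the realm are assumptions made for the illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;
class PreAuthenticateDemo
{
    static int hits; // requests received by the constructed test server

    // Constructed loopback server: answers 401 with a Basic challenge unless
    // the request carries an Authorization header, in which case it answers 200.
    static void Serve(TcpListener listener)
    {
        while (true)
            using (TcpClient conn = listener.AcceptTcpClient())
            {
                StreamReader reader = new StreamReader(conn.GetStream(), Encoding.ASCII);
                bool hasAuth = false; string line;
                while (!string.IsNullOrEmpty(line = reader.ReadLine()))
                    hasAuth |= line.StartsWith("Authorization:", StringComparison.OrdinalIgnoreCase);
                Interlocked.Increment(ref hits);
                string head = hasAuth ? "HTTP/1.1 200 OK\r\n"
                    : "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"demo\"\r\n";
                byte[] reply = Encoding.ASCII.GetBytes(head + "Content-Length: 0\r\nConnection: close\r\n\r\n");
                reader.BaseStream.Write(reply, 0, reply.Length);
            }
    }
    // Sends two GETs to the same Uri and returns how many requests reached the server.
    static int TwoGets(bool preAuthenticate)
    {
        TcpListener listener = new TcpListener(IPAddress.Loopback, 0); // separate port per run, so runs do not share a Uri prefix
        listener.Start();
        new Thread(() => Serve(listener)) { IsBackground = true }.Start();
        Uri uri = new Uri("http://127.0.0.1:" + ((IPEndPoint)listener.LocalEndpoint).Port + "/");
        CredentialCache cache = new CredentialCache();
        cache.Add(uri, "Basic", new NetworkCredential("demo-user", "demo-pass")); // offered only to this prefix, only for Basic
        hits = 0;
        for (int i = 0; i < 2; i++)
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(uri);
            req.Credentials = cache;
            req.PreAuthenticate = preAuthenticate;
            using (req.GetResponse()) { } // dispose the response to release the connection
        }
        return hits;
    }
    static void Main() { Console.WriteLine("false: {0} requests, true: {1} requests", TwoGets(false), TwoGets(true)); }
}
```

The server speaks plain HTTP on loopback only so that the headers can be counted. Basic credentials are merely base64-encoded, so against a real host use an https:// Uri and keep the CredentialCache entry scoped to the narrowest Uri prefix that needs it.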

Platforms

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98, Windows CE, Windows Mobile for Smartphone, Windows Mobile for Pocket PC

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.
Version Information

.NET Framework

Supported in: 3.5, 3.0, 2.0, 1.1, 1.0

.NET Compact Framework

Supported in: 3.5, 2.0, 1.0
Community Content

Client sends Authorization not WWW-authenticate header
Added by: Atif Aziz
The documentation incorrectly states that the client sends WWW-authenticate header if PreAuthenticate is set to true. The server sends WWW-authenticate but the client always responds or sends the Authorization header.
More info on PreAuthenticate
Added by: ChrisLaMont

See this blog entry: http://blogs.msdn.com/feroze_daud/archive/2004/07/12/180856.aspx

The topic of this post is PreAuthentication.

HTTP Webservers support multiple authentication options. On Windows, IIS supports Basic, NTLM, Digest, Negotiate (a.k.a. Integrated Windows Authentication). Of these, Basic & Kerberos support PreAuthentication.

"PreAuthentication" is sometimes misunderstood to mean "Send credentials on the very first request". That is not the way it works. For Preauthenticate to work, the following things have to happen:

1) You make a webrequest to a server. You might (or might not) have specified credentials on the first request.

2) The server wants to authenticate the request you are making. So it replies with a 401.

3) The client does the authentication handshake with the server, and sends your credential.

4) If "Basic" was chosen as the authentication scheme by the client, then Pre-Authentication is enabled for this request. So, every subsequent request from now on to the same Uri-Prefix will result in the credentials being sent preemptively.

The main thing to note here is: It requires at least one request before the client can do pre-authentication. Credentials are not automatically sent on the first request if PreAuthenticate is true.

If you want to force credentials to be sent on the first request (and thus avoid the first auth handshake), you can set credentials manually on the request:


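using System;
using System.Net;
using System.Text;

// username and password are assumed to be defined by the caller.
WebRequest req = WebRequest.Create("http://....");
string cre = String.Format("{0}:{1}", username, password);
byte[] bytes = Encoding.ASCII.GetBytes(cre);
string base64 = Convert.ToBase64String(bytes);
// Set the Basic Authorization header by hand so it goes out with the first request.
req.Headers.Add("Authorization", "basic " + base64);
WebResponse resp = req.GetResponse();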


This will set the authorization header on the request, and send it on the first request itself. If the credentials are correct, the first handshake will not happen.

However, remember that you have to use this code to set the authorization header on every request. This is because we bypassed the authentication handshake, and HttpWebRequest has no knowledge that the server requires authentication. So it won't do pre-authentication by itself anymore.

The recommended way to get preauthentication is to set the credentials on the request, set PreAuthenticate=true, and send the request. Once the first authentication handshake happens, and credentials are accepted by the server, preauthentication will happen behind the scenes for every request to the same Uri-Prefix.

© 2009 Microsoft Corporation. All rights reserved.