self hosted webapi basic authentication no 401 returned on windows 2008

Topics: ASP.NET Web API
Feb 12, 2013 at 4:06 PM
I have developed a self hosted webapi service that uses basic authentication using message handlers (similar to this: When I run this from my workstation (win 7 x64), the client consumes as expected. When I run this on the intended server (win 2008), the client fails with error code 500. After a bit of digging and network tracing, it looks like the (working) win 7 box initially responds with 401 as expected, but the win 2008 box doesn't respond at all, it just drops the connection (the client reports this as 500).

I've setup a remote debug on the server, and there's not even a stack track to go on. It looks to me like maybe I'm missing some component on the server that is causing an exception somewhere deep in the webapi code, but I can't tell for sure.

I tried adding Tracing, but no traces are generated from within the authentication itself - not until the controller is getting called.

I'm not quite sure where to go from here. I even tried running procmon looking for anything out-of-the-ordinary, but no luck there.
Feb 12, 2013 at 6:07 PM
Hi Justin,

To Basic auth in self host mode, you will need to write a custom UsernamePasswordValidator and register on the HttpSelfHostConfiguration.

public class CustomUsernamePasswordValidator : UsernamePasswordValidator
 protected override void Validate(string username, string password) { // add your own logic here, throw if they are wrong }

httpSelfHostConfiguration.UsernamePasswordValidator = new CustomUsernamePasswordValidator();

You still need to turn the username and password to some IPrincipal for authorization, you can register a custom message handler to do that.
Feb 12, 2013 at 6:54 PM

Thanks for your reply, but as I said in the initial post this is all up and working as expected on my windows 7 dev box. I do have a custom password validator, and it works as expected on win7.
Feb 12, 2013 at 8:19 PM
That is intriguing. Is your custom password validator actually validating the username/password, or you have your message handler validating the credential. It will really helpful if you could share your code snippet of custom username password validator and your message handler so that we can repro the issue on our side.

Also which version of web api are you using?
Feb 12, 2013 at 9:15 PM
Okay, I understand your initial question now. No, I am not setting httpSelfHostConfiguration.UsernamePasswordValidator, it is using a custom message handler (exactly like the link in my initial post). I was using the NuGet package 'Microsoft ASP.NET Web API Self Host'. Since then, I am attempting to switch over to using the nightly builds (per to see if I can track down the problem, but that is proving to be more difficult than I anticipated.
Feb 13, 2013 at 9:01 PM
I got the nightly builds to work and have now been able to get the actual error that is occurring. There is a System.ArgumentException being thrown with text "The 'WWW-Authenticate' header cannot be modified directly.\r\nParameter name: name". Google has some interesting leads, so I'm going to research those. I'm not sure why this is only a problem on 2k8 and not on win7, but not much I can do about it. For reference, the stack at the time looks like this:

....(more System.ServiceModel...
Feb 13, 2013 at 9:17 PM
Edited Feb 13, 2013 at 10:23 PM
Feb 13, 2013 at 10:45 PM
cool. The error you posted above was coming from WCF, and it has been fixed in 4.5. I tried the message handler approach, and I was able to getting it working end to end. The UsernamePassworkValidator approach should also work.