I have a local Web API project which is NOT running through local IIS. To run the project I use F5 in Visual Studio 2013.
Using Fiddler, I keep getting:
HTTP/1.1 401 Unauthorized
#   Result  Protocol  Host             URL          Body   Caching  Content-Type              Process        Comments  Custom
88  401     HTTP      localhost:52787  /api/values  6,180  private  text/html; charset=utf-8  fiddler:10724
I know I am supposed to get 200 but I am not. Where should I check what I am doing wrong?
Here is a screenshot from a browser. I am getting this when I go back to Fiddler to see the results. I just type http://localhost:52787/api/helloapi into the URL bar (in a browser) and press enter:
And here is what I get when I go through Fiddler, manually composing a GET:
I have the option Automatically Authenticate checked.
ekad
asked Oct 13, 2014 at 22:40
When you say "using Fiddler", what exactly do you mean?
If you are manually composing the request using Fiddler’s Composer, either add an Authorization header yourself, or click the Composer’s Options tab and check the Automatically Authenticate box.
answered Oct 14, 2014 at 14:30
EricLaw
I just had the same problem. In my case it was caused by a deny clause in the web.config that forced all users to be authenticated. This works well in a browser because the browser handles the authentication behind the scenes and sends an appropriate authorization cookie. In Fiddler this handshake does not take place, hence the 401. In the development environment add this to your web.config and it should work.
<system.web>
  <authorization>
    <!-- "?" matches anonymous (unauthenticated) users -->
    <allow users="?" />
  </authorization>
</system.web>
answered Jan 31, 2015 at 7:14
I know this is an older post but if someone is still looking for an answer (like me) and the above answers did not resolve the problem then try this solution —
The above answers didn’t work in my dev env which consists of VS 2017 and VSTS as I already had the <authorization> element set correctly in my web.config file. After a few hit and trials I figured that the source of the problem was somewhere else.
I needed to make the following change to the "applicationhost.config" file, which can usually be found under the path "C:\Users\xxx\Source\Repos\yyyyyy\.vs\config":
Locate the <anonymousAuthentication> element and make sure the "enabled" attribute is set to "true" as under:
<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="true" />
    </authentication>
  </security>
</system.webServer>
answered Sep 26, 2018 at 17:20
AV2000
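A check for the two settings discussed in the answers above, as an added example that is not from either poster: it parses a config and lists every place where anonymous access is permitted, so a development-only relaxation is noticed before the file is deployed. The function name `Get-AnonymousAccessFinding` and the sample XML are assumptions made for illustration.

```powershell
# Added example: list the places where a config permits anonymous access.
# Get-AnonymousAccessFinding is a hypothetical helper; the XML is constructed.
function Get-AnonymousAccessFinding {
    param([Parameter(Mandatory)][xml]$Config, [string]$Source = 'config')

    # ASP.NET URL authorization: users="?" admits unauthenticated callers,
    # users="*" admits everyone. Rule order is not evaluated here; each hit
    # is reported for review.
    foreach ($node in $Config.SelectNodes('//system.web/authorization/allow[@users]')) {
        $users = @($node.GetAttribute('users') -split ',' | ForEach-Object { $_.Trim() })
        if ($users -contains '?' -or $users -contains '*') {
            [pscustomobject]@{
                Source  = $Source
                Setting = 'system.web/authorization/allow'
                Value   = 'users="{0}"' -f $node.GetAttribute('users')
            }
        }
    }

    # IIS / IIS Express authentication module (applicationhost.config).
    $xpath = '//system.webServer/security/authentication/anonymousAuthentication'
    foreach ($node in $Config.SelectNodes($xpath)) {
        if ($node.GetAttribute('enabled') -eq 'true') {
            [pscustomobject]@{
                Source  = $Source
                Setting = 'anonymousAuthentication'
                Value   = 'enabled="true"'
            }
        }
    }
}

# Constructed sample combining the two fragments from the answers above.
$sample = [xml]@'
<configuration>
  <system.web>
    <authorization><allow users="?" /></authorization>
  </system.web>
  <system.webServer>
    <security><authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="true" />
    </authentication></security>
  </system.webServer>
</configuration>
'@

Get-AnonymousAccessFinding -Config $sample -Source 'constructed sample' |
    Format-Table -AutoSize
```

For a real file, pass `[xml](Get-Content -Raw <path>)` as `-Config`.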
It happens because you have an Authorize attribute on your ValuesController:
[Authorize]
public class ValuesController : ApiController
Just remove the [Authorize] attribute on ValuesController.
answered Nov 22, 2019 at 6:57
I am requesting this url with fiddler: http://sitecollectionUrl/_api/web
With the header of:
Accept: application/json;odata=verbose
But I am getting 401 error code when doing so. I am on SharePoint Server 2013.
asked Dec 15, 2015 at 23:54
- Have you checked Automatically Authenticate option or you have key in the Authorization in header?
  Dec 16, 2015 at 2:21
- How do I check the authentication automatically? No I don’t have a header for authentication.
  Dec 16, 2015 at 6:06
- Thank you Mark, I found the automate authentication, and it worked. Please add it as answer so I can mark it. Thank you a lot.
  Dec 16, 2015 at 6:11
1 Answer
You can enable the Automatically Authenticate option in Fiddler. It will use your current Windows logon account to send the request.
The option can be found under Composer tab > Options tab
answered Dec 16, 2015 at 6:15
Mark L
A few days ago I had a really strange problem while using HttpClient in combination with ASP.NET Web API and Integrated Windows Authentication (IIS Express). To keep it simple, I always got a 401 (Unauthorized) error returned from the localhost website, even though I was setting up the HttpClient correctly (see screenshots) and the HttpClient was sending the authorization header (negotiate).
In my code I was using the URI http://localhost.fiddler:51275/api/values to access the REST API. The .fiddler part in the URI allows Fiddler to monitor the HTTP traffic between the website and the console application. For more details about this setting take a look at Fiddler’s homepage: http://www.fiddler2.com/fiddler/help/hookup.asp.
After researching for a while I found out that exactly the .fiddler addition to the URI is part of the problem behind the 401 error I always received. Microsoft changed the logic of the NTLM authentication for some of the security classes in .NET version 3.5 SP1 (see link below) in order to avoid reflection attacks. A reflection attack is a method of attacking a challenge-response authentication system. The HttpClient uses those changed classes internally to connect to the website.
So, the solution is quite simple. We just need to add the registry value BackConnectionHostNames (important: type Multi-String Value, REG_MULTI_SZ) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 in the registry with the value localhost.fiddler. A full explanation of the security concepts in WIA can be found on Microsoft’s site: Changes to NTLM authentication for HTTPWebRequest in Version 3.5 SP1
You can easily reproduce this error by creating a standard MVC4 web application with a Web API controller using Windows authentication (see screenshot for settings). Then you add a console application to the project from which you access the REST API (ValuesController).
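The registry change described above, written as an added example that is not part of the original post: it merges the host name into BackConnectionHostNames rather than overwriting the value, so entries that other applications rely on survive. `Add-BackConnectionHostName` is a hypothetical helper name; listing only localhost.fiddler leaves the loopback check in force for every other host name.

```powershell
# Added example: add a host name to BackConnectionHostNames while keeping any
# entries already present. Needs an elevated prompt.
# Add-BackConnectionHostName is a hypothetical helper name.
function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$HostName)

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $name = 'BackConnectionHostNames'

    # Current REG_MULTI_SZ entries; a missing value yields an empty list.
    $prop    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current = @()
    if ($prop) { $current = @($prop.$name | Where-Object { $_ }) }

    # Host names compare case-insensitively, which -notcontains does by default.
    $missing = @($HostName | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) { return $current }

    $merged = [string[]]($current + $missing)
    if ($PSCmdlet.ShouldProcess("$key\$name", "add $($missing -join ', ')")) {
        # -Force replaces the value if it exists; $merged already contains
        # the old entries, so nothing is lost.
        New-ItemProperty -Path $key -Name $name -PropertyType MultiString `
            -Value $merged -Force | Out-Null
    }
    $merged
}

# -WhatIf shows the intended change without writing to the registry.
Add-BackConnectionHostName -HostName 'localhost.fiddler' -WhatIf
```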
- Posted in ASP.NET (MVC), ASP.NET (Web API), Development
- Tags: 401, 401 (Unauthorized), 401 error, ASP.NET Web API, Fiddler, HttpClient, Integrated Windows Authentication, NTLM authentication, REST API, WIA
Hi nssrsaran,
I agree with what Stuart Starrs has said.
First, let’s have a look at the definitions of HTTP 200 and 401.
401 Unauthorized:
The request requires user authorization (such as through htaccess) but the authorization codes sent were invalid or the user was not recognized in the system. This error is sent when the username sent is not recognized and when the username and password combination are incorrect.
200 OK:
This is the most common HTTP status message. It indicates that the request was successful and the server was able to deliver on the request.
So, as Stuart Starrs said, the HTTP 200 is not an error. Then I want to explain why the 401 error is also necessary.
The order of precedence of authentication:
1. When the browser makes a request, it always considers the first request to be Anonymous. If the server does not accept Anonymous, the IIS server responds with an “Access Denied” error message. So you get the first 401 error. In Fiddler, you can also see a message like this: Cookie:MSOWebPartPage_AnonymousAccessCookie=2010 and Login: WWW-Authenticate.
2. The browser will try to communicate with the server using NTLM. The server sends an NTLM challenge to the client; there are no credentials for the client at this time, so you get the second 401 error message. The response header which you see in Fiddler is “Unauthorized” and the content of Login is “NTLM ****.”
3. IE will automatically pass the credentials for every new request for the duration of the session. So, after you log in to SharePoint, the HTTP 401 doesn’t happen until the session expires.
More information about NTLM authentication and SharePoint:
http://sharepoint2007.microsoft.com/blogs/cgideon/Lists/Posts/Post.aspx?List=515f50ff%2Ddb1e%2D4f44%2D8cf5%2D31283fcb1f08&ID=2
Hope it’s helpful to you.
I think I can.
-
Marked as answer by
Aaron Han — MSFT
Tuesday, June 1, 2010 9:42 AM
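To tell the handshake 401s described in the answer above from a real authentication failure in a capture, the message type inside each NTLM token can be decoded. This is an added example, not part of the original thread; the function names are hypothetical, the trace is constructed, and only the NTLM scheme is handled (not Negotiate or Kerberos tokens).

```powershell
# Added example: classify each response of an NTLM exchange seen in a proxy.
# Function names are hypothetical; the trace is constructed and its tokens are
# cut down to the 12-byte NTLMSSP header (signature + message type).
function Get-NtlmMessageType {
    param([string]$HeaderValue)
    if ($HeaderValue -notmatch '^\s*NTLM\s+([A-Za-z0-9+/=]+)\s*$') { return 0 }
    try { $bytes = [Convert]::FromBase64String($Matches[1]) } catch { return 0 }
    if ($bytes.Length -lt 12) { return 0 }
    if ([Text.Encoding]::ASCII.GetString($bytes, 0, 7) -cne 'NTLMSSP' -or $bytes[7] -ne 0) {
        return 0
    }
    # Little-endian message type: 1 = negotiate, 2 = challenge, 3 = authenticate.
    [int][BitConverter]::ToUInt32($bytes, 8)
}

function Get-HandshakeStep {
    param([object[]]$Session)   # items with Status, Authorization, WwwAuthenticate
    foreach ($s in $Session) {
        $sent = Get-NtlmMessageType $s.Authorization     # token the client sent
        $got  = Get-NtlmMessageType $s.WwwAuthenticate   # token the server returned
        $step = if     ($s.Status -ne 401)             { 'not a 401' }
                elseif ($sent -eq 0)                   { 'expected: anonymous request refused' }
                elseif ($sent -eq 1 -and $got -eq 2)   { 'expected: server challenge' }
                elseif ($sent -eq 3)                   { 'failure: credentials rejected' }
                else                                   { 'unexpected sequence' }
        [pscustomobject]@{ Status = $s.Status; Sent = $sent; Received = $got; Step = $step }
    }
}

# Constructed trace: a normal three-leg exchange, then a rejected logon.
$t1 = 'NTLM TlRMTVNTUAABAAAA'; $t2 = 'NTLM TlRMTVNTUAACAAAA'; $t3 = 'NTLM TlRMTVNTUAADAAAA'
$trace = @(
    [pscustomobject]@{ Status = 401; Authorization = '';  WwwAuthenticate = 'NTLM' }
    [pscustomobject]@{ Status = 401; Authorization = $t1; WwwAuthenticate = $t2 }
    [pscustomobject]@{ Status = 200; Authorization = $t3; WwwAuthenticate = '' }
    [pscustomobject]@{ Status = 401; Authorization = $t3; WwwAuthenticate = 'NTLM' }
)

Get-HandshakeStep -Session $trace | Format-Table -AutoSize
```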