Frustration with System.Net.WebClient and NTLM Authenticated Proxies

Posted in Coding, IT, Rant by Will on September 10, 2007.

I’m currently working away on improving Smitter R3, and part of that is improving the way proxies are handled.

Currently, there are four situations it supports quite fine:

- No Proxy
- Proxy, without Authentication
- Proxy, with BASIC Authentication (using specified username/password)
- Proxy, with NTLM Authentication using your current Windows Account (aka Windows Integrated Authentication).

The problem comes when you’re in this fifth situation:

- Proxy, with NTLM Authentication using a specified username, password and domain.

Initially, I was using code like:

WebClient client = new WebClient(); // the URL is passed to the download call, not the constructor
client.Proxy = new WebProxy(proxyurl, true);
// if proxy-auth required:
client.Proxy.Credentials = new NetworkCredential(proxyusername, proxypassword, domain);
// ...etc

But, this fails with “407 Proxy Authentication Required”.
The crazy part is that it actually is doing NTLM authentication, but it appears to be attached in the headers for twitter.com (!?).
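
A check for the symptom described above, as an added example that is not from the original post or the Smitter source: it takes request header lines copied from a network capture and reports whether an NTLM token travels in `Proxy-Authorization` (to the proxy) or in `Authorization` (to the origin server). The class and method names are hypothetical, and the sample token is constructed.

```csharp
using System;
using System.Text;

static class NtlmHeaderCheck
{
    // Returns the NTLM message type (1 = Negotiate, 2 = Challenge, 3 = Authenticate),
    // or 0 if the header value does not carry an NTLM token.
    public static int NtlmMessageType(string headerValue)
    {
        const string scheme = "NTLM ";
        if (headerValue == null || !headerValue.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return 0;
        byte[] raw;
        try { raw = Convert.FromBase64String(headerValue.Substring(scheme.Length).Trim()); }
        catch (FormatException) { return 0; }
        // Every NTLM message starts with "NTLMSSP\0", then a little-endian uint32 message type.
        if (raw.Length < 12 || Encoding.ASCII.GetString(raw, 0, 7) != "NTLMSSP" || raw[7] != 0)
            return 0;
        return raw[8] | raw[9] << 8 | raw[10] << 16 | raw[11] << 24;
    }

    // Classifies one request header line taken from a capture.
    public static string Classify(string headerLine)
    {
        int colon = headerLine.IndexOf(':');
        if (colon < 0) return "not a header";
        string name = headerLine.Substring(0, colon).Trim();
        int type = NtlmMessageType(headerLine.Substring(colon + 1).Trim());
        if (type == 0) return "no NTLM token";
        if (name.Equals("Proxy-Authorization", StringComparison.OrdinalIgnoreCase))
            return "NTLM type " + type + " sent to the proxy";
        if (name.Equals("Authorization", StringComparison.OrdinalIgnoreCase))
            return "NTLM type " + type + " sent to the origin server";
        return "NTLM token in unexpected header " + name;
    }

    static void Main()
    {
        // Constructed sample: a minimal NTLM type 1 message (signature, type, zero flags).
        byte[] negotiate = { 0x4E, 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50, 0x00, 1, 0, 0, 0, 0, 0, 0, 0 };
        string token = "NTLM " + Convert.ToBase64String(negotiate);
        Console.WriteLine(Classify("Proxy-Authorization: " + token));
        Console.WriteLine(Classify("Authorization: " + token));
        // Constructed non-NTLM value, for contrast.
        Console.WriteLine(Classify("Authorization: Basic dXNlcjpwYXNz"));
    }
}
```

A type 3 (Authenticate) message showing up under `Authorization` means the credential response is addressed to the origin server rather than to the proxy that issued the 407.
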

So, I tried using WebRequest, and also HttpWebRequest and specifying proxy-keep-alive.
I also tried setting the .NET Default proxy to my specified proxy or just adding authentication credentials.
But, still nothing appears to be working.

Almost all the solutions online are using the DefaultCredentialCache - but that really doesn’t help (I tried), because I’m not logged in as the user that I want to authenticate as. Creating a new CredentialCache and adding the details to that - still no help.

All in all, very frustrated!

If you want to have a crack at solving it - download the SmitterR2 source and check out Smitter.Core.TwitterService.GetStatuses (in SmitterClasses\SmitterCore.cs).

There’s currently a line like:
using (WebClient client = BuildWebClient())
Ignore/remove it and create your own WebClient/WebRequest/etc to test on. That’s the first (network) function called when Smitter starts up, and is pretty quick to return a result one way or another.

Just make sure you’re using a proxy which requires NTLM / Kerberos Auth, and isn’t on the same domain as your current account. Any other situation seems to work A-OK.

If you can solve this, I’d be much in your debt.