c# – How to pass Windows Authentication credential from client to Web API service

Inside my corporate environment, I have IIS7.5 hosting both a Web API service and a separate website which makes calls into that service via the RestSharp library. Both are currently configured with Windows Authentication.

If I navigate to either one with a browser, I’m prompted to enter my windows credential, and everything works great… I get web pages that I want and the REST service spits out my data. The part I’m struggling to figure out is how to use a single credential to authentication both. I can’t figure out how to either pass the Website’s credential to the service (I tried impersonating but it didn’t work), or to manually prompt the user for username/password and then authenticate them with “Windows”.

Help a noob out?

asked Oct 17 ’14 at 17:07

Jim LastJim Last

14311 gold badge11 silver badge55 bronze badges

If you use impersonation on your web site and the API is running on the same server it should work.


However, if you would move the API to a different server from the site this will stop working. A two-server setup requires Kerberos delegation.

answered Oct 22 ’14 at 12:18

Settings for web API

  1. Enable Windows Authentication

Settings for web application

  1. Enable Windows Authentication
  2. Add <identity impersonate=”true” /> in <system.web> of web.config
  3. Add the following in the web.config:

    <validation validateIntegratedModeConfiguration=”false” />

  4. Enable Windows Authentication and ASP.NET Impersonation within IIS

You can use the following code to POST data to web API (and GET as well obviously)

using (var client = new WebClient { UseDefaultCredentials = true })
client.Headers.Add(HttpRequestHeader.ContentType, “application/xml; charset=utf-8”);
byte[] responseArray = client.UploadData(“URL of web API”, “POST”, Encoding.UTF8.GetBytes(XMLText));
string response = Encoding.ASCII.GetString(responseArray);

NOTE: If you’re still getting 401 errors you may need to use an IP address instead of a regular domain name for your URL (e.g.: instead of mycompany.com)

Omar Himada

2,10011 gold badge99 silver badges2525 bronze badges

answered Oct 20 ’15 at 13:07

Not the answer you’re looking for? Browse other questions tagged c# asp.net authentication windows-authentication asp.net-web-api or ask your own question.


Leave a comment

Your email address will not be published. Required fields are marked *