Invoke REST Service with windows authentication

Jan 21, 2014 at 3:35 PM
I have a WCF REST Service for which I have enabled the "windows authentication".
I am trying to write REST Client which will invoke this service by passing the current logged in windows user credentials ( LoggedIn User Token).

I see , only "Credenticals" structure in HttpClient.h which takes basic user name and password. But I will not be having access to username and password for the already logged in current user and I want to achieve "single sign on".

Since I am new, I would need your help to get the required API to achive this.

Jan 21, 2014 at 6:45 PM
Hi jagsanand,

The currently logged in user credentials in some cases will automatically be used if challenged for authentication. What platforms are you running on.

For Windows desktop, WinHttp under the covers, if no credentials are explicitly specified we use the default auto logon security level medium. This means for requests which are on the local intranet the currently logged in user credentials will be used. If you want the currently logged in user credentials to be used for requests across the internet then you will either have to obtain the user credentials from somewhere and pass them in the http_client_config or set the underlying auto logon security level to low. This can be done by using the feature http_client_config::set_nativehandle_options(...) to access the underlying WinHttp handle for each request. Then you can call WinHttpSetOption with the WINHTTP_AUTOLOGON_POLICY low.

For Windows store/phone, IXMLHttpRequest2 underneath, does a similar thing for using the credentials of the current user. The documentation doesn't specify if it will use the current user credentials for all request including ones across the internet, but I'm sure it does at least for local intranet. Another option might be if you would like to have the user be prompted to provide credentials this could be done by using the set_nativehandle_options and calling SetProperty with the option XHR_PROP_NO_CRED_PROMPT.

In short :), first try out your scenario and the credentials of the current user will automatically be used if an intranet request. To force the default user credentials for requests going across the internet you probably will need to do more work using set_nativehandle_options or get the credentials and supply them to the http_client_config.

Jan 27, 2014 at 4:59 AM
Thanks Steve for the answer. I am using Windows.