CAtlHttpClient and NTLM authentication
I’m working on a customer problem that revolves around NTLM authentication. To cut a long story short, it seems that customer’s client (which builds on ATL Server*) stopped authenticating its requests with IIS. While the actual cause of customer’s problem is still being investigated, I’ve already found one possible reason for such a behavior.
This is a breaking change in ATL Server that dates back to Visual Studio 2005. It makes CAtlHttpClient refrain from authentication if the Internet Explorer security zone policy does not allow sending user credentials silently to the remote host, determined by its URL. Following is the identical code snippet from latest CodePlex version, atlhttp.inl @ line 1259:
DWORD dwPolicy=0xFFFF;
hr=spSecurityMgr->ProcessUrlAction(strUrlW.GetString(),
URLACTION_CREDENTIALS_USE,
reinterpret_cast<BYTE*>(&dwPolicy),
sizeof(dwPolicy),
NULL,
0,
PUAF_NOUI,
NULL);
if (FAILED(hr) || dwPolicy != URLPOLICY_CREDENTIALS_SILENT_LOGON_OK)
{
return false;
}
This code essentially queries IInternetSecurityManager::ProcessUrlAction for security policy that applies to the URL. This is the same policy system that Internet Explorer uses. If the policy doesn’t allow silent logon using the current user’s credentials, we don’t authenticate.
The solution here is to add the URL to a privileged zone and in Internet Explorer, and enable “User Authentication – Logon – Automatic Logon with current username and password” in custom level for that zone. Note that the zone could be either Intranet or Trusted sites, but the default “Anonymous logon only in Intranet zone” doesn’t appear to be sufficient.
* Beginning with Visual Studio 2008, ATL Server and Tools is not part of the product any more. Instead, it became an open-source project on CodePlex. This also means that there’s no support for ATL Server and Tools versions that you can download from CodePlex. Of course, the previous version of ATL Server and Tools is supported within the timeline of Visual Studio 2005 life cycle.