Friday, October 2, 2009

NTLM auth fails with HttpWebRequest/WebClient, but passes with IE

On public newsgroups, I have seen a lot of postings where people complained that their managed code application, written with HttpWebRequest, and using NTLM auth to talk to a server, would fail. However, Internet explorer running on the same machine would work fine.

Here are some of the threads that show this problem:

In order to root cause this issue, you need to enable logging using System.Net tracelog ( and see the trace. If you see that the client fails with a NotSupported error, when trying to compose a Type2 message (using the response to the previous Type1 message sent by the client).

The second variable here is the operating system on both the client and server. If the OS on the client is >= Vista (for eg, any flavor of Vista or Windows7) and the OS on the server is a version before Vista, then there was a change in the way NTLM works. In vista and later operating systems, NTLM by default now requires 128bit encryption, whereas the prior OS did not.

Ok. So why does IE work on the same machine, and NTLM doesnt?

The difference is the way in which both use the NTLM SSPI package.

When HttpWebRequest uses the package, it asks for NTLMSSP_NEGOTIATE_SEAL and NTLM_NEGOTIATE_SIGN capabilities. This requres encryption. Since 128bit encryption is now required by the OS, this means that the server also has to support 128bit. If the server doesnt, then the authentication will fail.

IE does not ask for SEAL|SIGN capabilities when composing the Type2 message. So, even if the server does not support 128bit encryption, the authentication can still work.

For more details, refer to this thread on stackoverflow:

Note, that even WindowsXP/Server2003 supports 128bit encryption, just not out of the box. And on Windows7/Vista, even though 128bit is default, it can be changed by modifying the security policy. However, that might now always be possible, esp if the machine is on a domain where the policy is administered by the Domain Admin.


  1. Hi Feroze,

    nice article. I have two questions:
    Where did you get the information that Vista requires 128-bit encryption by default? And where did you get the information that Win2003 doesn't support 128-bit encryption out-of-the-box?

    AFAIK 128-bit encryption is only required by default in Win 7
    ( Also, I connected successfully from Win7 to Win2003 using HWR. I couldn't find any information about Win2003 not supporting 128-bit by default.


  2. Hi Feroze:

    I'm not one to usually complain; however, you did such a good job of explaining the problem but you gave no solution. I still need to request a page from an IIS6 server while running my application on win7. I cant change the setting on my win7 box, thank you cyber Security. Is there a workaround I just cant find?