Passing NTLM credentials to remote web service

I would like to pass NTLM credentials to a remote web service.

I load my page from rm1.domain.com and in its Javascript, a web service on rm2.domain.com is called.

I would like the web service called to be able to read the NTLM credentials of the user doing the calling, but I am running into some issues.

Scenario A (won't work)

If I have the following in my config file:

<webHttpEndpoint>
  <standardEndpoint name=""
                    automaticFormatSelectionEnabled="true"
                    crossDomainScriptAccessEnabled="true">
    <security>
      <transport clientCredentialType="Ntlm"></transport>
    </security>
  </standardEndpoint>
</webHttpEndpoint>

and only Windows Authentication enabled in IIS, I get the expected:

[screenshot]

Scenario B (won't work)

I have the following in my config file

<webHttpEndpoint>
  <standardEndpoint name="" automaticFormatSelectionEnabled="true">
      <security>
        <transport clientCredentialType="Ntlm"></transport>
      </security>
  </standardEndpoint>
</webHttpEndpoint>

and the following in my JavaScript:

jQuery.ajax({
    url: "http://rm2.domain.com/getInfo?name=bobsyouruncle",  // closing quote was missing
    dataType: "json",
    async: false,   // synchronous XHR; blocks the UI thread until the call returns
    success: function(data) {
        console.log('woot');
    },
    error: function(ex) {
        console.log(ex);
    }
});

and only Windows Authentication enabled in IIS, the browser throws:

  • GET http://rm2.domain.com/getInfo?name=bobyouruncle 401 (Unauthorized) jquery-1.10.1.min.js:6
  • XMLHttpRequest cannot load http://rm2.domain.com/getInfo?name=bobyouruncle. Origin http://rm1 is not allowed by Access-Control-Allow-Origin. jquery-1.10.1.min.js:6

If I change my JavaScript to JSONP, then I get nothing, but that's not unexpected either, as I removed crossDomainScriptAccessEnabled="true" from the web.config. But as you will see in scenario C, you can't have crossDomainScriptAccessEnabled="true" with an authentication scheme enabled.

Scenario C (won't pass credentials)

If rm2's web service's web.config is like scenario B, IIS anonymous authentication is enabled (and Windows auth is disabled), and jQuery's request is JSONP, then the service returns data, but the authentication information isn't passed.

Bottom Line (TL;DR): Is there a way to leave my web service as IIS anonymous, with the cross-domain tag in its web.config, pass the domain (NTLM) credentials from the browser, and parse them in the code-behind of my web service?

The documentation and sheer number of options is overwhelming and confusing.

Matt asked Nov 11 '22 22:11
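The failure in scenario B has two independent causes that the question's setup does not separate: the cross-origin XHR is sent without credentials, so the browser never answers rm2's NTLM 401 challenge, and rm2's response carries no Access-Control-Allow-Origin header, so the browser refuses to hand the response to script regardless. The following is an added example, not code from the question or the answer, showing both halves: the client-side flag that makes the browser attach credentials, and the server-side CORS headers a browser will accept for a credentialed response (the exact origin echoed back, never "*", plus Access-Control-Allow-Credentials: true). The host names come from the question; the allow-list, function names and the simulation helper are assumptions made for this example.

```javascript
// Added example (not code from the question or answer). Two halves of a
// credentialed cross-origin call:
//   1. the browser must be told to send credentials on the XHR, otherwise it
//      never completes the NTLM handshake with rm2;
//   2. rm2 must answer with CORS headers a browser accepts for a credentialed
//      response: the exact Origin echoed back (never "*") and
//      Access-Control-Allow-Credentials: true.
// Host names come from the question; the allow-list and function names are
// assumptions made for this example.

// Origins permitted to call rm2 with credentials. The error in the question
// shows the browser sending "Origin http://rm1", so that exact string must be
// listed; "http://rm1.domain.com" is a different origin to the browser.
const ALLOWED_ORIGINS = new Set(['http://rm1', 'http://rm1.domain.com']);

// Client side: jQuery.ajax settings for a credentialed cross-origin GET.
function credentialedAjaxSettings(url) {
  return {
    url,
    dataType: 'json',
    // Tell the browser to attach credentials (cookies, NTLM/Negotiate) to the
    // cross-origin XHR. Without this the 401 challenge is left unanswered.
    xhrFields: { withCredentials: true },
  };
}

// The same request expressed with fetch().
function credentialedFetchOptions() {
  return { method: 'GET', mode: 'cors', credentials: 'include' };
}

// Server side (what the rm2 service must add to its response). Returns null
// for origins not on the list, so no CORS headers are sent and the browser
// blocks the read. Echoing every Origin with credentials=true would let any
// site call the service with the user's domain identity, so never do that.
function corsHeadersFor(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return null;
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// The check a browser applies before handing a credentialed cross-origin
// response to script. The "Origin ... is not allowed by
// Access-Control-Allow-Origin" message in the question is this check failing.
function browserAcceptsCredentialedResponse(pageOrigin, responseHeaders) {
  if (!responseHeaders) return false;
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  // "*" is refused when credentials are included; the match must be exact.
  return acao === pageOrigin && acac === 'true';
}

// Walk one request through both halves. Passing the question's original
// settings (no xhrFields) reproduces the unanswered 401; serviceSendsCors=false
// reproduces scenario B, where rm2 answers with no CORS headers at all.
function simulateCall(pageOrigin, ajaxSettings, serviceSendsCors) {
  if (!ajaxSettings.xhrFields || ajaxSettings.xhrFields.withCredentials !== true) {
    return 'no-credentials';
  }
  const headers = serviceSendsCors ? corsHeadersFor(pageOrigin) : null;
  return browserAcceptsCredentialedResponse(pageOrigin, headers) ? 'ok' : 'blocked';
}

const URL = 'http://rm2.domain.com/getInfo?name=bobsyouruncle';
console.log(simulateCall('http://rm1', { url: URL, dataType: 'json', async: false }, true)); // no-credentials
console.log(simulateCall('http://rm1', credentialedAjaxSettings(URL), false));                // blocked (scenario B)
console.log(simulateCall('http://rm1', credentialedAjaxSettings(URL), true));                 // ok
console.log(simulateCall('http://attacker.example', credentialedAjaxSettings(URL), true));    // blocked
```

Two caveats worth knowing before wiring this into IIS. First, a CORS preflight (OPTIONS) is always sent without credentials, so an IIS site with only Windows Authentication enabled answers the preflight with 401 and the real request is never made; the plain GET in the question needs no preflight (jQuery adds X-Requested-With only on same-origin requests), which is why the NTLM handshake can proceed on the request itself. Second, with a single calling origin the two static headers can be set in rm2's web.config under system.webServer/httpProtocol/customHeaders, leaving Windows Authentication on and clientCredentialType="Ntlm" in place; a dynamic echo as in corsHeadersFor above is only needed when several origins must be served, and it must stay behind an allow-list.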


1 Answer

Have a look at this, there are some interesting points made on the use of NTLM and Impersonation.

The HTTP request is unauthorized with client authentication scheme 'Ntlm'

I know your question is not WCF specific, but some of the points raised bear relevance to your scenario.

The last comment, saying to set authenticationScheme and proxyAuthenticationScheme to "Ntlm", is an interesting one for you.

FlemGrem answered Nov 14 '22 23:11