Preventing negotiation handshake on subsequent service calls

Question

I'm calling out to a SOAP service which uses Windows authentication. This is my configuration:

new BasicHttpBinding
{
    Security = new BasicHttpSecurity
    {
        Mode = BasicHttpSecurityMode.TransportCredentialOnly,
        Transport = new HttpTransportSecurity
        {
            ClientCredentialType = HttpClientCredentialType.Windows
        }
    },
};

And I'm setting up the credentials manually here, as the user is on a different domain:

client.ClientCredentials.Windows.ClientCredential.Domain = "...";
client.ClientCredentials.Windows.ClientCredential.UserName = "...";
client.ClientCredentials.Windows.ClientCredential.Password = "...";

I've noticed that every call I do through the client proxy is resulting in three trips:

Request: POST /EndPoint (no auth)
Response: 401 Unauthorized, WWW-Authenticate: Negotiate

Request: POST /EndPoint, Authorization: Negotiate
Response: 401 Unauthorized, WWW-Authenticate: Negotiate <gunk>

Request: Post /EndPoint, Authorization: Negotiate <gunk>
Response: 200 OK

If this only happened on the first call it wouldn't be so terrible, but it happens on all subsequent calls to the same client proxy instance.

The server I'm calling out to isn't under my control and has a not insignificant amount of latency, so I'd love to find a way to remove these redundant trips. Is it possible?

Answer 1

I've just created dummy client with WCF service using your binding settings and manual un+pwd authentication. WCF service is set up to accept Windows Authentication.

However, in my case all subsequent calls are automatically authenticated.

Request: Post /Service1.svc

Response 1:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

Response 2:

HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate xxxxxxxxxxxxxxxxxxxxxxxxxx.....

Response 3:

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 202
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Persistent-Auth: true
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate xxxxxxx....

In the response header, I have Persistent-Auth: true . Is this the same for you? If no - there are settings in IIS which can force a client to authenticate after each request - See this MSDN post.

Basically, I guess you have to have on the server:

authPersistSingleRequest =  False
authPersistNonNTLM = True

then it works.