Accessing on-premise Dynamics v8 via OData using RestSharp/System.Net.Http

grinsehinze 96 Reputation points
2020-12-08T14:20:34.863+00:00

Hi there!

I'm trying to access data from our on-premise Dynamics (v8) via OData WebService using RestSharp / System.Net.Http but in this case i'm kind of stuck. I fiddled around a couple of days now and the problem seems to be somewhere around the authentication but I don't know what I'm doing wrong. The URL I'm sending a GET-Request to is

https://host.fqdn/systemenv01/api/data/v8.2/$metadata

using a valid windows domain user account which is able to log on to the dynamics normally.
When I try this in Firefox or the latest version of Postman (v7.36) using NTLM-Auth I get a proper metadata xml as the result. But when I try the same using RestSharp or simply System.Net.Http I only get a HTTP401-Unauthorized as response. What I tried to do is setting the user credentials as NetworkCredentials like

var client = new RestClient(Url);
var request = new RestRequest(Method.GET);
client.FollowRedirects = true;
client.Timeout = -1;
client.PreAuthenticate = true;
request.Credentials =
new NetworkCredential(User, Password);

but this doesn't seem to make any difference at all. Interestingly the response contains a Header with name "WWW-Authentication" and value "Negotiate some.encrypted.string" but I don't know what I should use this for. Would be great if someone could help me get this solved!

Thanks in advance!
regards

Markus

.NET Runtime
.NET Runtime
.NET: Microsoft Technologies based on the .NET software framework.Runtime: An environment required to run apps that aren't compiled to machine language.
1,125 questions
Accepted answer
  1. grinsehinze 96 Reputation points
    2020-12-09T11:15:34.657+00:00

    Hi folks,

    after another couple of hours of googling through the internet and fiddling around this problem I found something very interesting.
    The authentication works perfectly when I replace the domain name of the Dynamics system by its IP address. I do not know this for sure but this domain is below the TLD .dev which has HSTS activated by default (thanks google!). I even tried connecting using another FQDN from another TLD (which was .net) and this worked perfectly as well.
    Therefore I conclude the issue is originated in the configuration and handling of HSTS.

    Thanks to all!

    Kind regards
    Markus

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jerry Cai-MSFT 986 Reputation points
    2020-12-09T09:15:04.63+00:00

    Hi,grinsehinze-6718

    The HTTP 401 Unauthorized client error status response code indicates that the request has not been applied because it lacks valid authentication credentials

    for the target resource.

    To authenticate through the server, you can add credentials in the Authorization request header (Using RestSharp (also this link) or HttpClient): 

    RestSharp:
var client = new RestClient("http://example.com");
client.Authenticator = new SimpleAuthenticator("username", "foo", "password", "bar");
var request = new RestRequest("resource", Method.GET);

    Or 

    HttpClient:
client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic",Convert.ToBase64String(byteArray));

    About why you can work on firefox, you could have already authenticated on firefox while you didn't do the same on the other browsers.

    Best Regards,
    Jerry Cai

    If the answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. grinsehinze 96 Reputation points
    2020-12-09T09:41:01.67+00:00

    Hi JerryCai-MSFT,

    for starters, thank you very much for your answer!
    I tried applying the Authentication using the SimpleAuthenticator or setting the AuthHeaderValue directly but that doesn't help. As I stated in my initial question, the server response includes a header value "WWW-Authenticate = Negotiate".
    After some googling I came across this article which describes this kind of response as the server requires a Kerberos ticket for authorization. Sadly, implementing this in a prototype program using Nuget-Package Kerberos.NET did not lead to success.

    The difference between the browsers is somewhere way deeper in their code. I tried monitoring them through their build-in dev-tools.
    In Firefox I see three requests that are kind of bundled to one. I can only watch details of the last request which contains a request-header "Authorization = NTLM encryptedtoken". This request is honored with a HTTP200 with valid metadata by the server.
    Whereas in Edge Chromium there is just one request reoccuring every time I provide the user credentials the browser is prompting for.

    Thank you for you assistance!

    Best regards
    Markus

    0 comments