To run WebDav queries against Exchange folders from ASP.NET, use Kerberos.

I am using a WebDav query to search e-mails and public folders from Exchange Server 2003. The code is based on the Visual Basic .NET sample http://msdn.microsoft.com/library/default.asp?url=/library/en-us/e2k3/e2k3/_exch2k_searching_folders_http.asp


However, when I started to test the code with impersonation, I got a problem. The scenario was the following:


I am using a client on a workstation running IE6 that logs in to an ASP.NET web server using Windows Authentication with impersonation. The server's ASP.NET page uses WebDav to access Exchange Server 2003.


The WebDav request failed with “The remote server returned an error: (401) Unauthorized”.


If the client is running the IE browser on the Web Server, WebDav queries succeed.
I’ve changed the Web Server to “trust this computer to delegate”, but the error was the same.


The solution is to use “Negotiate” (or “Kerberos”) instead of NTLM when calling MyCredentialCache.Add.



// Requires: using System; using System.Net;
CredentialCache cache = new CredentialCache();

// Credentials of the identity the current thread runs as (the impersonated user).
NetworkCredential credential1 = (NetworkCredential) CredentialCache.DefaultCredentials;

// from http://blogs.msdn.com/buckh/archive/2004/07/28/199706.aspx
// Depending upon the IIS configuration, that may be negotiate, NTLM, Kerberos, basic, or digest authentication.
// "Negotiate" negotiates with the client to determine the authentication scheme. If both client and server support Kerberos, it is used; otherwise NTLM is used.
string authType = "Negotiate"; // The authentication scheme used by the resource named in uriPrefix.

// If Kerberos is unavailable, there can be a 15-second delay (from http://blogs.msdn.com/buckh/archive/2004/07/28/199706.aspx#217098)
// strRootURI is the root URI variable used in the sample code referenced above.
cache.Add(new Uri(strRootURI), authType, credential1);

It is also important to ensure that both the Web Server and the impersonated user account are “Trusted for delegation” (see ASP.NET and Exchange tips and samples and How To: Implement Kerberos Delegation for Windows 2000).
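
The following is an added example, not code from the original post or from the MSDN sample. It puts the Negotiate credential cache into a complete SEARCH request and adds a diagnostic that reports whether the impersonated token can be used for a second hop. The class and method names are hypothetical, and it assumes .NET 2.0 or later (for WindowsIdentity.ImpersonationLevel and CredentialCache.DefaultNetworkCredentials).

```csharp
using System;
using System.IO;
using System.Net;
using System.Security;
using System.Security.Principal;
using System.Text;

// Hypothetical helper class; call both methods from inside the impersonated ASP.NET request.
public static class ExchangeDavSearch
{
    // Reports which identity the thread runs as and whether its token can be delegated.
    public static string DescribeIdentity()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        // The hop from the web server to Exchange needs a token at Delegation level.
        // An NTLM logon gives at most Impersonation, which is valid on the web server
        // only, so the request to Exchange fails with 401. A thread that is not
        // impersonating reports None.
        bool canDelegate = id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        return String.Format("user={0} auth={1} level={2} canDelegate={3}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel, canDelegate);
    }

    // Sends a WebDAV SEARCH to folderUri and returns the 207 Multi-Status XML body.
    public static string Search(string folderUri, string sqlQuery)
    {
        CredentialCache cache = new CredentialCache();
        // "Negotiate" lets the request use Kerberos when both sides support it.
        cache.Add(new Uri(folderUri), "Negotiate", CredentialCache.DefaultNetworkCredentials);

        // Escape the query so quotes and angle brackets cannot break the XML body.
        string body = "<?xml version=\"1.0\"?><D:searchrequest xmlns:D=\"DAV:\"><D:sql>"
            + SecurityElement.Escape(sqlQuery) + "</D:sql></D:searchrequest>";
        byte[] bytes = Encoding.UTF8.GetBytes(body);

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(folderUri);
        request.Credentials = cache;
        request.Method = "SEARCH";
        request.ContentType = "text/xml";
        request.ContentLength = bytes.Length;
        using (Stream stream = request.GetRequestStream())
            stream.Write(bytes, 0, bytes.Length);

        using (WebResponse response = request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream(), Encoding.UTF8))
            return reader.ReadToEnd();
    }
}
```

Logging the output of DescribeIdentity() next to a failing request shows whether the 401 comes from a token that was never delegable, rather than from Exchange permissions.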


Related post: Configure Exchange Server 2003 for WebDav queries.