


I'm experiencing some odd behaviour (meaning I don't understand what's happening) and I'd like some help fixing it if possible.

我们有一些Dynamics 365 NAV商业中心Web服务公开了带有SSL证书的安全性,我们正在使用某些标准C#代码进行访问.

We have some Dynamics 365 NAV Business Central web services exposed an secure with an SSL ceritificate, which we're accessing using some standard C# code.

我们已经将SOAP代理添加到ASP .NET Webforms应用程序中,并且一切正常.

We've added the SOAP proxy to an ASP .NET Webforms application and this is all working as expected.


We then declare an instance of the web service, set the credentials using a new NetworkCredential instance, and set the web service to use PreAuthenticate, then call the method on our service.

public static bool CheckServiceStatus()
    bool returnValue = false;
        svcWebServiceServer webService = new svcWebServiceServer();
        webService.Credentials = new NetworkCredential(Globals.WebServiceUsername, Globals.WebServicePassword, Globals.WebServiceDomain);
        webService.PreAuthenticate = true;
        webService.FncServiceStatus(ref returnValue);
    catch (Exception ex)
        LoggingFunctions.WriteMessageToDisk("CheckServiceStatus error : " + ex.Message);
    return returnValue;


When we look at the logs for this in Fiddler, we se that the service is called twice. The first time the call is made, we get a 401 error which responds telling us we must use NTLM, the second call is then made with a longer NTLM key and the call succeeds and we get our data...




Can anyone tell me how to make the web service call so it authenticates first time? The 401s are being picked up as a DDOS style attack and then traffic is being blocked.


I have tried changing the way the credentials are passed, but this has made no difference...

public static bool CheckServiceStatus()
    bool returnValue = false;
        svcWebServiceServer webService = new svcWebServiceServer();
        CredentialCache credCache = new CredentialCache();
        credCache.Add(new Uri(webService.Url), "NTLM", new NetworkCredential(Globals.WebServiceUsername, Globals.WebServicePassword, Globals.WebServiceDomain));
        webService.Credentials = credCache;
        webService.PreAuthenticate = true;
        webService.FncServiceStatus(ref returnValue);
    catch (Exception ex)
        LoggingFunctions.WriteMessageToDisk("CheckServiceStatus error : " + ex.Message);
    return returnValue;


根据本文- https://docs.microsoft.com/zh-CN/archive/blogs/chiranth/ntlm-want-to-know-how-it-可行-NTLM以挑战响应的方式工作.

As per this article - https://docs.microsoft.com/en-gb/archive/blogs/chiranth/ntlm-want-to-know-how-it-works - NTLM works in a challenge response manner.


The first time the web service is called (even if you specify NTLM in a credentialCache object), it seems as though the first request is sent anonymously.


The server then responds with a 401, and some WWW-Authenticate headers specifying that the service requires authentication details via NTLM. This is the first 401.


The client (C# application) then sends a new request that includes the NTLM header which includes an encoded value representing the Username, computername and domain.


The server passes the request on to the authenticating server which generates a challenge and this is sent back to the client, in another 401 response. This is the second 401.


Once the challenge is received by the client, it calculates a hash value based on the challenge and the password, which is sent back to the web service. The authenticating server compares this hash with its own hash, and - so long as the credentials are correct - passes authentication, and a 200 response is returned, along with the results of the web service call the client made initially.

当我们在代码中添加PreAuthenticate = true时,我们只需绕过第一步就直接传递NTLM用户名,计算机名和域.这样会将401的数量从2个减少到1个.

When we add PreAuthenticate = true to our code, we simply pass the NTLM username, computername and domain up front, bypassing the first step. This reduces the number of 401s from 2 to 1.


I do not claim to be an expert in the field of authentication, but after reading the page linked above and carrying out a number of tests, this is what we have found. If anyone would like to comment/correct me, please feel free.

出于完整性考虑,我们已开始调查"UserName"Dynamics 265设置中的身份验证方法可访问Dynamics NAV 2018 Web服务,该身份验证将此身份验证传递到Dynamics NAV 365的控件,这意味着我们不会收到401s.但是,由于使用Digest,我们现在无法在浏览器中访问Web服务,并且我们似乎无法通过浏览器进行身份验证,并收到400个错误.

For completeness, we have started to investigate the "UserName" authentication method in the Dynamics 265 setup to access Dynamics NAV 2018 web services, which pass this authentication to the control to Dynamics NAV 365, which means we get no 401s. However, we are now unable to access the webservices in a browser as this uses Digest, and we seem to be unable to authenticate with the browser, and get 400 errors.


08-04 06:46