.NET 3.5 Breaks WebDAV Authentication to Exchange

Posted on 2009-04-21
Last Modified: 2013-12-17
I have an application coded in Microsoft Visual C# 2005 Express.  The application uses WebDAV to access Outlook calendars on an Exchange 2003 server.  The application is installed on the Exchange 2003 server.  The application has been in use without any problems for a number of years.  Recently I upgraded to Microsoft Visual C# 2008 Express.  I compiled the application in C# 2008 without making any changes to the code. It compiled OK and executed OK on my test machine.  However, when I installed the updated version on my production server I was prompted to install .NET 3.5 SP1.  After installing this version of .NET the application is unable to access the Outlook calendars. It returns a 401 not authorised error.  The application still works OK on a remote machine. I tried uninstalling .NET 3.5 SP1 and recompiling the application in Microsoft C# 2005 but I am still unable to access the Outlook calendars when the application is executed on the local server.  It can, however, access the calendars OK when run on a remote server. I am sure this is something that .NET 3.5 has broken on the Exchange server.  Has anybody else experienced this issue when upgrading a server to .NET 3.5, and has anybody any suggestions how to fix this?
Question by:DCMBS

    Expert Comment

    Only issues I have heard with .NET 3.5 SP1 have been using Exchange Server 2007

    Perhaps there are some similar using 2003

    Author Comment

    This is the section of code that seems to have been broken by the installation of .NET 3.5 SP1.

    The exception is thrown at the line
               Response = (HttpWebResponse)Request.GetResponse();
    This returns the following response
              The remote server returned an error: (401) Unauthorized.
    This works OK when I run the routine on a remote server that has not had .NET 3.5 SP1 installed, and used to work OK on this machine until .NET 3.5 SP1 was installed, so it seems that .NET 3.5 SP1 changes the way the (HttpWebResponse)Request.GetResponse() is processed, or perhaps it is the way the credentials cache is handled?
    Any ideas would be appreciated.

    Code Extract.
                // Extract from a method body: strCalendarURI and OutlookQry are not
                // shown in this extract. Requires "using System;".
                string strUserName = "XXXXXXXXX";
                string strPassword = "XXXXXXXX";
                string strDomain = "XXXXXXXX";
                byte[] bytes = null;

                System.Net.HttpWebRequest Request;
                System.Net.WebResponse Response;
                System.Net.CredentialCache MyCredentialCache;
                System.IO.Stream RequestStream;
                System.IO.Stream ResponseStream;
                System.Xml.XmlDocument ResponseXmlDoc;

                try
                {
                    // Build the SQL query.

                    // Create a new CredentialCache object and fill it with the network
                    // credentials required to access the server.
                    MyCredentialCache = new System.Net.CredentialCache();
                    MyCredentialCache.Add(new System.Uri(strCalendarURI),
                       "NTLM",
                       new System.Net.NetworkCredential(strUserName, strPassword, strDomain));

                    // Create the HttpWebRequest object.
                    Request = (System.Net.HttpWebRequest)System.Net.HttpWebRequest.Create(strCalendarURI);

                    // Add the network credentials to the request.
                    Request.Credentials = MyCredentialCache;

                    // Specify the method.
                    Request.Method = "SEARCH";

                    // Encode the body using UTF-8.
                    bytes = System.Text.Encoding.UTF8.GetBytes((string)OutlookQry);

                    // Set the content type header before the request stream is opened.
                    Request.ContentType = "text/xml";

                    // Set the content header length.  This must be
                    // done before writing data to the request stream.
                    Request.ContentLength = bytes.Length;

                    // Get a reference to the request stream.
                    RequestStream = Request.GetRequestStream();

                    // Write the SQL query to the request stream.
                    RequestStream.Write(bytes, 0, bytes.Length);

                    // Close the Stream object to release the connection
                    // for further use.
                    RequestStream.Close();

                    // Send the SEARCH method request and get the
                    // response from the server.
                    Response = (System.Net.HttpWebResponse)Request.GetResponse();

                    // Get the XML response stream.
                    ResponseStream = Response.GetResponseStream();

                    // Create the XmlDocument object from the XML response stream.
                    ResponseXmlDoc = new System.Xml.XmlDocument();
                    ResponseXmlDoc.Load(ResponseStream);

                    // Release the response stream and the connection before returning.
                    ResponseStream.Close();
                    Response.Close();
                    return ResponseXmlDoc;
                }
                catch (Exception ex)
                {
                    // Catch any exceptions. Any error codes from the SEARCH
                    // method request on the server will be caught here, also.
                    Console.Out.WriteLine(DateTime.Now + " Exception Thrown in getOutlookCalendarItems()");

                    Console.Out.WriteLine(DateTime.Now + " Error accessing Outlook Calendar: " + strCalendarURI);
                    // Console.Out.WriteLine(ex.InnerException.Message);
                    return new System.Xml.XmlDocument();
                    // string temp = Console.In.ReadLine();
                }

    Accepted Solution

    I got the following response from Alan J Macfarlane on the Microsoft Developer Network > .NET Development Forums > .NET Framework Networking and Communication forum which fixed this issue

    That sounds like the documented side effect of MS08-068 on Windows authentication.  To stop authentication reflection attacks it will reject credentials that appear to come from the box, leave, and are reflected back in -- which is how your request appears to it.  See
    The simplest workaround appears to be to change the hostname/URL you use from "scheme://thisservername/" to "scheme://".  Is that possible?
    There's new support in 3.5 SP1 for client connection to apply workarounds for this change in server behaviour, see
    There are also workarounds that can be applied to the server to disable some of the checks, which will likely solve this problem but will return the server to the insecure state.


    Author Comment

    To specify the host names that are mapped to the loopback address and can connect to Web sites on a local computer, follow these steps:

    1. Click Start, click Run, type regedit, and then click OK.

    2. In Registry Editor, locate and then click the following registry key:


    3. Right-click MSV1_0, point to New, and then click Multi-String Value.

    4. Type BackConnectionHostNames, and then press ENTER.

    5. Right-click BackConnectionHostNames, and then click Modify.

    6. In the Value data box, type the host name or the host names for the sites (the host name used in the request URL) that are on the local computer, and then click OK.

    7. Quit Registry Editor, and then restart the IISAdmin service and run IISReset.
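
The accepted answer describes credentials being rejected when a request leaves the server and comes straight back to it. As an added example (not code from the original thread), this C# helper checks whether a request URL resolves to the machine it runs on, which separates that case from an ordinary credential failure; the class name, method names and sample URL are assumptions.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.NetworkInformation;
using System.Net.Sockets;

static class LoopbackAuthCheck
{
    // True when the URL's host resolves to an address owned by this machine,
    // so an authenticated request to it leaves the box and comes straight back.
    public static bool TargetsLocalMachine(Uri url)
    {
        IPAddress[] target = Dns.GetHostAddresses(url.DnsSafeHost);
        var local = NetworkInterface.GetAllNetworkInterfaces()
            .SelectMany(nic => nic.GetIPProperties().UnicastAddresses)
            .Select(u => u.Address)
            .ToList();
        return target.Any(a => IPAddress.IsLoopback(a) || local.Contains(a));
    }

    // Combines the HTTP status with the locality test into a triage message.
    public static string Diagnose(Uri url, HttpStatusCode status)
    {
        if (status != HttpStatusCode.Unauthorized)
            return "Status " + (int)status + ": not an authentication failure.";
        if (!TargetsLocalMachine(url))
            return "401 from a remote host: check the credentials, not the loopback check.";
        return "401 and '" + url.DnsSafeHost + "' resolves to this machine: consistent with "
             + "the reflection protection; this is the host name used in the request URL.";
    }

    static void Main(string[] args)
    {
        // Constructed sample URL; pass the real calendar URL as the first argument.
        var url = new Uri(args.Length > 0 ? args[0] : "http://localhost/exchange/");
        try
        {
            Console.WriteLine(Diagnose(url, HttpStatusCode.Unauthorized));
        }
        catch (SocketException ex)
        {
            // The host name could not be resolved at all.
            Console.WriteLine("Could not resolve " + url.DnsSafeHost + ": " + ex.Message);
        }
    }
}
```

Run it on the server and on the remote machine with the same URL: only the server should report that the host resolves locally, matching the behaviour described in the question.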

