HttpClient 401 Unauthorized exception 'The system cannot contact a domain controller to service the authentication request.'

Question

I get 401 Unauthorized error with exception when attempting to connect to a remote ASP.NET web api using HttpClient:

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The system cannot contact a domain controller to service the authentication request. Please try again later
at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)
at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob)
at System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate)
at System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials)
at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials)
at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo)
at System.Net.HttpWebRequest.CheckResubmitForAuth()
at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()
at eNett.Contracts.Client.ClientApiProxy.<GetUsers>b__26_0(Task`1 response) in C:\eNett\Git\sl-ct\Client\eNett.Contracts.Client\ClientApiProxy.cs:line 361
at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()

I have the following setup:

1. ASP.NET Web API hosted on server A

i.e.

HttpListener listener = (HttpListener)app.Properties["System.Net.HttpListener"];
            listener.AuthenticationSchemes = 
AuthenticationSchemes.IntegratedWindowsAuthentication;

2. ASP.NET Windows service hosted either on server A/ localhost connecting to the web API:

i.e.

     var httpClient = new HttpClient(new HttpClientHandler() 
     { 
     UseDefaultCredentials = true 
     }) 
     { 
        BaseAddress = new Uri(baseUri) 
     };
     var request = new HttpRequestMessage
     {
            Method = HttpMethod.Get,
            RequestUri = BuildUri(relativeUri, parameters),
     };
    httpClient.SendAsync(request, cancellationToken);

The authentication works when:

• I host the web api on my local PC and call using local client

• web api on server A is called from a web browser on my local PC

The server A and my local PC are using:

• same domain
• same AD credentials for web api and the client
• HTTPS/SSL connection

I tried a lot of things so far but any suggestion would be great.

UPDATE: Found out that loopback check was the issue https://blogs.technet.microsoft.com/scottstewart/2014/09/15/disableloopbackcheck-when-routing-through-a-load-balancer-powershell-sample-included/ Requesting via the server A's FQDN caused error but using its IP worked. Looking into setting up SPN for server A to solve this issue now.

Answer 1

Found out that loopback check was the issue https://blogs.technet.microsoft.com/scottstewart/2014/09/15/disableloopbackcheck-when-routing-through-a-load-balancer-powershell-sample-included/ Requesting via the server A's FQDN caused error but using its IP worked. Looking into setting up SPN for server A to solve this issue now.