Unnie Ayilliath

Microsoft 365 | Azure | Identity Solutions

SharePoint 2013/2016/2019: Use CSOM in SharePoint Site with multiple authentication schemes


I have a SharePoint site collection which has multiple authentication schemes (say Windows NTLM, Azure AD, Okta, ADFS or any other 3rd party Identity provider) on same URL. Now when I try to connect to that site using CSOM, I will get below 403 forbidden error from SharePoint:

The remote server returned an error: (403) Forbidden.

at System.Net.HttpWebRequest.GetResponse()
    at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute()
    at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()
    at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()
    at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()


A simple resolution is to force the request to use Windows authentication. This works well for scenarios where you want to run a tool for provisioning or do some house keeping stuff for SharePoint.

In order to force CSOM to use windows authentication you need to add below header into all requests.


Here value f, denotes windows auth.

Below is a sample code on how to configure this for a sample csom console application.

Create a new Class called “WindowsClientContext” which inherits CSOM ClientContext class.

Register a web request event handler for the ClientContext, and in this handler add the above request header.

class WindowsClientContext : ClientContext
         public WindowsClientContext(string webUrl) : base(webUrl)
             this.ExecutingWebRequest += new EventHandler<WebRequestEventArgs>(AddWindowsAuthRequestHeader); //  register a 
         private void AddWindowsAuthRequestHeader(object sender, WebRequestEventArgs e)
                 if (!e.WebRequestExecutor.RequestHeaders.AllKeys.Contains("X-FORMS_BASED_AUTH_ACCEPTED"))
                     e.WebRequestExecutor.RequestHeaders.Add("X-FORMS_BASED_AUTH_ACCEPTED", "f"); // f to denote that use windows auth
             catch (Exception ex)

Now in your solution use WindowsClientContext instead of ClientContext.

using (var context = new WindowsClientContext(url))
                     Web web = context.Web;
                 catch (Exception exception)


Retrieving Data from a Multi-Authentication Site Using the Client Object Model and Web Services in SharePoint 2010

Known issue if you are using PnP : PnP clones ClientContext Object for few operations and this cloning process does not clone any web request handler attached to it.

Published by

2 responses to “SharePoint 2013/2016/2019: Use CSOM in SharePoint Site with multiple authentication schemes”

  1. Hi Unnie Ayilliath, I have a SP-Online(M365) site that uses Okta SSO. Do you have any suggestions/posts on how to use CSOM with Okta SSO enabled SPO site?

    1. Hi Sarat, If you want to use CSOM and user based logon process, then you will need to use browser based authentication for that scenario. PnP has already implemented it and you can use that implementation. See here => https://gist.github.com/vman/37bab1e1d700be238011f1de23a3e275 . I have not tested out this process myself, but I think it should work for federated authentication in Azure AD.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Website Powered by WordPress.com.

%d bloggers like this: