SharePoint 2013/2016/2019: Use CSOM in SharePoint Site with multiple authentication schemes

Scenario

I have a SharePoint site collection which has multiple authentication schemes (say Windows NTLM, Azure AD, Okta, ADFS or any other 3rd party Identity provider) on same URL. Now when I try to connect to that site using CSOM, I will get below 403 forbidden error from SharePoint:

The remote server returned an error: (403) Forbidden.

at System.Net.HttpWebRequest.GetResponse()
    at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute()
    at Microsoft.SharePoint.Client.ClientContext.GetFormDigestInfoPrivate()
    at Microsoft.SharePoint.Client.ClientContext.EnsureFormDigest()
    at Microsoft.SharePoint.Client.ClientContext.ExecuteQuery()

Resolution:

A simple resolution is to force the request to use Windows authentication. This works well for scenarios where you want to run a tool for provisioning or do some house keeping stuff for SharePoint.

In order to force CSOM to use windows authentication you need to add below header into all requests.

“X-FORMS_BASED_AUTH_ACCEPTED” : “f”

Here value f, denotes windows auth.

Below is a sample code on how to configure this for a sample csom console application.

Create a new Class called “WindowsClientContext” which inherits CSOM ClientContext class.

class WindowsClientContext : ClientContext
     {
         public WindowsClientContext(string webUrl) : base(webUrl)
         {
             this.ExecutingWebRequest += new EventHandler<WebRequestEventArgs>(AddWindowsAuthRequestHeader); //  register a 
         }
         private void AddWindowsAuthRequestHeader(object sender, WebRequestEventArgs e)
         {
             try
             {
                 if (!e.WebRequestExecutor.RequestHeaders.AllKeys.Contains("X-FORMS_BASED_AUTH_ACCEPTED"))
                     e.WebRequestExecutor.RequestHeaders.Add("X-FORMS_BASED_AUTH_ACCEPTED", "f"); // f to denote that use windows auth
             }
             catch (Exception ex)
             {
                 Console.WriteLine(ex.Message);
                 Console.WriteLine(ex.StackTrace);
             }
         }
     }

Now in your solution use WindowsClientContext instead of ClientContext.

using (var context = new WindowsClientContext(url))
             {
                 try
                 {
                     Web web = context.Web;
                     context.Load(web);
                     context.ExecuteQuery();
                     Console.WriteLine(web.Title);
                 }
                 catch (Exception exception)
                 {
                     Console.WriteLine(exception.Message);
                     Console.WriteLine(exception.StackTrace);
                 }
             }

References:

Retrieving Data from a Multi-Authentication Site Using the Client Object Model and Web Services in SharePoint 2010

Known issue if you are using PnP : PnP clones ClientContext Object for few operations and this cloning process does not clone any web request handler attached to it.

2 responses to “SharePoint 2013/2016/2019: Use CSOM in SharePoint Site with multiple authentication schemes”

Sarat

January 28, 2021 at 6:27 pm

Hi Unnie Ayilliath, I have a SP-Online(M365) site that uses Okta SSO. Do you have any suggestions/posts on how to use CSOM with Okta SSO enabled SPO site?

1. Unnie Ayilliath
  
  February 3, 2021 at 9:33 am
  
  Hi Sarat, If you want to use CSOM and user based logon process, then you will need to use browser based authentication for that scenario. PnP has already implemented it and you can use that implementation. See here => https://gist.github.com/vman/37bab1e1d700be238011f1de23a3e275 . I have not tested out this process myself, but I think it should work for federated authentication in Azure AD.