There are 5 projects here:
- HttpApiServer - A simple HTTP server adapted from an SDK sample for the HTTP Server 2.0 API in the Win7 SDK. It enables Negotiate and listens for any incoming GET request on port 9002. It takes an optional argument. If specified, the `WWW-Authenticate` header in the final 200 response will be set to that value instead of letting `http.sys` insert the appropriate header for mutual auth. This can be used to demonstrate that (A) `http.sys` puts the right header in if you leave things alone and (B) `HttpWebRequest` does not actually perform mutual authentication checks, despite what it claims. If you have this server return "garbage", `HttpWebRequest` will still tell you that mutual auth succeeded, as long as Kerberos was used rather than NTLM for client authentication.
- HttpListenerServer - Simple `HttpListener` server in .NET Core, used to validate that proposed changes to `HttpListener` work as expected (set the right header value).
- TestHttpListenerNetCore - .NET Core test client that uses `HttpClient` to hit a URL with default credentials.
- TestHttpListenerNetFx - .NET Framework test client that uses `HttpWebRequest` and `HttpClient` to hit a URL with default credentials. `HttpWebRequest`s are sent with all possible `AuthenticationLevel` values to show differences (or not) in behavior.
- TestHttpListenerPython - A short Python script using requests-kerberos to hit a specified URL using Kerberos (via Negotiate) for authentication. This script will fail against an unmodified `HttpListener`. It will work against conforming web servers and the modified `HttpListener`. This script works in UNIX or Windows, though you'll need to do a bit of legwork in UNIX to have a valid Kerberos config. You'll also need to `pip install requests-kerberos`.
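
The header that HttpApiServer can override and that TestHttpListenerPython depends on can be inspected offline. The following is an added example, not code from these projects: it classifies the `WWW-Authenticate` value of the final 200 response to show whether a client has any server token to verify. The function names and result labels are hypothetical, and a token being present is only a precondition; real verification means passing it to the client's GSSAPI/SSPI context.

```python
import base64
import binascii
import re

# "Negotiate <base64 token>", possibly one of several comma-separated challenges.
_NEGOTIATE = re.compile(
    r"(?:^|,\s*)Negotiate\s+([A-Za-z0-9+/=]+)\s*(?:,|$)", re.IGNORECASE
)


def classify_final_www_authenticate(header_value):
    """Classify the WWW-Authenticate value of the final (post-auth) response.

    Returns 'missing', 'no-negotiate-token', 'not-base64', 'ntlm',
    'gss-token' or 'unknown-token'.
    """
    if not header_value:
        return "missing"  # nothing for the client to verify
    match = _NEGOTIATE.search(header_value)
    if not match:
        return "no-negotiate-token"  # e.g. the "garbage" test value
    try:
        token = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # NTLM message signature, not a Kerberos reply
    # 0xa1: SPNEGO negTokenResp; 0x60: GSS-API framed mechanism token.
    if token[:1] in (b"\xa1", b"\x60"):
        return "gss-token"
    return "unknown-token"


def can_attempt_mutual_auth(header_value):
    """True only when there is a server token to feed to the GSS context."""
    return classify_final_www_authenticate(header_value) == "gss-token"


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    fake_resp = base64.b64encode(b"\xa1\x03\x02\x01\x00").decode()
    for value in (None, "garbage", "Negotiate", "Negotiate " + fake_resp):
        print(repr(value), "->", classify_final_www_authenticate(value))
```

A client that reports mutual authentication as successful when this classifier returns anything other than `gss-token` cannot have checked a server token.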