SharePoint 2007 Web Services and Forms Authentication

It is probably no secret to most SharePoint developers that Microsoft provides web services to access SharePoint services. Unlike the traditional, object model approach, these web services provide a level of flexibility – client code does not have to execute on the same server as the queried SharePoint site. Client code can query SharePoint services from anywhere remote as long as the /_vti_bin/ relative URL of the SharePoint site is accessible.

Accessing a SharePoint web service usually involves an authentication step because some of the queried objects (lists) are not accessible to anonymous users, regardless of the access permissions of the web service.

When using the default NTLM/Windows authentication scheme, assigning a new System.Net.NetworkCredential object to the Credentials property of the service proxy object is enough to get you on the road. Thus so (C#):

proxyObj.Credentials = new NetworkCredential(“username”, “password”, “domain”);

However, if your site used forms-based authentication you need to do a little more work:

   1: // Authenticate
   2: Authentication auth = new Authentication();
   3: auth.CookieContainer = new CookieContainer();
   4: LoginResult result = auth.Login("username", "password");
   5: if (result.ErrorCode == LoginErrorCode.NoError)
   6: {
   7:     // No error, so get the cookies.
   8:     CookieCollection cookies = auth.CookieContainer.GetCookies(new Uri(auth.Url));
   9:     Cookie authCookie = cookies[result.CookieName];
  10:     Lists lists = new Lists();
  11:     lists.CookieContainer = new CookieContainer();
  12:     lists.CookieContainer.Add(authCookie);
  13:     lists.GetListCollection();
  14: }

In the example code above, Authentication is the proxy object to the /_vti_bin/Authentication.asmx service and Lists is the proxy object to

/_vti_bin/Lists.asmx service.

The authentication service passes the supplied credentials to SharePoint, which in turn uses the current membership provider tied to the forms-authentication scheme. Upon successful authentication, the code above extracts the returned cookie (containing the security ticket) and passes it to the lists web service as part of the subsequent call.

7 thoughts on “SharePoint 2007 Web Services and Forms Authentication

  1. Chris Poteet

    Thanks for this. My SP provider recently switched to forms-based authentication, and it bugs me to no end with the lack of office integration. Namely, the cookie keeps expiring and I have to keep logging in. There are other problems with checking in, etc.

    Is the only way to truly make this persistent is to have the cookie expire at a much later date? When it used active directory I didn’t have these problems.

  2. http://

    i am getting error:
    Exception of type ‘Microsoft.SharePoint.SoapServer.SoapServerException’ was thrown.

    while trying AddUserToGroup() method of UserGroups service for a forms authentication based sharepoint site. I followed the procedure explained here.
    auth.Login() method is working fine with condition
    if (result.ErrorCode == LoginErrorCode.NoError) satisfied.
    but when it comes to AddUserToGroup() its giving me above error.
    I am trying all hardcoded parameter for test. all are very fine. but could not escape from this error.
    Can you please guide me for this.


  3. http://

    the moment it comes to the following line, it says “Cannot connect to server. Access denied”.

    LoginResult result = auth.Login(“username”, “password”);

    I am passing correct credentials, but dont know why it gives error?
    Do you have any idea why is it happening??

Comments are closed.