Disclaimer: I'm still getting acquainted with Windows Store Apps, so I could be totally wrong; proceed with caution.

It's been a while since I last wrote a blog post, and it's 4 AM right now, this may give you an idea why I had to get this out. Hopefully I may save poor souls that are destined to fall into the same pit.

I've been writing a small app for fun, and I have a client that uses NTLM to connect to a WCF endpoint using the default network credentials:

client.ClientCredentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

Looks good, right? It didn't work; it throw an exception with the following message:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'

As you can see, the message is not very useful, and I binged and binged, but all attempts to fix the issues were in vain. Then, for some reason, I stumbled upon this post which had a screenshot of app capabilities (which was news to me), the moment I saw "Enterprise Authentication", I knew it's the key to my issue.

One click and I was good to go. Sadly, the documentation of CredentialCache.DefaultNetworkCredentials doesn't mention that dependency (I sent feedback to add more details about this).

Here's the relevant excerpt from the MSDN article about app capabilities:

Special use capabilities

Special use capabilities are intended for very specific scenarios. Use of these capabilities is highly restricted and subject to additional Windows Store onboarding policy and review. There are cases where such capabilities are necessary and appropriate, such as banking with two-factor authentication, where users provide a smart card with a digital certificate that confirms their identity. Other apps may be designed primarily for enterprise customers and may need access to corporate resources that cannot be accessed without the user’s domain credentials.

Apps that apply the special use capabilities require a company account to submit them to the Windows Store. For more information about company accounts, see Registering for a Windows Store developer account.

Enterprise authentication

Windows domain credentials enable a user to log into remote resources using their credentials, and act as if a user provided their user name and password. The enterpriseAuthentication capability is typically used in line-of-business apps that connect to servers within an enterprise.

You don't need this capability for generic communication across the internet.

The enterpriseAuthentication capability is intended to support common line-of-business apps. Don't declare it in apps that don't need to access corporate resources. The file picker provides a robust UI mechanism that enables users to open files on a network share for use with an app. Declare the enterpriseAuthentication capability only when the scenarios for your app require programmatic access, and you cannot realize them by using the file picker.