I am using .Net 3.5 and attempting to configure a WCF service and am receiving the exception, The HTTP request is unauthorized with client authentication scheme ‘Negotiate’. The authentication header received from the server was ‘Negotiate,NTLM’. I have attached my server-side and client-side .config files below.
Just a couple of notes. The application and service are both using impersonation due to network access requirements. The web application resides on a different server than the WCF service. Both also have the following specified in their respective web.config files.
<authentication mode="Windows"/>
<identity impersonate="true" userName="userName" password="password"/>
Web Application (on server1)
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_IReports" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="false" proxyAddress="http://server2/Services/ReportService">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint name="BasicHttpBinding_IReports" address="http://server2/Services/ReportService/Reports.svc"
binding="basicHttpBinding" contract="WCFServiceRef.IReports" bindingConfiguration="BasicHttpBinding_IReports"
behaviorConfiguration="ClientBehavior"/>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ClientBehavior" >
<clientCredentials supportInteractive="true" >
<windows allowedImpersonationLevel="Impersonation" allowNtlm="true" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
WCF Service (on server2)
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
<bindings>
<basicHttpBinding>
<binding name="default" maxReceivedMessageSize="200000">
<readerQuotas maxStringContentLength="200000" maxArrayLength="200000"/>
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ReportService.ReportsBehavior" name="ReportService.Reports">
<endpoint address="" binding="basicHttpBinding" contract="ReportService.IReports" bindingConfiguration="default">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<endpoint name="mex" address="mex" binding="basicHttpBinding" contract="IMetadataExchange" bindingConfiguration="default"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ReportService.ReportsBehavior">
<serviceAuthorization impersonateCallerForAllOperations="false"/>
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
I thought that if I were to apply the allowNtlm="true" directive in the application that this would be fixed. It seems to me that the server is expecting Windows authentication but is not receiving it? Due to the application and service residing on different servers do I need to use the proxy values? I feel that I’m not understanding something basic but whether it’s on the server-side IIS configuration or simply in my application I don’t know.
Thanks for any help!
This sample from MSDN for basicHttpBinding with TransportCredentialOnly shows how to set it up. Your config is very similar except that it is also setting message level security. I’d try removing the message element from the config to see if that is the cause of the problem.
I don’t believe the problem is passing the impersonation credentials themselves but the TransportCredentialOnly configuration. Also, make sure IIS is configured to support Windows authentication on the WCF server.