Home/ Questions/Q 5931861
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T14:45:16+00:00

I have a test WCF 4 service running on an Windows 2008 / IIS

  • 0

I have a test WCF 4 service running on an Windows 2008 / IIS 7.5 in a domain.

I am using Windows authentication on the binding.

When I access this service from a .net windows client :

var b = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
EndpointAddress a = new EndpointAddress("http://server/TestService.svc");
TestServiceClient tsc = new TestServiceClient(b, a);

It works if I use:

 tsc.ChannelFactory.Credentials.Windows.ClientCredential = new NetworkCredential("bob.jones", "password", "DOMAIN");

It fails if I use:

tsc.ChannelFactory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

When it fails I see a 401 in Fiddler :
“401 – Unauthorized: Access is denied due to invalid credentials.”

Whe it succeeds I see the same 401 but then a 200 and I can see a kerboros ticket in the request and response.

Here is my service config:

<system.serviceModel>

<bindings>
  <basicHttpBinding>
    <binding>
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" proxyCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Seeing that no one else seems interested, I guess I’ll have to answer this myself.

    There were many little parts to the problem, but I’ll just give an overview of what I found :

    1. I had to use the provider “Negotiate:Kerberos” and not “Negotiate”.

    2. I had to configure the server principle name (spn) for the domain account I was using for the application pool :

      setspn -A HTTP/ServerName:port Domain\UserName

      setspn -A HTTP/FQDN:port Domain\UserName

    3. Another thing I noticed later on a different service, where the client app didn’t specify the exact BasicHttpSecurityMode.TransportCredentialOnly and ClientCredentialType = HttpClientCredentialType.Windows, was that different client machines required “Negotiate” and others required “Negotiate:Kerberos”. I haven’t figured out if I can control that yet.

    • 0