I have a WCF web service using basicHttpBinding with NTLM hosted on IIS 7 (anonymous authentication disabled and Windows authentication enabled). AppPool using pass-through authentication. I have a console application remotely connecting to the web service.
If I connect using my domain user, the process connects successfully. If I connect using a new service account created on the domain, I get the following error:
The HTTP request is unauthorized with client authentication scheme
‘Ntlm’. The authentication header received from the server was ‘NTLM’.
The inner exception is:
The remote server returned an error: (401) Unauthorized.
Is this a problem with the domain account or my authentication scheme? The error message implies it is the authentication scheme, but why would it work under my account and not a service account created on the same domain?
Server Config
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" />
</security>
Client Consumption
public static WMServiceClient CreateWMServiceProxy()
{
var proxy = new WMServiceClient();
proxy.Endpoint.Address = new EndpointAddress( ConfigurationCache.WMServiceEndpoint );
proxy.Endpoint.Binding = new BasicHttpBinding( BasicHttpSecurityMode.TransportCredentialOnly )
{
MaxBufferSize = 2147483647,
MaxReceivedMessageSize = 2147483647
};
( (BasicHttpBinding) proxy.Endpoint.Binding ).Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
return proxy;
}
Solution: This wasn’t actually a WCF error like I was initially thinking. When I logged the Inner Exception, I discovered I was getting a ‘401 – Unauthorized’ error. Turns out the service account I created was not given remote connection access to the service host machine. Once we granted access and added the service account as a user, the process connected correctly.