I’ve got a WCF service that’s running on IIS 6, with integrated authentication and impersonation using NTLM.

Relevant portions of Web.Config

  <system.web>
    <identity impersonate="true"/>
    <customErrors mode="Off"></customErrors>
  </system.web>
    <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    ...
  </system.web>
  ...
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding">
      <security mode="Transport">
        <transport clientCredentialType="Ntlm" />
      </security>
    </binding>
   </wsHttpBinding>

I just added the aspNetCompatibility because I want to know who the user is that’s logged in (at least as far as IIS is concerned). From the few searches I’ve done that’s how you get the user.

Well, after adding that line and publishing my server I get what’s possibly the stupidest error I’ve seen:

The HTTP request is unauthorized with client authentication scheme ‘Ntlm’. The authentication header received from the server was ‘NTLM’.

I thought, “Well obviously they’re doing a very case-sensitive comparison.” So I searched my entire client solution for Ntlm and replaced all non-variable occurrences with NTLM. No luck.

My primary goal, of course is to get whatever user was authenticated through IIS+NTLM. If I’m going about it the wrong way, I’d be happy to know of an easier/better way. Otherwise, how do I tell my client (or my server) that it’s OK to go ahead and authenticate?