4
votes

I have a WCF web service using basicHttpBinding with NTLM hosted on IIS 7 (anonymous authentication disabled and Windows authentication enabled). The AppPool uses pass-through authentication. I have a console application remotely connecting to the web service.

If I connect using my domain user, the process connects successfully. If I connect using a new service account created on the domain, I get the following error:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'.

The inner exception is:

The remote server returned an error: (401) Unauthorized.

Is this a problem with the domain account or my authentication scheme? The error message implies it is the authentication scheme, but why would it work under my account and not a service account created on the same domain?

Server Config

<security mode="TransportCredentialOnly">
    <transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" />
</security>

Client Consumption

public static WMServiceClient CreateWMServiceProxy()
{
    var proxy = new WMServiceClient();

    proxy.Endpoint.Address = new EndpointAddress( ConfigurationCache.WMServiceEndpoint );
    proxy.Endpoint.Binding = new BasicHttpBinding( BasicHttpSecurityMode.TransportCredentialOnly )
    {
        MaxBufferSize = 2147483647,
        MaxReceivedMessageSize = 2147483647
    };

    ( (BasicHttpBinding) proxy.Endpoint.Binding ).Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;

    return proxy;
}
These messages tend to have inner exceptions that explain what is going on under the hood. My first thought is that the service account doesn't have the appropriate AD permissions to verify your identity. - Sean
Good point - I'll snag the inner exception and post back what I find. - Jordan Parmer
Updated post with inner exception. Looks like a 401. I'll get with the security team. - Jordan Parmer

1 Answer

1
votes

Solution: This wasn't actually a WCF error like I was initially thinking. When I logged the Inner Exception, I discovered I was getting a '401 - Unauthorized' error. Turns out the service account I created was not given remote connection access to the service host machine. Once we granted access and added the service account as a user, the process connected correctly.
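The diagnostic step the comments and the answer describe (unwrapping the MessageSecurityException down to the 401 and its WWW-Authenticate header) and running the call under the service account's explicit credentials, as an added example that is not code from the question or the answer. NtlmDiagnostics, DescribeAuthFailure and TryCallAs are hypothetical names; WMServiceClient is the proxy type from the question.

```csharp
using System;
using System.Net;
using System.ServiceModel.Security;

// Hypothetical helper (not from the original post) for diagnosing
// NTLM 401s against the basicHttpBinding service in the question.
public static class NtlmDiagnostics
{
    // Walk the InnerException chain looking for the WebException that
    // carries the HTTP response; report status and the scheme the server offered.
    public static string DescribeAuthFailure(Exception ex)
    {
        for (var e = ex; e != null; e = e.InnerException)
        {
            var web = e as WebException;
            if (web == null) continue;
            var resp = web.Response as HttpWebResponse;
            if (resp == null) continue;
            return string.Format("HTTP {0} {1}; server offered: {2}",
                (int)resp.StatusCode, resp.StatusDescription,
                resp.Headers[HttpResponseHeader.WwwAuthenticate] ?? "<none>");
        }
        return "no HTTP response in exception chain: " + ex.Message;
    }

    // Invoke an operation as a specific domain account instead of the
    // process identity, so the service account can be tested from any workstation.
    // 'call' is the operation to exercise, e.g. p => p.Ping().
    public static bool TryCallAs(WMServiceClient proxy, string domain, string user,
                                 string password, Action<WMServiceClient> call)
    {
        proxy.ClientCredentials.Windows.ClientCredential =
            new NetworkCredential(user, password, domain);
        try
        {
            call(proxy);
            proxy.Close();
            return true;
        }
        catch (MessageSecurityException ex)
        {
            // Surfaces "HTTP 401 Unauthorized; server offered: NTLM" for the
            // failure in the question, which points at the account's access
            // to the host rather than at the binding configuration.
            Console.WriteLine(DescribeAuthFailure(ex));
            proxy.Abort();
            return false;
        }
    }
}
```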