Web Service over HTTP with NTLM Authentication

3
votes

We are trying to create a Web Service which will be consumed over HTTP (not HTTPS), and using NTLM/Windows authentication. Unfortunately, we can't seem to find that "perfect" combination. No matter what we try, using Windows authentication always seems to want to force us to use HTTPS; and using HTTP seems to ignore all attempts at Windows authentication.

Here is our app.config thus far:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="wsSoap" closeTimeout="00:01:00" openTimeout="00:01:00"
            receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
            bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
            maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
            messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
            useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
              maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <security mode="Message">
                    <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
                    <message clientCredentialType="UserName" algorithmSuite="Default" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://xyz/xyz/xyzws.asmx" binding="basicHttpBinding"
            bindingConfiguration="xyzwsSoap" contract="xyzws.xyzwsSoap"
            name="xyzwsSoap" />
    </client>
</system.serviceModel>
</configuration>

We've also tried creating a new binding using wsHttpBinding instead of basicHttpBinding, but that didn't work either. Can anyone point us in the right direction?

2
c#web-servicesasmx
I retagged this since you mentioned that you are trying to consume .asmx webservices.Tung
Were you aware that ASMX is a legacy technology that shouldn't be used for new development? You should use WCF to create your service, as you are already using WCF to consume it.John Saunders
No, I was not aware. We're switching over to WCF now, and it works using the development server with Visual Studio, but can't make it work with IIS.Jake Wood

2 Answers

1
votes

For Windows Authentication, your security mode needs to be set to TransportCredentialOnly:

<security mode="TransportCredentialOnly">
    <transport clientCredentialType="Windows"/>
</security>

Also make sure that your server and client configurations are in sync.

0
votes

On your server application (one that hosts service) in Web.config system.serviceModel/behaviors/serviceBehaviors you need to create new behavour.

<system.serviceModel>
<behaviors>
  <serviceBehaviors>
    <behavior name="internalBehaviour">
      <serviceAuthenticationManager authenticationSchemes="Ntlm"/>
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>

then in same <system.serviceModel> in <bindings> section create 

<bindings>
  <basicHttpBinding>
    <binding name="internal" >
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Ntlm"/>
        </security>
    </binding>
  </basicHttpBinding>
</bindings>

Then in same <system.serviceModel> in <services> section (where you are configuring service you are trying to expose)

<services>
       <service behaviorConfiguration="internalBehaviour" name="Corp.WebServices.CorePricingService">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="internal" name="ConveyancingEndpoint" contract="Corp.Core.Interfaces.ICorePricingService" />
  </service>

(Change contract obviously)

then if you are running it from IIS Express in Visual Studio (or IIS), go to applicationhost.config

on Win7:
IISExpress C:\Users\[username]\Documents\IISExpress\config
IIS %WINDIR%\System32\inetsrv\config\applicationHost.config

find <authentication> section for your website set everything (but <windowsAuthentication enabled="true">) to false and Comment out <!--<add value="Negotiate" />--> (or delete)

<authentication>
            <anonymousAuthentication enabled="false" />
            <basicAuthentication enabled="false" />
            <clientCertificateMappingAuthentication enabled="false" />
            <digestAuthentication enabled="false" />
            <iisClientCertificateMappingAuthentication enabled="false">
            </iisClientCertificateMappingAuthentication>
            <windowsAuthentication enabled="true">
                <providers>
                    <!--<add value="Negotiate" />-->
                <add value="NTLM" />
                 </providers>
            </windowsAuthentication>
        </authentication>

Then in your client app in Web.config

<system.serviceModel>
<bindings>
  <basicHttpBinding>
    <binding name="ConveyancingEndpoint">
      <security mode="TransportCredentialOnly" >
        <transport clientCredentialType="Ntlm"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<client>
  <endpoint address="http://localhost:53769/CorePricingService.svc" binding="basicHttpBinding" bindingConfiguration="ConveyancingEndpoint" contract="ServiceReference2.ICorePricingService" name="ConveyancingEndpoint"> 
  </endpoint>
</client>

You might need to set up windows authentication on your local machine.

Hope this saves you some time.