Unauthorized HTTP request with Anonymous authentication of SAP PI service

5
votes

I have a .WSDL file from our client company, for which I need to use to call a web service. Their system is SAP (SAP PI). My application is a C# .NET 3.5 client developed in VS 2008. I added a Service Reference in Visual Studio using their provided .WSDL file. This created a reference class for me to use to call their service, and set up several bindings in the app.config file for me.

I did not change anything in the app.config file, but did create code to call their web service. However, when I call their webservice, I receive the following exception:

The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm="SAP NetWeaver Application Server ..."'.

(I modified slightly the string used in the 'Basic realm' section so as to not give it out.)

Did the app.config not get built correctly from the WSDL? Am I supposed to modify the app.config file somehow?

Things I've tried:

  • changed authenticationScheme in app.config from Anonymous to Basic
    (as well as all the other authentication types)
  • changed realm string in app.config to match the realm in the exception message
  • set username/pw fields in the ClientCredentials.Username object in my code

Any pointers or help would be appreciated.

Edit: After some more investigation, I found that Visual Studio has several warnings about the extension element Policy and Policy assertions:

  • Custom tool warning: The optional WSDL extension element 'Policy' from namespace 'http://schemas.xmlsoap.org/ws/2004/09/policy' was not handled.
  • Custom tool warning: The following Policy Assertions were not Imported:
    XPath://wsdl:definitions[@targetNamespace='urn:sap-com:document:sap:rfc:functions']/wsdl:binding[@name='Binding_FieldValidation'] Assertions: ...

I wasnt able to find out if this was related or not to my current issue with the authentication scheme. It does seem to be related, but I havent been able to find any solutions to getting these policy warnings resolved either. It seems WCF doesnt handle the statements in the wsdl very well.

3
web-serviceswsdlsapsap-xisap-pi

3 Answers

0
votes

Most SAP services dont support anonymous. So pass some form of authentication data with the call. User and password / X.509 Ticket...

If you are sending auth data with the call the try this

Ask the SAP guy to regenerate the WSDL with No SAP assertions, No policy, SOAP 1.1. You can also try and edit the WSDL by hand to remove the extra guff...

0
votes

As a starting point, I'd verify that you can call the service successfully with the provided username and password. Use something like SoapUI to test that everything works correctly - just create a new project, import the WSDL provided by SAP PI, set the username and password and execute the call. You'll probably get some form of exception with an empty payload, but at least that'll verify that the username and password are correct.

Once you've verified that's working, check that your application is calling the service correctly and that the http basic authentication headers are being sent. You can confirm this by using a network monitoring tool and checking that the http request is being generated correctly. Something like netcat for Windows can do it - just make it listen to a port on your local machine and then specify localhost and the port as your SOAP endpoint.

Once you've verified both of those are correct, your call should succeed.

0
votes

There must be the Basic authentication header missing or something wrong with the credentials.

SAP PI always defaults to Basic Authentication if a Service is published via it's SOAP Adapter. I would investigate if WCF really does send out that header (e.g. Point your client endpoint to TCP Gateway and let TCP Gateway point to the SAP PI Endpoint from the WSDL).

About the Warnings: AFAIK the WSDL generated by SAP PI will always contain these Policy Tags, you can't really ommit it. What you can do is simply throw them out as they are not really validated