4
votes

I'm accessing a third-party WCF service (I have no access to the service configuration). We're using SSL certificates for the authentication.

I'm getting this error when trying to access any of the provided methods:

The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM

I checked many Google links with no luck so far. No idea what else to check on my side.

EDIT

Here is the configuration

<system.serviceModel>
        <bindings>
            <wsHttpBinding>
                <binding name="wsHttpBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
                    receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
                    transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                    maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                    messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                    allowCookies="false">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <reliableSession ordered="true" inactivityTimeout="00:10:00"
                        enabled="false" />
                    <security mode="Transport">
                        <transport clientCredentialType="Windows" proxyCredentialType="None"
                            realm="" />
                        <message clientCredentialType="Windows" negotiateServiceCredential="true"
                            establishSecurityContext="true" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
      <client>
          <endpoint address="https://url"
              binding="wsHttpBinding" bindingConfiguration="wsHttpBinding"
              contract="IApiWS" name="wsHttpBinding">
          </endpoint>
      </client>
</system.serviceModel>
2
Could you show the code you are trying to access the service with? It looks like it is asking for NTLM authentication. - Pharabus
@Pharabus: What do you want me to paste? The client configuration or some C# code? I'd say my code for accessing the web service is irrelevant. I have nothing useful to show. Just calling a method of a class :-( No security settings. - StackOverflower
You would need some security settings to pass through the authentication the WCF service is requesting. - Pharabus
I have all the settings I was requested to add in the web.config. But please, if you have any clue about what I have missed, let me know. - StackOverflower
Can you show the client web.config at least? - Pharabus

2 Answers

2
votes

Try setting your clientCredentialType="Windows" to clientCredentialType="Certificate". I usually use hard-coded WCF config, not a config file, so I'm not really sure on this, but either way, take a look at the following link: Selecting a Credential Type on MSDN.

Good luck. I'm surprised what/whom you're connecting to didn't give explicit endpoint connection instructions, but hey, you deal with every kind when working with 3rd-party stuff.
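As an added illustration (not part of the answer above and not the third party's documented setup), this is what the question's client configuration could look like with the transport credential switched to a certificate. The behavior name, the certificate store location and the thumbprint placeholder are assumptions; whether the service actually expects a TLS client certificate has to be confirmed with its operator.

```xml
<!-- Added example: client-side configuration for TLS client-certificate authentication. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBinding">
        <security mode="Transport">
          <!-- The question's config has clientCredentialType="Windows" here, which
               selects the 'Negotiate' client scheme named in the error message. -->
          <transport clientCredentialType="Certificate" proxyCredentialType="None" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <!-- "clientCertBehavior" is a hypothetical name chosen for this example. -->
      <behavior name="clientCertBehavior">
        <clientCredentials>
          <!-- Assumption: the certificate and its private key are installed in the
               CurrentUser\My store. The findValue below is a placeholder. -->
          <clientCertificate storeLocation="CurrentUser" storeName="My"
                             x509FindType="FindByThumbprint"
                             findValue="REPLACE_WITH_CERT_THUMBPRINT" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- Address, contract and names are taken from the question's configuration. -->
    <endpoint address="https://url"
              binding="wsHttpBinding" bindingConfiguration="wsHttpBinding"
              behaviorConfiguration="clientCertBehavior"
              contract="IApiWS" name="wsHttpBinding" />
  </client>
</system.serviceModel>
```

For a client hosted in IIS, the account the application runs under needs read access to the certificate's private key, and a machine store may be the appropriate storeLocation instead.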

1
votes

Ok, this may be a little vague, so I apologise in advance. Essentially the server is telling you that you are not authorised. Normally for this you would add something like the below onto the proxy you generated:

svc.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

where svc is your generated proxy. I have also seen this on a misconfigured IIS-hosted endpoint where the virtual folder does not have allow anonymous set (though you say you cannot access the service configuration, so that may not be too helpful). Hope this helps.

Edit: added more info.

It may be, depending on security, that a setting similar to the one below is more useful:

svc.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Anonymous;

Edit 2: The config above shows that the wsHttpBinding you are using has Windows set as clientCredentialType for the transport security and user authentication. This means that you will be sending through the credentials of the currently logged on user to the service for authentication using NTLM (as negotiateServiceCredential is true). Have you confirmed that the logged on user has rights on the service?