This may be stupid/not possible. However, what I am trying to achieve is as follows:
- I have a VM hosting WCF web services in IIS 7 on Windows Server 2008
- I am using the basichttp binding
- The client code runs perfectly on other machines
- This server VM also needs to perform batch processing, so it must also act as a client of these WCF services itself
When run on the actual box hosting the WCF services I get...
System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) --- End of inner exception stack trace ---
Server stack trace: at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory factory) at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException) at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
What I am wondering is whether what I am attempting is actually possible - I see no reason why I shouldn't be able to connect to a service from the hosting machine but the specifics may prevent me - and if it is, what changes do I need to make to my settings to achieve it?
The DLL concerned sets up the binding as follows...
using System;
using System.ServiceModel;

// The DLL builds its client binding like this; the four timeouts are supplied by the caller.
static class WcfBindingFactory
{
    public static BasicHttpBinding CreateBinding(TimeSpan openTimeout, TimeSpan sendTimeout,
                                                 TimeSpan receiveTimeout, TimeSpan closeTimeout)
    {
        BasicHttpBinding binding = new BasicHttpBinding();
        // Plain HTTP carrying Windows credentials; the client is pinned to NTLM (no Negotiate/Kerberos).
        binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
        binding.TransferMode = TransferMode.Buffered;
        // Quotas raised to the maximum so large batch payloads are not rejected.
        binding.MaxBufferPoolSize = int.MaxValue;
        binding.MaxReceivedMessageSize = int.MaxValue;
        binding.ReaderQuotas.MaxArrayLength = int.MaxValue;
        binding.ReaderQuotas.MaxStringContentLength = int.MaxValue;
        binding.OpenTimeout = openTimeout;
        binding.SendTimeout = sendTimeout;
        binding.ReceiveTimeout = receiveTimeout;
        binding.CloseTimeout = closeTimeout;
        return binding;
    }
}
Output of cscript authentication is...
NTAuthenticationProviders : (STRING) "Negotiate,NTLM"
The service is set to demand membership of a network group for which the user connecting is a member (PrincipalPermission).
As indicated in the comments below, I have viewed the security event log and found that when the user (network account) connects as a client to the WCF service on the host machine there is an entry complaining that the account failed to logon - a Null SID is passed.
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: *<network account>*
Account Domain: *<account domain>*
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0x0
The question is, why is this happening?
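An added example, not part of the question or of any answer to it: a small Python parser for a security event 4625 body laid out like the one pasted above. It splits the entry into its sections, decodes the Status and Sub Status fields against the documented NTSTATUS values, and summarises the identity context (NULL SID subject, logon type). The embedded event text is constructed from the pasted one; the account name and domain in it are made up, since the question redacts them.

```python
import re

# Constructed sample modelled on the event in the question; account name and domain are invented.
SAMPLE_EVENT = """An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: svc_batch
Account Domain: CORP
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0x0
"""

# Documented NTSTATUS values that appear in the Status / Sub Status fields of event 4625.
NTSTATUS = {
    0x0: "no sub status",
    0xC000006D: "STATUS_LOGON_FAILURE (bad user name or authentication information)",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive"}

SECTIONS = ("Subject", "Account For Which Logon Failed", "Failure Information")
FIELD_RE = re.compile(r"([^:]+):\s*(.*)$")


def parse_4625(text):
    """Return {section: {field: value}}; 'Security ID' etc. repeat, so sections are kept apart."""
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.rstrip(":") in SECTIONS:          # section header such as "Subject:"
            section = line.rstrip(":")
            result.setdefault(section, {})
            continue
        m = FIELD_RE.match(line)
        if m and section is not None:
            result[section][m.group(1).strip()] = m.group(2).strip()
    return result


def field(event, key):
    """Look a field up across all sections (the flattened layout puts Logon Type under Subject)."""
    for values in event.values():
        if key in values:
            return values[key]
    return None


def explain(event):
    """Decode the status codes and identity context into short defender-readable notes."""
    subject = event.get("Subject", {})
    target = event.get("Account For Which Logon Failed", {})
    failure = event.get("Failure Information", {})
    status = int(failure.get("Status", "0x0"), 16)
    sub_status = int(failure.get("Sub Status", "0x0"), 16)
    logon_type = int(field(event, "Logon Type") or "0")

    notes = [
        "target account: %s\\%s" % (target.get("Account Domain", "?"), target.get("Account Name", "?")),
        "status: " + NTSTATUS.get(status, "unknown 0x%08x" % status),
        "sub status: " + NTSTATUS.get(sub_status, "unknown 0x%08x" % sub_status),
        "logon type: " + LOGON_TYPES.get(logon_type, str(logon_type)),
    ]
    if subject.get("Security ID") == "NULL SID":
        notes.append("subject is NULL SID: the caller had no authenticated identity when "
                     "the logon was attempted, which is normal for a network (type 3) logon")
    if status == 0xC000006D and sub_status == 0:
        notes.append("generic logon failure without the wrong-password (0xc000006a) or "
                     "unknown-account (0xc0000064) sub status: suspect the authentication "
                     "path (NTLM / host name handling) rather than the supplied credentials")
    return notes


if __name__ == "__main__":
    for note in explain(parse_4625(SAMPLE_EVENT)):
        print(note)
```

Run it against the body of a real 4625 entry copied from Event Viewer to see which sub status, if any, the local security authority recorded; the distinction between a per-account sub status and a bare 0xc000006d is what separates a credential problem from a failure elsewhere in the NTLM exchange.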