I am trying to call a WCF web service from my .net application which is a web api. I get the error below:
The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
This error is seen until I open IE on the same server where my web api is hosted through IIS, and then I browse to the WCF service URL, it prompts me with the certificate name that I have for the WCF service in my trusted certificate store. Once I click OK on the certificate popup in IE, it goes successfully to the wsdl of the service. After that if I make a call from my webapi it proceeds successfully. But every day it fails until I do that. I know there is something wrong with my certificate setup, but I am not sure how to fix it. Any help is appreciated.
Related
We have a client that connects to a web service (service1.svc) with the URL https:\destination.domain\Service1.svc. This web service connects to a second web service (service2.asmx) with the URL https:\localhost.domain\service2.asmx. Both service are hosted on the same webserver. The DNS on the Domain controller sets destination.domain to point to the IP of webserver and localshost.domain to 127.0.0.1. The application pool account is a global service managed account that is configured to allow delegation and is called webserveraccount. The application pool is configured to use the appPoolIdentity.
We see a 401 autherisation error connecting to the second webservice (service2.asmx). I have also see the a KDC_ERR_BADOPTION which makes me this our SPN configuration is incorrect. What would the correct format for SPN in the above scenario? Or is this not a kerberos related issue?
I'm having a .net core API and an EmailService as a connected service (WCF)
The EmailService is hosted on IIS (HTTPS); I'm trying to connect to the emailService with a Client Certificate. Everything is fine but i'm getting the
The HTTP request was forbidden with client authentication scheme 'Anonymous' error;
On the EmailService side:
The SSL Settings are on Require SSL (Require), the IIS Binding is on HTTPS
On the API side:
When i'm trying to access the emailservice by chrome browser, i'm getting a prompt for a client certificate, i'm picking the cert and everything works alright;
Any suggestions?
Thanks
I am not sure if you can call the service properly since WS-security is not supported in DotNet Core. Anyway, this error typically indicates that the client’s certificate cannot be recognized by the server-side when establishing the Https communication. Also, if your client communicates with the server over HTTP and the server requires SSL, this kind of error also occurred.
The Https secure communication between the client-side and the server-side can not be established properly. As you know, the https secure communication requires the procedure of exchanging each other’s public key of the certificate. Therefore, the server-side and the client-side should establish mutual trust. In other words, the server’s certificate must be trusted by the client and the client’s certificate must be trusted by the server. The specific operation is to install the certificate in the local Trusted Root Certification Authorities.
Please refer to the below link.
https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
Besides, the client-side should have access to the private key of the certificate provided by the client so that the https secure communication is valid. The specific operation is to add the current user to the private key management group of the certificate.
Feel free to let me know if there is anything I can help with.
Configuration:
Iis web app with require ssl and accept client certificates.
Web app contains wcf service.
Requesting a page from web app works as wel as requesting the wcf svc
Calling wcf from wcf client give 406.13 with same client certificate send.
Same setup works on development and several other production servers.
Checked cert store trusted root for illegal certificates. ( issued by <> issued to )
Applied reg setting schannel (from MS solutions).
How is this possible that browser requests do not fail but wcf requests do?
Must be something iis or windows related as same code works on other machines.
Any way to get more info why it thinks the client certificate is not trusted.
P.s. the wcf service method is never entered ( as my own tracing shows nothing)
Maybe this SO answer might be of some help. CAPI2 event log is the place where you should find more information why WCF considers the client certificate not trusted. Enable it both on the client side and also on the server side.
I have a web app running on Server A that calls a WCF service (K2 Workflow) on Server B that requires impersonation/delegation to run as the calling user. If I run the web app from Server A, the app works great. If I run the app from my local PC in debug, it also works great. If I hit the app from a browser on my PC to Server A, I get the following error:
The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Ntlm,Negotiate'. System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout).
I use the following code to run the service:
SvcWorklist.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation;
SvcWorklist.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
I feel like I've done everything, here is a list of what I've tried:
Setup a SPN (including port) with by Server A App pool domain user to Server B
(NETBIOS and FQDN)
Set the same domain user as the app pool user on Server A and B
Ensure the app pool user is allowed to delegate in Active directory
Ensure both servers are allowed to delegate in AD
Set authentication to windows and impersonate=true in web.config on Server A
Ensured Thread.CurrentPrincipal.Identity.Name has my user ID
Ensured IIS is set for windows and impersonation
Tried restricting the IIS configuration on server A and B to only Ntlm and/or Negotiate
Any help or ideas are truly appreciated.
For the dude who had the same issue - I figured it out. I had the SPN set on the target service, not the service it's hosting. I also needed to set sharepoint to use negotiate versus ntlm.
I have an api (running in a jetty instance) where I use two-legged oauth protocol to give access to the clients. I wrote a simple java client (using oauth-signpost) to connect to the api and the connection is successful.
I would like to put the api behind an apache http server. The apache http server is configured to forward request to api.
The following works:
(without oauth) Client ---> Apache HTTP Server --> Jetty
(with oauth) Client ---> Jetty
The following doesn't work:
(with oauth) Client ---> Apache HTTP Server ---> Jetty
I receive the following error message
"Invalid signature for signature method HMAC-SHA1"
Has any of you faced this issue? Is it possible to sign the request but without the hostname and port?
Thank you.
I had a similar problem. The problem I found was that the OAuth signature and the OAuth header block need to have the Jetty URL, not the Apache URL.
I had to modify my code to pass along two URLs. The URL I was sending the request to (Apache) and the URL of the resource on the final system (Jetty URL).