WCF The HTTP request is unauthorized with client authentication scheme 'Negotiate' - wcf

I have a WCF service hosted on IIS with Windows Aut, I am able to connect to the service from my client application (WPF) on my local machine, but when I try to access the service from some other machine I get the following error
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
I checked the providers in my IIS and there "Negotiate" is the first one and then the "NTLM". I also tried removing "NTLM" but that also did not help.
I have following configuration in my App.config
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding" maxReceivedMessageSize="2147483647"
receiveTimeout="00:30:00" sendTimeout="00:30:00"
openTimeout="00:10:00" closeTimeout="00:10:00">
<readerQuotas maxStringContentLength="2147483647" maxArrayLength="20971520" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>

You may need to enable anonymous access in IIS.

Related

WCF web service method dying on https, works on http

I have an old WCF web service method which execute 10-20 minutes.
It's written on vb.net 4.0
I use SoapUI application to test it, and self written vb.net app which consume it.
On my localhost when I run it in Debug mode with IIS Express, I'm getting results back in both application.
But on QA web server, under https, I'm getting error back:
SoapUI error: Error getting response; java.net.SocketException: Connection reset.
From my web client: "An error occurred while receiving the HTTP response to https://qa.organization.com/services/Blah.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details." Inner Exception: The underlying connection was closed: An unexpected error occurred on a receive. Inner Exception: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Web engineer run trace on web server, got and error "An operation was attempted on a nonexistent network connection".
Please advise what else I can check in order to fix this issue?
From web service web.config:
<binding name="Blah_1"
closeTimeout="00:12:00"
openTimeout="00:12:00"
receiveTimeout="00:30:00"
sendTimeout="00:30:00"
allowCookies="false"
bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard"
maxBufferSize="2147483647"
maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647"
messageEncoding="Text"
textEncoding="utf-8"
transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="1000"
maxStringContentLength="2147483647"
maxArrayLength="2147483647"
maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="None"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName"
algorithmSuite="Default" />
</security>
</binding>
Add the protocol mapping in the config file:
<protocolMapping>
<add binding="basicHttpsBinding" scheme="https" />
</protocolMapping>

WCF - Consuming SOAP Service Over HTTPS - Request Timeout

I have a WPF application, and I'm using WCF to consume a php webservice over Https, I've created a self-singed certificate on the server to test it and configured the client to use this certificate, but an exception appeared and tell me that I need to pass the client certificate also.
Actually I just want to secure the transmitted message, I don't need to authenticate the client, so how could I disable the client authentication.
I'm using security model "Transport" with clientCredentialType "Certificate" and .Net 3.5.
thanks in advance for opinions..
UPDATE
As I've mentioned, I don't need the service to verify the identity of the client so I have used Transport Security with an Anonymous Client instead of Transport Security With Certificate Authentication, the following is the client configurations:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="bindingName" closeTimeout="00:0:04"
openTimeout="00:00:04" receiveTimeout="00:00:04" sendTimeout="00:00:04"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647">
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://myServer/myApp/myWebService"
binding="wsHttpBinding" bindingConfiguration="bindingName"
contract="xx.yy" name="zz">
</endpoint>
</client>
Now the issue is: when I called the service a timeout error appears "The HTTP request to {My Service URL} has exceeded the allotted timeout".
Additional Info: The service worked fine over HTTP, the issues appear only when I moved to the HTTPS, and I can see the service WSDL if I open it through the internet browser, but the browse told me that there are insecure resources and I should enforce it to show me all resources in order to see the WSDL.
Probably your issue is:
// Create the endpoint address. Note that the machine name //
must match the subject or DNS field of the X.509 certificate //
used to authenticate the service.
So review your client config, and check certificate section findValue attribute to match you certificate's one.
Like
<clientCertificate findValue="contoso.com"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
See more about Transport Security with Certificate Authentication.

Java JAX-WS Service with WCF Client

Is it possible to create a WebService using JAX-WS, that whould then be consumed by a WCF client using such a binding?
<bindings>
<basicHttpBinding>
<binding name="CaseObjectServicePortBinding" >
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
I created such a service without WSIT for now, just a plain service and wanted to just ignore the "Security" header in incoming SOAP message. But it fails with:
"Could not establish secure channel for SSL/TLS with authority 'xxxxxxxxxx'."
If I change:
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate" />
</security>
to:
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate" />
</security>
everything works flawlessly. Any ideas what am I doing wrong?
The answer is yes. You can use BasicHttpBinding or WsHttpBinding
The error was occurred because when you use TransportWithMessageCredential, the WCF client will impose additional security to your message sent through the wire, which is interoperable only to WCF service.
Once you changed it to Transport, only transport security( SSL using certificate) is applied , so that why both client and service can understand how to communicate with each other.
Cheers.
When defining security as TransportWithMessageCredential you say: I want a service which will communicate over secured transport channel (HTTPS) and I want to pass client credentials in SOAP header.
If you define Certificate credential type in message element you say: The SOAP header will transport client credentials as x.509 Certificate token profile. It is interoperable format which requires WS-Security on the service.
If you define Certifiate credential type in transport element you say: I want mutual SSL authentication. I'm actually not sure if this is used if you define TransportWithMessageCredential
This happened on the step of initiating the request; the TLS exception pops out to you because the certificate set on the client is not trusted. Use a certificate with the common destination name, if you are using the service on public use the domain name else use the destination IP address as a common name and it will work just fine .
PS: Use the 'basichttps' binding in case you want to proceed with the https content type 'text/xml' soap 11 the the default from jaxws

WCF reliable sessions via proxy server - not sending authentication credentials on Windows XP

I have a full trust XBAP which connects using reliable sessions to a remote service using the endpoint configuration attached below. The catch is that when running the application behind a client's organizational proxy server, the WCF requests are blocked on Windows XP but pass through fine on Windows 7. My suspicion (pending further analysis by the client) is that the default proxy credentials are not attached to the HTTP or HTTPS requests on the XP machines, despite the useDefaultWebProxy=true setting.
Is this a known issue on XP, or am I missing something? Is there a way to bypass this issue?
Thanks in advance for any help
Binding configuration for the secure (production) version:
<customBinding>
<binding name="Https_IOltpLogic">
<reliableSession ordered="False" inactivityTimeout="00:20:00" />
<httpsTransport />
</binding>
</customBinding>
For the demo (unsecured) version:
<wsHttpBinding>
<binding name="WSHttpBinding_IOltpLogic"
allowCookies="false"
bypassProxyOnLocal="false"
hostNameComparisonMode="StrongWildcard"
messageEncoding="Text"
textEncoding="utf-8"
useDefaultWebProxy="true">
<reliableSession enabled="True" ordered="False" inactivityTimeout="00:20:00" />
<security mode="None" />
</binding>
</wsHttpBinding>
(Please note that neither of them work under the described conditions!)
Well, it worked itself out after the client's network admin fiddled with the proxy server settings... since I wasn't allowed to analyze the HTTP traffic I don't really know which headers were missing/modified that caused the WCF requests to be blocked and the normal browser requests to pass though.

Error while calling secured web service in C#

I have to connect to secured webservice, I am passing in the credentials while calling the service
But I am getting following error message while calling service
"An error was discovered processing
the < wsse:Security > header"
I am using basicHttpBinding with security mode set to "Transport"
The endpoint address points to secured site URL
I am not sure why I am getting this error message, Am i missing something?
You're using basicHttpBinding, and passing credentials, so I believe you must use something to the effect of:
<basicHttpBinding>
<binding name="myBinding">
<security mode="TransportWithMessageCredential">
<transport />
<message clientCredentialType="Username" />
</security>
</binding>
</basicHttpBinding>
This will allow messages to flow via SSL (secure transport) with plain credentials.