We Keep Coding

Can't run WCF service on Local Machine

I have a wcf service that will only work once I deploy it to a server and configure through IIS. there error message I get when running it through IIS express is:
The authentication schemes configured on the host ('Ntlm, Anonymous') do not allow those configured on the binding 'BasicHttpBinding' ('Negotiate'). Please ensure that the SecurityMode is set to Transport or TransportCredentialOnly. Additionally, this may be resolved by changing the authentication schemes for this application through the IIS management tool, through the ServiceHost.Authentication.AuthenticationSchemes property, in the application configuration file at the element, by updating the ClientCredentialType property on the binding, or by adjusting the AuthenticationScheme property on the HttpTransportBindingElement.
My web.config services binging looks like this:
<services>
<service name="LMS.Services.Services.AppService" behaviorConfiguration="LargeDataRequestBehavior">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttp_LargeDataRequestBinding" contract="LMS.Services.Services.AppService" />
<endpoint address="mex" binding="basicHttpBinding" bindingConfiguration="basicHttp_LargeDataRequestBinding" contract="IMetadataExchange" />
</service> </services>
and my binding looks like this:
<bindings>
<basicHttpBinding>
<binding name="basicHttp_LargeDataRequestBinding" receiveTimeout="01:00:00" sendTimeout="01:00:00" maxBufferSize="2147483647" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Text">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" >
</transport>
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
<basicHttpBinding>
</bindings>
Any Help would be greatly appreciated.

Try changing this part. The issue is that the enum for Credential Type Windows maps to a protocol called Negotiate. IIS is informing you that Negotiate has not been enabled on your website, only Basic (no security) and Ntlm (another form of Windows Security) is allowed.
<bindings>
<basicHttpBinding>
<binding>
<security >
<transport clientCredentialType="Ntlm" >
</transport>
</security>
</binding>
</basicHttpBinding>
</bindings>
The WTF here is that there is a mismatch between "Negotiate" and "Windows".

Updating IIS Authentication settings as below fixed it in my case:
Anonymous Authentication: Disabled
Windows Authentication: Enabled

TCP error code 10013 Cross Domain Policy Error with netTcpBinding Service and Silverlight Client

Was wondeirng if anybody could get me out of my cross domain policy hell.
I have a duplex WCF service which uses netTcpBining, and the client is a Silverlight 4 app. When I self host the service, then it works perfectly and my Silverlight clients can consume the service with no problems. However when I host it in IIS 7, that's when the trouble starts. When I host it in IIS I'm able to see the service at:
http://localhost/Conference/VideoConferenceService.svc
And when I add a reference to the service which is hosted in IIS, and try to call it, I get a:
CommunicationException: Could not connect to
net.tcp://localhost/Conference/VideoConferenceService.svc. The
connection attempt lasted for a time span of 00:00:03.3071892. TCP
error code 10013: An attempt was made to access a socket in a way
forbidden by its access permissions.. This could be due to attempting
to access a service in a cross-domain way while the service is not
configured for cross-domain access. You may need to contact the owner
of the service to expose a sockets cross-domain policy over HTTP and
host the service in the allowed sockets port range 4502-4534.
Or if seeing the actual error helps inspire those who have seen it before, here is what it throws at me in Reference.cs:
I have checked out almost every solution suggested regarding solving the cross-domain policy error, and I've put my clientaccesspolicy.xml in my default website root in IIS, and also in wwwroot. I've also turned off all my firewalls. I'm able to see the policy at http://localhost/clientaccesspolicy.xml
and also at http://127.0.0.1/clientaccesspolicy.xml but I still get this error.
Here is my web.config for the service hosted in IIS 7:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<runtime>
<gcServer enabled="true" />
</runtime>
<system.web>
<compilation debug="false" />
</system.web>
<system.serviceModel>
<services>
<service name="VideoServer.VideoConferenceService">
<endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_IVideoConferenceService" contract="VideoServer.IVideoConferenceService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="net.tcp://localhost:4502/VideoServer/" />
</baseAddresses>
</host>
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IVideoConferenceService" portSharingEnabled="true" transactionFlow="false" transferMode="Buffered" listenBacklog="2147483647" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="2147483647" maxReceivedMessageSize="2147483647" closeTimeout="24.20:31:23.6470000" openTimeout="24.20:31:23.6470000" receiveTimeout="24.20:31:23.6470000" sendTimeout="24.20:31:23.6470000">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<reliableSession enabled="false" />
<security mode="None">
<message clientCredentialType="None" />
<transport protectionLevel="None" clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="False" />
<serviceDebug includeExceptionDetailInFaults="False" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
And here is the Silverlight client's ServiceReferences.ClientConfig file:
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="NetTcpBinding_IVideoConferenceService">
<binaryMessageEncoding />
<tcpTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost/Conference/VideoConferenceService.svc"
binding="customBinding" bindingConfiguration="NetTcpBinding_IVideoConferenceService"
contract="ServiceReference1.IVideoConferenceService" name="NetTcpBinding_IVideoConferenceService" />
</client>
</system.serviceModel>
</configuration>
Has anybody got any suggestions? This annoying error has taken days of my time thus far.
Any help would be greatly appreciated.
EDIT
When I check the files being retrieved in my web sessions using fiddler, it shows that my browser is retrieving the client access policy file, so I think the error lies somewhere else and WCF is just throwing this error at me? I've also set IE9 to clear its cache everytime its close. Take a look below.

Well I just managed to get it working. Couple of points worth mentioning are that:
1. If you look at the erroneous ServiceReferences.ClientConfig that I posted above (generated by visual studio when I gave the service address as: http://localhost/Conference/VideoConferenceService.svc ) you can see that the netTcp port which is 4502, was not generated as part of the endpoint, this is what what causing the TCP error 10016 (EndpointNotFoundException) as well as TCP error 10013. The correct ServiceReferences.ClientConfig is actually:
<configuration>
<system.serviceModel>
<bindings>
<customBinding>
<binding name="NetTcpBinding_IVideoConferenceService">
<binaryMessageEncoding />
<tcpTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost:4502/Conference/VideoConferenceService.svc"
binding="customBinding" bindingConfiguration="NetTcpBinding_IVideoConferenceService"
contract="ServiceReference1.IVideoConferenceService" name="NetTcpBinding_IVideoConferenceService" />
</client>
</system.serviceModel>
</configuration>
2. When I was hosting my service in IIS 7, I was giving the port range 808:* as the netTcp ports, whereas I should have given 4502:* as the port range, like below:
Also from what I gathered, the website hosting the service should be on port 80, as Silverlight will look in localhost:80/ClientAccessPolicy.xml for the client access policy file.
And just for the record, for those who stumble across this same problem, this web.config managed to work in IIS:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<compilation debug="false" />
</system.web>
<system.serviceModel>
<services>
<service name="VideoServer.VideoConferenceService">
<endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_IVideoConferenceService" contract="VideoServer.IVideoConferenceService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IVideoConferenceService" portSharingEnabled="false" transactionFlow="false" transferMode="Buffered" listenBacklog="2147483647" maxBufferPoolSize="2147483647" maxBufferSize="2147483647" maxConnections="2147483647" maxReceivedMessageSize="2147483647" closeTimeout="24.20:31:23.6470000" openTimeout="24.20:31:23.6470000" receiveTimeout="24.20:31:23.6470000" sendTimeout="24.20:31:23.6470000">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<reliableSession enabled="false" />
<security mode="None">
<message clientCredentialType="None" />
<transport protectionLevel="None" clientCredentialType="None" />
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="False" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
Also worth noting that you don't need to put any ports or base addresses in the web.config for IIS. It will create the service endpoint using the port 4502, I tried changing it to 4503, 4522 etc. and interestingly it didn't work with those ports, only with 4502.

We had a similar problem as specified in the original post. Just to help anyone who has not been able to resolve the issue with the solutions provided above, we found that the Windows firewall on the machine hosting the service was blocking the port we were trying to connect with net.tcp through. Once we allowed the traffic through the port on that software firewall our service started working as expected.
It may be worth checking any hardware firewall you might have in place as well to allow the ranges 4502-4530 I believe for net.tcp

WCF Callback Service with netTcp Binding timeout after 10 mins

I'm creating a chat application with WCF(using callback contract) and netTcpBinding.
I'm hosting the service as a windows service and accessing it from other computers
via the client application.
The problem that i'm facing now is the clients connection comes to a Fault state after
10 mins which seems to be some kind of timeout that occur.
I already tried increasing the received timeout and send timeout in both service and client but didn't work.
which setting should i change to increase this timeout period and in which application, service or client?
Following are my configuration files,
Service
<system.serviceModel>
<services>
<service behaviorConfiguration="PeerTalk.Service.ChatServiceBehavior"
name="PeerTalk.Service.ChatService">
<endpoint address="" binding="netTcpBinding" bindingConfiguration=""
contract="PeerTalk.Service.ServiceContracts.IChat">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://localhost:7920/ChatService" />
<add baseAddress="net.tcp://localhost:7921/ChatService" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="PeerTalk.Service.ChatServiceBehavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="tcpBinding"
maxBufferSize="67108864"
maxReceivedMessageSize="67108864"
maxBufferPoolSize="67108864"
transferMode="Buffered"
closeTimeout="00:01:00"
openTimeout="00:01:00"
receiveTimeout="00:00:10"
sendTimeout="00:00:10"
maxConnections="100">
<readerQuotas maxDepth="64"
maxStringContentLength="67108864"
maxArrayLength="67108864"
maxBytesPerRead="67108864"
maxNameTableCharCount="16384"/>
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows"/>
</security>
<reliableSession enabled="false" inactivityTimeout="00:01:00"/>
</binding>
</netTcpBinding>
</bindings>
</system.serviceModel>
Client
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_IChat" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:00:10" transactionFlow="false"
transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="67108864"
maxBufferSize="67108864" maxConnections="10" maxReceivedMessageSize="67108864">
<readerQuotas maxDepth="32" maxStringContentLength="67108864"
maxArrayLength="67108864" maxBytesPerRead="67108864" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:01:00"
enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://10.10.10.45:7921/ChatService" binding="netTcpBinding"
bindingConfiguration="NetTcpBinding_IChat" contract="PeerTalkService.IChat"
name="NetTcpBinding_IChat">
</endpoint>
</client>
</system.serviceModel>
Thanks.

The timeout in this case is defined by both receiveTimeout in the binding and inactivityTimeout in reliable session which is used for duplex messaging. The correct solution is not increasing timeout but implementing some ping / keep alive messages. The reason is that increasing timeout will keep connections open for failed clients.

Can you post client call sample (service call example). What might happening here is that you are not closing client correctly and you reach maximum sessions on service side.
You must be aware that using net.tcp binding is different than http.
You can use System.ServiceModel performance counters (http://msdn.microsoft.com/en-us/library/ms750527.aspx) and see after 10 minutes what is happening (number of calls outstanding, number of service instances, etc..)
http://dkochnev.blogspot.com/2011/06/wcf-framework-40-monitoring-service.html

WCF Multiple Service Configuration Issue

Scenario
Ignoring that fact that some of the settings might be wrong and inconsistent or just not there!.
Why does the program fail to compile when I try and put these 2 separate configurations for WCF Services into the same APP.CONFIG file? One was writen by myself and another by a friend, yet I cannot get the application to compile. What have I missed?
ERROR
Type Initialization Exception
CODE
<configuration>
<system.serviceModel>
<!--START Service 1 CONFIGURATION-->
<bindings>
<netTcpBinding>
<binding name="tcpServiceEndPoint" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="524288"
maxBufferSize="65536" maxConnections="10" maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:05:00"
enabled="true" />
<security mode="None">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address=""
binding="netTcpBinding" bindingConfiguration="tcpServiceEndPoint"
contract="ListenerService.IListenerService"
name="tcpServiceEndPoint" />
</client>
<!--END Service 1 CONFIGURATION-->
<!--START Service 2 CONFIGURATION-->
<services>
<service name="UploadObjects.ResponseService">
<!-- Define NetMsmqEndpoint -->
<endpoint address=""
binding="netTcpBinding"
contract="UploadObjects.IResponseService"
bindingConfiguration="TransactedBinding"/>
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="TransactedBinding">
<security mode="None" />
</binding>
</netTcpBinding>
</bindings>
<!--END Service 2 CONFIGURATION-->
</system.serviceModel>
</configuration>

A couple of observations:
Your <client> endpoint has no address:
<client>
<endpoint address=""
binding="netTcpBinding"
bindingConfiguration="tcpServiceEndPoint"
contract="ListenerService.IListenerService"
name="tcpServiceEndPoint" />
How do you expect your client code to know where to connect to?? You need to specify a full WCF service address in any client <endpoint>
Your <service> endpoint also is lacking an address - you either need to specify a full address here, or than you have to have a base address defined in your service! One of the two must be present:
<services>
<service name="UploadObjects.ResponseService">
<endpoint address="net.tcp://YourServer:5455/YourServiceAddress"
binding="netTcpBinding"
contract="UploadObjects.IResponseService"
bindingConfiguration="TransactedBinding"/>
</service>
or:
<services>
<service name="UploadObjects.ResponseService">
<endpoint address=""
binding="netTcpBinding"
contract="UploadObjects.IResponseService"
bindingConfiguration="TransactedBinding"/>
<host>
<baseAddresses>
<add baseAddress="net.tcp://YourServer:5455/YourServiceAddress" />
</baseAddresses>
</host>
</service>
Also, from your question, it's not clear what you're trying to do when you get the error:
are you trying to start up a service host that hosts the service? A console app, or IIS?
are you trying to connect a client side to a running service?

WCF and Kerberos Authentication

I have followed numerous msdn articles and the codeplex guidance but cannot get WCF to work with Kerberos authentication and delegation and would appreciate a little help.
Setup
I have the WCF service in an IIS website on a remote machine
IIS 6.0 on Windows 2003 R2 - SP 2
The SPN for the machine has been added (http/myserver && http/myserver:8080)
An AD account has been created for the IIS app pool
The AD account has the setting, allow delegation (for Kerberos), set to true
I am using Brian Booth's debug site on 8080 and the site passes all requirements for Kerberos delegation. The debug IIS site has anonymous authentication off, and Integrated Windows authentication on.
I have mirrored these settings to the site hosting the WCF service.
Web Service - Web Config (Original)
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WsHttpBindingConfig">
<security>
<message negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ServiceBehavior" name="Service">
<endpoint address=""
binding="wsHttpBinding"
bindingConfiguration="WsHttpBindingConfig"
contract="IService">
<identity>
<servicePrincipalName value="http/myserver" />
<dns value="" />
</identity>
</endpoint>
<endpoint address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceAuthorization
impersonateCallerForAllOperations="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
Web Service - Web Method
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public string GetCurrentUserName()
{
string name = WindowsIdentity.GetCurrent().Name;
return name;
}
Client App - App Config
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService"
... />
...
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://myserver/Service.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IService"
contract="KerberosService.IService"
name="WSHttpBinding_IService">
<identity>
<servicePrincipalName value="http/myserver" />
</identity>
</endpoint>
</client>
</system.serviceModel>
Application Error
The following error occurs when my test application, a WinForms app, tries to call the web method:
"The HTTP request is unauthorized with
client authentication scheme
'Anonymous'. The authentication header
received from the server was
'Negotiate,NTLM'."
Event Log
The following error is in the event log:
Exception:
System.ServiceModel.ServiceActivationException:
The service '/Service.svc' cannot be
activated due to an exception during
compilation. The exception message
is: Security settings for this service
require 'Anonymous' Authentication but
it is not enabled for the IIS
application that hosts this service.
Which I don't understand. The whole point of this service is to not allow anonymous authentication, every user/request must be authenticated using Kerberos tickets, then passing them through to other machines.
How should I configure this WCF service for Kerberos authentication and delegation?
Revision 1
After reading this SO question I removed the metadata endpoint. This has not resolved the issue.
Revision 2
After more researching I found a few posts suggesting to change wsHttpBinding to basicHttpBinding. The modification to that portion of the web.config has been included below, and the service endpoint has been updated to refer to that binding.
Web Service - Web Config (Revised)
<basicHttpBinding>
<binding name="basicBindingConfig">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"
proxyCredentialType="Windows"
realm="" />
</security>
</binding>
</basicHttpBinding>
Client App - App Config (Revised)
<!-- ... -->
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"
proxyCredentialType="Windows"
realm="" />
<message clientCredentialType="UserName"
algorithmSuite="Default" />
</security>
<!-- ... -->
Error (Revised)
The current error looks like it contains a Kerberos authentication header.
The HTTP request is unauthorized with
client authentication scheme
'Negotiate'. The authentication header
received from the server was
'Negotiate SOMEHUGESCARYKEYHERE

For me the current setup does work:
On the Server:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpBindingConf" useDefaultWebProxy="true"/>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="returnFaults" name="Epze.BusinessLayer.ZeitManager">
<endpoint binding="wsHttpBinding" bindingConfiguration="wsHttpBindingConf" contract="Epze.Contract.IZeitManager"/>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="returnFaults">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceAuthorization impersonateCallerForAllOperations="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
Set the following attribute on all methods for the WCF:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
On the Client:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IZeitManager" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false"/>
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
<message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="Delegation">
<clientCredentials>
<windows allowedImpersonationLevel="Delegation" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="http://server.mydomain.net/ePZEsvc/ZeitManager.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IZeitManager"
contract="External.Epze.IZeitManager" name="WSHttpBinding_IZeitManager" behaviorConfiguration="Delegation">
<identity>
<servicePrincipalName value="HOST/localhost"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
HTH, Sven

Something that I notice: the client and server config don't seem to agree on security mode.
In the original section, you have <security>..... in the web.config (omitted the mode="message"), and <security mode="Message"> on the client side.
After your edit, it seems that the client side is unchanged, but the server (web.config) now contains <security mode="TransportCredentialOnly">.
The question really is: can you guarantee that there's only ever going to be one network leg between the client and the server being called? I.e. is this behind a corporate firewall? In that case, I would recommend netTcp binding with <security mode="Transport"> on both ends.
If that's not the case, then you're ok with either wsHttpBinding (which supports more security and reliability features, but is slower and "heavier") or basicHttpBinding. In that case, you would have to use <security mode="Message"> on both ends, and authenticate the service with a certificate (so that the service and client have a common "secret" which to use for encryption).
I would try to leave out the impersonation parts out for the beginning and just get the basic communication and mutual authentication between service and client up and running first - once that's in place, you can start adding the impersonation bits to it, and you can always fall back on a known configuration which works.
David Sackstein has a great series of blog posts explaining the five security scenarios that industry guru Juval Lowy has identified (in his Programming WCF book - the WCF Bible) as the most common and most useful - in order to limit the number of possible combinations of parameters you might want to tweak. One of them is a "Internet" scenario which would probably apply here, if your service is outward facing.
Marc

You need to specify a behaviorConfiguration in your client config. SVCUtil does not auto generate. This resolved my issue and I am now successfully using Kerberos. It was a mission though!
<client>
<endpoint address="..."
binding="customBinding" bindingConfiguration="..."
contract="..." name="..." behaviorConfiguration="ImpersonationBehavior" />
</client>
<behaviors>
<endpointBehaviors>
<behavior name="ImpersonationBehavior">
<clientCredentials>
<windows allowedImpersonationLevel="Impersonation"/> </clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>

You should try your initial configuration and make sure to set the IIS to be anonymous and windows authentication at the same time.The reason is when you are using wsHttpBinding default security is message security and there is no transport security defined unless you want to do https. SO Clr states that it needs anonymous authentication turned-on on the IIS.