Forms Authentication Error in WCF - wcf

We are connecting to a WCF web service which has Anonomous Access turned off, Windows Authentication turned on. The web.config file has a local user account for allow users and deny users="?".
I can download and generate the service proxy fine (being prompted for creds), however from my windows form project (even when passing in the credentials), I get the following error:
System.ServiceModel.Security.MessageSecurityException was unhandled
Message="The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm=\"SEIPART001\"'."
Message="The remote server returned an error: (401) Unauthorized."
Here is my sample code:
ip.eIPCShoppingCartWSSoapClient client = new iParts.ip.eIPCShoppingCartWSSoapClient();
System.Net.NetworkCredential creds = new System.Net.NetworkCredential("username", "password", "domain");
client.ClientCredentials.Windows.ClientCredential = creds;
iParts.ip.OrderListItem[] listItem = client.GetOrderList("1234"); //throws exception here

Looks like your service is asking for basic authentication; not windows integrated authentication.
In that case, I think you need to specify the credentials on the client proxy using in the ClientCredentials.UserName property and not ClientCredentials.Windows.

No change. The virtual directory is asking for Windows Auth and passing in a local user. It works fine in the browser but the service keeps erroring out.

Looks like you should switch to transport security.
Lookin the security section of your configuration.

Related

"Invalid Authentication Headers" with IIS 10 and Windows Authentication

I have been struggling with getting Windows authentication to work on IIS10 for a .Net Core API. The error I am getting is 401.2:
You are not authorized to view this page due to invalid authentication headers.
I have made the following configurations:
Only windows authentication has been enabled on the site (Anonymous is disabled)
SPNs have been created for the site and the server has been enabled for delegation.
The application pool is configured to run under a domain account
Both cURL and Postman give me the same result. Interestingly, when I make use of the SwaggerUI on the API directly, I get the expected behavior, but when making external calls (from another server), I get the 401.2 error.
Some additional content from the error is that the Logon Method and Logon User is Not Yet Determined.
How do I resolve this issue?
I was under the assumption that Postman and cURL were sending the NTLM credentials/token as a part of the request by default, but was incorrect. I had to enable Failed Request Tracing on IIS and saw that they were trying to make use of anonymous authentication. Apparently Postman does not support NTLM authentication so I made use of cURL and appended the credentials. With this I could get the authentication to work with cURL.

WARN:Authentication error: ntlm authorization challenge expected, but not found in Soap UI

I am trying to access WCF Webservice using Windows Authentication in Soap UI.
I am getting 401 unauthorized.
Following are the set up I done.
In Request Authorization Tab, I have given as NTLM
I have given username, password and Domain.
As well as WSS-Password Type: PasswordText or PasswordDigest, and Wss-TimeToLive: 2000
Tried for Basic and Kerberos as well. Getting 401 response ONLY..
Getting following in the http log.
WARN:Authentication error: ntlm authorization challenge expected, but not found
What needs to be done to solve this issue?
I am assuming you are connecting to a VPN in order to access the webservice, and that you have already verified the credentials are correct (ie: by accessing the endpoint in a browser). I will also assume your soapUI's ntlm configuration is correct.
If so, add -Djava.net.preferIPv4Stack=true to your .vmoptions file (under bin directory).

C# Webservice Proxy Windows Authentication

I have a c# application which consumes a webservice through a client proxy. The webservice is setup to use windows authentication (HTTP 401 challange through Active Directory). My user account configured to be authorized to access the webservice.
When I call the webservice through the browser it worked well. The browser is able to do the 401 challange and does not ask for any user id password (as internally the server and client do it through AD controller).
The problem is that when I try to consume the service through the C# application, it throws HTTP request unauthorized error.
I have tried all the below options for the webservice proxy to do windows authentication.
ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation
ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultCredentials as System.Net.NetworkCredential
ClientCredentials.Windows.AllowedImpersonationLevel =System.Security.Principal.TokenImpersonationLevel.Impersonation
Can someone please help on how I can make the webservice call just like how the browser does. I cannot pass user id and password while calling the service.
I figured out myself a workaround.The service call works well (HTTP 401 challange) with HTTPWebRequest with Credentials = CredentialCache.DefaultCredentials. Browser seems to be using the same approach.The problem is while creating a client proxy which is unable to do this 401 challange.
I could not figureout the reason but may be the service does not have enough meta information to establish a proper handshake with a client proxy.

Forwarding credentials with ASP.net WebClient

I have a basic asmx page which requests data from a reporting services server.
The User, Web Server running the asmx and the reporting services server are all on the same windows domain.
Webclient request = new WebClient();
request.Credentials = ?WhatGoesHere?;
byte[] fileData = request.DownloadData(......)
If I set UseDefaultCredentials = true; it tries to authenticate using the credentials of the user running IIS.
How do I get the WebClient to authenticate as the user accessing the asmx page?
i assume that you have integrated authentication enabled on the web server hosting the aspx page and that the server is IIS.
if the page is not on the reporting server then you may be experiencing the double hop issue related to authentication forwarding. the solution requires kerberos authentication and proper configuration of a few items at the domain level.

WCF:Relationship between NetworkCredential and Impersonation

I have a WCF service hosted in IIS 7 in the default app pool in Integrated mode with anonymous access disabled and windows Authentication enabled.
I have put the following attribute on the method implementation for my interface.
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
If I do not supply network credentials in the call to my service I get the expected behavior in that the following are true:
ServiceSecurityContext.Current.WindowsIdentity.Name = myDomain\myUser
ServiceSecurityContext.Current.PrimaryIdentity.Name = myDomain\myUser
Thread.CurrentPrincipal.Identity.Name = myDomain\myUser
I can connect to a database on a remote system using SSPI and myDomain\myUser authentication.
WindowsIdentity.GetCurrent().Name = myDomain\myUser
I can use Thread.CurrentPrincipal.IsInRole() to verify the user is in a role.
I can use WindowsIdentity.GetCurrent().Groups to retrieve a list of groups for the user.
But if I supply network credentials using the following:
var networkCredential = new NetworkCredential(user, pwd, dom);
base.ClientCredentials.Windows.ClientCredential = networkCredential;
base.ClientCredentials.Windows.AllowNtlm = true;
base.ClientCredentials.Windows.AllowedImpersonationLevel
= System.Security.Principal.TokenImpersonationLevel.Delegation;
Then all of the above is the same EXCEPT the database connection and two of the groups listed are different. The connection to the database is being made using the NT Authority\Anonymous login user. Using the NetworkCredentials puts the user in the NT Authority\Network group rather than NT Authority\Interactive and additionally the LOCAL group is removed.
My goal is to make the connection to the database using the credentials passed by NetworkCredential, any advice would be appreciated.
Shane Holder
Sounds like typical double-hop issues.
I am guessing in your working scenario that Kerberos is getting used by default which will get you a Delegation token on the remote server.
In the second scenario it is not using Kerberos because of the supplied user/pass and that does not support getting a Delegation token.
The only other way to get a Delegation token on the remote server that I am aware of is to use Basic Authentication (with SSL), a complete pain.
Concerning the credentials double hop issue