WCF Authentication Error - c#

I'm accessing a third-party WCF service (I have no access to the service configuration). We're using SSL certificates for the authentication.
I'm getting this error when trying to access any of the provided methods:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.
I checked many Google links and no luck so far. No idea what else to check on my side.
EDIT
Here is the configuration
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
               receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
               transactionFlow="false" hostNameComparisonMode="StrongWildcard"
               maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
               messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
               allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
                         enabled="false" />
        <security mode="Transport">
          <transport clientCredentialType="Windows" proxyCredentialType="None"
                     realm="" />
          <message clientCredentialType="Windows" negotiateServiceCredential="true"
                   establishSecurityContext="true" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://url"
              binding="wsHttpBinding" bindingConfiguration="wsHttpBinding"
              contract="IApiWS" name="wsHttpBinding">
    </endpoint>
  </client>
</system.serviceModel>

Try setting your clientCredentialType="Windows" to clientCredentialType="Certificate". I usually use hard-coded WCF config, not a config file, so I'm not really sure on this, but either way, take a look at the following link: Selecting a Credential Type on MSDN.
Good luck. I'm surprised what/whom you're connecting to didn't give explicit endpoint connection instructions, but hey, you deal with every kind when working with 3rd-party stuff.
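
The change suggested in this answer, written out as a complete client configuration (an added example, not part of the original answer and not the service owner's instructions). It assumes the service expects an X.509 client certificate at the TLS layer; the behavior name clientCertBehavior, the certificate store and the thumbprint placeholder are assumptions to replace with real values.

```xml
<!-- Added example: client side only. Placeholders are marked and must be replaced. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBinding">
        <security mode="Transport">
          <!-- Was clientCredentialType="Windows", which makes the client use the
               Negotiate scheme instead of presenting its certificate over TLS. -->
          <transport clientCredentialType="Certificate" proxyCredentialType="None" realm="" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <!-- "clientCertBehavior" is a name chosen for this example. -->
      <behavior name="clientCertBehavior">
        <clientCredentials>
          <!-- Assumption: the certificate and its private key are installed in the
               CurrentUser\My store; use LocalMachine for a service or app-pool account. -->
          <clientCertificate findValue="REPLACE-WITH-CERT-THUMBPRINT"
                             x509FindType="FindByThumbprint"
                             storeLocation="CurrentUser" storeName="My" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- behaviorConfiguration ties the certificate selection to this endpoint. -->
    <endpoint address="https://url"
              binding="wsHttpBinding" bindingConfiguration="wsHttpBinding"
              behaviorConfiguration="clientCertBehavior"
              contract="IApiWS" name="wsHttpBinding" />
  </client>
</system.serviceModel>
```

The account that runs the client must be able to read the certificate's private key; a certificate without an accessible key cannot be used for client authentication.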

OK, this may be a little vague, so I apologise in advance. Essentially the server is telling you that you are not authorised; normally for this you would add something like the below onto the proxy you generated:
svc.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
where svc is your generated proxy. I have also seen this on a misconfigured IIS-hosted endpoint where the virtual folder does not have allow anonymous set (though you say you cannot access the service configuration, so that may not be too helpful). Hope this helps.
Edit: added more info.
It may be, depending on security, that a setting similar to the one below may be more useful:
svc.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Anonymous;
Edit 2
The config above shows that the wsHttpBinding you are using has Windows set as clientCredentialType for the transport security and user authentication. This means that you will be sending through the credentials of the currently logged-on user to the service for authentication using NTLM (as negotiateServiceCredential is true). Have you confirmed that the user logged on has rights on the service?

Related

WCF NetTCPBinding in a Load Balanced Environment; what is the correct configuration?

I have been battling to resolve WCF issues on our production servers. One of the errors thrown is "The server rejected the upgrade request.", among other weird errors I'm receiving. Our application runs on the Citrix environment for the front end, and our application servers host our WCF services. We have two application servers set up for load balancing, and this KEMP server supports sticky IPs since we are using netTcpBinding. However, I am not sure if we have configured our NetTCP settings correctly, as the application frequently uses 100% CPU when more than 5 users log onto an application. After an iisreset, it takes about an hour for this to reoccur. Please find the configuration of the NetTcpBinding below:
<bindings>
  <netTcpBinding>
    <binding name="NetTcpLargeBindingEndpoint"
             closeTimeout="00:05:00"
             openTimeout="00:05:00"
             receiveTimeout="00:15:00"
             sendTimeout="00:15:00"
             transactionFlow="false"
             transferMode="Buffered"
             transactionProtocol="OleTransactions"
             hostNameComparisonMode="StrongWildcard"
             maxBufferPoolSize="2147483647"
             maxBufferSize="2147483647"
             maxReceivedMessageSize="2147483647"
             listenBacklog="10"
             portSharingEnabled="false"
             >
      <reliableSession enabled="false"/>
      <readerQuotas maxArrayLength="2147483647" maxStringContentLength="2147483647" />
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
        <message clientCredentialType="UserName" algorithmSuite="Default" />
      </security>
    </binding>
  </netTcpBinding>
</bindings>
I have tried searching articles for the correct settings to have for netTcpBinding, but no luck, and the most helpful is this MSDN article:
https://msdn.microsoft.com/en-us/library/vstudio/hh273122(v=vs.100).aspx
Is there something I'm doing wrong in these settings? Please assist.

WCF service with WsHttpBinding & windows authentication failing with anonymous access error

Good day. I've written a service in WCF that uses message-level security, which is set to use Windows authentication. The relevant configuration is shown below:
<wsHttpBinding>
  <binding name="WsHttpBinding" closeTimeout="00:30:00" openTimeout="00:30:00"
           receiveTimeout="00:30:00" sendTimeout="00:30:00" maxBufferPoolSize="2147483647"
           maxReceivedMessageSize="2147483647">
    <readerQuotas maxStringContentLength="2147483647" maxArrayLength="2147483647"
                  maxBytesPerRead="2147483647" />
    <security mode="Message">
      <message clientCredentialType="Windows" establishSecurityContext="true" />
    </security>
  </binding>
</wsHttpBinding>
The developer of the calling client requested that my service be configured using these details. I also do not have access to the configuration of the client binding unfortunately, but I can only assume it is configured properly, since other services that are consumed by it are working.
The service is hosted through IIS, as an application under the default website. The Authentication for the service application is set to Windows, with Anonymous authentication turned off. It also doesn't have an SSL certificate bound to it.
When the service gets called from the client, the following error is reported in the logs:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
Any help resolving this issue will be greatly appreciated.
Additional Info
In an effort to find a solution, I had thrown together a WinForms test client to call the service. The client binding is configured as follows:
<wsHttpBinding>
  <binding name="WSHttpBinding_IEAIEndpointService" closeTimeout="00:10:00"
           openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
           maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
    <security mode="Message">
      <message clientCredentialType="Windows" establishSecurityContext="true" />
    </security>
  </binding>
</wsHttpBinding>
Before making calls using the client proxy, I have the following code to set the Windows user account I want the service to authenticate with:
client.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential("Username", "Password", "DOMAIN");
Even with this configuration, I am still receiving the above-mentioned error.
IIS authentication is transport security. Your client requested message security, so you need to disable it. Message security will be handled by WCF, not IIS.

WCF Service failing - HTTP/1.1 400 Bad Request

I was getting an exception while making a call to my WCF service with a larger request XML object (content length 65708), whereas it works without any issues with a request XML file whose content length is less than this.
This is a service we expose to external clients. I used SoapUI to debug the service, and I am getting the exception HTTP/1.1 400 Bad Request[\r][\n] without even hitting the debug point. I searched the web and applied the configuration values provided, but none of them helped me to resolve the issue.
After all the config changes, my web.config file looks like this (only the binding part).
<bindings>
  <basicHttpBinding>
    <binding name="GDASHttp" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="2147483647" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647" messageEncoding="Mtom" textEncoding="utf-8" transferMode="Streamed" useDefaultWebProxy="true">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpBinding>
I didn't change any settings in the client file, as I am getting the exception from SoapUI and the issue is related to the server configuration only. I do understand the issue is with some of the settings accepting according to the file size, but I'm not sure what the maximum values are that we can provide in the above settings.
I modified the IIS settings on the server as per some of the advice found on Google, and this is my changed applicationhost.config file.
<location path="Default Web Site/GDAS.FY15R2.3.1/Trusted" overrideMode="Allow">
  <system.webServer>
    <handlers accessPolicy="Read, Execute" />
    <security>
      <ipSecurity>
        <add ipAddress="127.0.0.1" subnetMask="255.255.255.255" allowed="true" />
      </ipSecurity>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="40000000" />
      </requestFiltering>
    </security>
    <serverRuntime uploadReadAheadSize="2147483647" />
  </system.webServer>
</location>
This is the value you would use: 2147483647
But for WCF you need to configure that in both the client and the server. You cannot just change the server binding, as the two bindings are basically shaking hands, so the MAX value should match in both configs.
I would turn on tracing and see exactly what is happening.

Proxy on Http Bindings

I have a web application that connects to a web service on a machine that uses a proxy server. Connections are OK in Internet Explorer, as shown in the image.
And my web.config is:
<system.net>
  <defaultProxy>
    <proxy autoDetect="true" usesystemdefault="true"/>
  </defaultProxy>
</system.net>
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="ProcessSoap" closeTimeout="00:01:00" openTimeout="00:01:00"
               receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
               useDefaultWebProxy="true" hostNameComparisonMode="StrongWildcard"
               maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
               messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
               >
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="None">
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://www.serveraddressthatiwanttoconnect.com/services/WebService.asmx"
              binding="basicHttpBinding" bindingConfiguration="ProcessSoap"
              contract="PINAlmaServis.ProcessSoap" name="ProcessSoap" />
  </client>
I want to use the system proxy settings, because they can change from time to time. "kurumsalproxy" is a machine name on the local network. I tried every potential variation for web.config on http://msdn.microsoft.com/en-us/library/kd3cf2ex.aspx but cannot establish a connection.
Is there something that I'm missing?
I want to use system proxy settings
There are no “system” proxy settings. Every user owns a personal proxy configuration. You could create a user with the proxy configuration and change the app pool identity to use that account.
UPDATE: How to use the proxy used in Internet Explorer in an ASP.NET application
I don't think you need to change the application pool identity, if you carefully read this Server Fault thread:
https://serverfault.com/questions/34940/how-do-i-configure-proxy-settings-for-local-system
You need to configure the proxy setting for system accounts (local system, local service, and network service) if your application pool identity is Network Service.

Workflow as WCF Service Unexpectedly stops

We have a .NET 3.5 Workflow hosted as a service that sometimes stops unexpectedly. This has occurred at times while it is writing a file and, most recently, when receiving a reply from another WCF service. There are no exceptions being caught, as these all get logged, and there are no messages in the event logs on the server where both are hosted. I added logging to verify that the service is completing its logic, which it is (taking about 6 minutes). All my timeouts are far higher than they need be. I'm starting to think the issue might be that the channel is getting closed and, due to the very high timeouts, an error is not yet thrown. Of potential relevance, the workflow is calling the WCF service asynchronously and then using a WaitOne() on the AsyncWaitHandle. I have a feeling this is maybe not the best idea, but I'm not sure if it could cause this issue. Also, persistence is not set up on the workflow (I had previously thought that the unloadOnIdle setting might have been causing issues with getting return values from the called service, as I'm not very clear on how this is supposed to work).
Any help/advice would be greatly appreciated.
Have you checked the timeout settings on the client? I know in the past I had to update both the client timeout settings as well as the server settings.
In the workflow App.config (missing a timeout for the hosting of the workflow?):
<bindings>
  <basicHttpBinding>
    <binding name="BasicHttpBinding_IService" closeTimeout="00:02:00"
             openTimeout="00:02:00" receiveTimeout="04:00:00" sendTimeout="04:00:00"
             allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
             maxBufferSize="655360000" maxBufferPoolSize="2147483647" maxReceivedMessageSize="655360000"
             messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
             useDefaultWebProxy="true">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <security mode="None">
        <transport clientCredentialType="None" proxyCredentialType="None"
                   realm="" />
        <message clientCredentialType="UserName" algorithmSuite="Default" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<client>
  <endpoint address="http://url/Service.svc"
            binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IService"
            contract="DALService.IService" name="BasicHttpBinding_IService" />
</client>
In the DalService WCF web.config:
<httpRuntime
  maxRequestLength="1048576"
  executionTimeout="6000000"
/>
<basicHttpBinding>
  <binding name="LargeMessageBinding"
           closeTimeout="00:01:00"
           openTimeout="00:01:00" receiveTimeout="04:30:00" sendTimeout="04:30:00"
           allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
           maxBufferSize="655360000" maxBufferPoolSize="524288" maxReceivedMessageSize="655360000"
           messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
           useDefaultWebProxy="true"
  />
  <!--maxReceivedMessageSize="6553600" -->
  <!--maxBufferSize="6553600" -->
Turns out, the workflow was not being hosted in its own worker process, as I had thought. Another app was crashing the process. The WCF service was correctly configured to use its own worker process, hence it would correctly return, but to a no longer running app.
