WCF Authentication Troubleshooting


Using WCF with Windows Authentication and SSL is a common scenario, but it can be trickier to get it to work than it seems, especially in our environment. If you're getting an error, chances are you missed something in your configuration on the client or server. If you're trying to use a binding other than BasicHttpBinding, ask yourself if it's really necessary. The complexity only increases with other binding types. Consider using a custom WCF client DLL to encapsulate your configuration. This w

Common Error Messages
Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service

· You probably forgot to set your binding's credential type to Windows ().

Could not find a base address that matches scheme https for the endpoint with binding BasicHttpBinding. Registered base address schemes are [http]

· Check that your binding's security mode is Transport on your client, and TransportCredentialOnly on your service config in an extranet SSL scenario. This is due to the fact that SSL ends at the F5 and will be converted to HTTP before it reaches the WCF service endpoint

The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM,Basic"'

This message occurs in a few scenarios. Here are some that I've encountered:

· You forgot to change your endpoint address from http to https

· The client is having trouble authenticating with the service and may be defaulting to NTLM instead of Kerberos. For this scenario see "Adding a User Principle Name to Your Config".

Adding a User Principle Name to Your Config
I'm not entirely sure of the exact combination of client, server, and environment that causes this issue to occur. With any luck you will never run in to it.

In my specific scenario, the client was running .NET 3.5 on the Windows 2003 Extranet servers, and the web service was running .NET 4.0 on the Windows 2008 Extranet servers. Impersonation was being done on the web service call.

Signs you may need it:

· You can connect with a local client to a deployed service in a GMI environment, but when you deploy the client and make the same calls, a HTTP 401 unauthorized error occurs.

· You've already checked that, if needed, your client is impersonating the user when it makes the web service call

· You get a weird error such as "System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server", or the Negotiate Error (above) only when your applications are deployed

· You can connect to the service using other applications with the exact same client config

· Your credentials are being sent as NTLM instead of Kerberos between your deployed client and server. If you run a trace you will see a Negotiate header, which can contain either Kerberos or NTLMSSP credentials. WE-APPs is able to decode the header in the trace using a 64base decoder. If you see NTLMSSP then something is going wrong, as NTLM cannot fufill a double-hop scenario.

What Is My User Principal Name?
The format for a UPN in WCF is "user@domain".

First find out the process identity that your service is running as. This is easy if you have an error message from your service and are logging the process or windows identity. The basic logger that is included when you request a new project outputs the process identity in errors by default.

The other thing you'll need is the domain your service is running on (EXTMS, MS, etc).


Example:

Process Identity: w_d_cprdataservice.g

Domain: EXTMS

UPN: w_d_cprdataservice.g@EXTMS

How to add it:
User Principle Name or UPN can be added in the client config or code:

Code:

new EndpointAddress(new Uri(serviceAddress), EndpointIdentity.CreateUpnIdentity("user@domain"))
Config:








Comments

No responses found. Be the first to comment...


  • Do not include your name, "with regards" etc in the comment. Write detailed comment, relevant to the topic.
  • No HTML formatting and links to other web sites are allowed.
  • This is a strictly moderated site. Absolutely no spam allowed.
  • Name:
    Email: