Cannot call methods on Https service
Hi
I've created a service that I need to make available using either Https or net.tcp. The service is written in .net and uses Transport security. And, I can host the service in IIS7 or WAS (Note: Only 1 service is running at any one time)
My client, written in C++, is using the WWSAPI to call the service.
When I use the net.tcp protocol, everything is good. I can call the methods on the service and receive the response. However, when I switch to Https, my calls fail with the following error message :
Failure errorCode=0x80070057
Custom identities are not supported for this binding.
(Note: The WsCreateServiceProxy and WsOpenServiceProxy have both succeeded)
I have checked around for the error and can only find references to the E_INVALIDARG being related to incorrect sizes being sent to the service. But, I cannot find any errors in my code. Everything is ULONG or BOOL etc. The calls to the service are generic i.e. they are the same for the Net.tcp host as they are for the Https host - so I know they work :)
I am running a 32bit service (Windows 7 RTM) and a 32bit client (Windows XP). They are both on the same domain and I can access the hosted site from IE.
I have installed a self-signed certificate on the server to host the IIS7 and installed it in IE certificate store. Could this be the problem? Do I need to override something in the client to tell it to accept the certificate, even though it might not be from a trusted source (i.e. because it is self-signed)?
Does anyone know what the problem might be?
Is it certificate related? (Not obvious from the error message)
Is it something in the generated code? (Do I need to wait for the Release version of the tools? My colleague has sent an email requesting the Release versions)
Any help is appreciated
Thanks
Ged
All Replies
- Hi Ged,
What version of WWSAPI runtime are you running on the client side? Have you enabled tracing? What does the tracing contain for this scenario?
Thanks,
Nikola
Nikola Dudar is the Program Manager for Windows Web Services API team. This post is provided "AS IS" with no warranties, and confers no rights. Use of any samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
- Hi Nikola
I am using the RC version of the runtime on the client.
I've got tracing running on the server, but the log is empty.
Can I enable tracing on the client?
Thanks
Ged
- You can find instructions on enabling the WWS tracing in the MSDN, http://msdn.microsoft.com/en-us/library/dd815339(VS.85).aspx.
BTW, you need to stop using the RC version. The final version is already available and if you plan to use the WWS runtime on pre-Windows 7 platform, your company should start the process for getting access to it. See http://blogs.msdn.com/wndp/archive/2009/10/09/final-version-of-windows-web-services-api-for-windows-xp-vista-server-2003-and-server-2008-is-now-available.aspx for details.
- I'll switch on the tracing and report back my findings.
BTW, we have started the process for the final version of the runtime and we will be switching as soon as we receive access...but we can't stop our development whilst we wait :)
Thanks
Ged
- I cannot seem to get anything in the client log. It is always empty.
I have tried the link you sent and also the info on your blog (http://blogs.msdn.com/nikolad/archive/2009/05/08/how-to-use-tracing-with-the-rc-version-of-windows-web-services.aspx) but the log is always empty.
Plus, it only works first time I run it. All subsequent runs complain that I don't have administrator privileges - which I do - locally and on the domain. (I've also tried "Run As" and used an admin account, without success).
So, no logs I'm afraid.
Cheers
Ged
- What are the steps you are doing to enable tracing on client side?
Basic steps - (Once you have wstrace.bat and wstracedump.exe on the client box)
wstrace.bat create verbose (Verbose - will generate all the messages for the log - error, info, message traces, operation)
wstrace.bat on
wstrace.bat dump
Run your scenarios (This should dump the traces on the console)
Click Ctrl+C for stopping the tracing.
Also do you have the Https certificates set up on your box?
- I am installing the Windows 7 SDK onto the XP box to get the relevant files on there. Then I am following the steps as you have detailed (apart from the dump, which I pipe to a file).
I have a self-signed certificate setup on IIS.
Also, I have accessed the site from IE so I can confirm that the site is reachable from my client.
I am going to try running the client from a Windows 7 box to see if the issues are XP/RC related.
Thanks
Ged
After changing my client to Windows7 I have managed to generate a trace.
The text below is the first contents of the trace (which then repeats itself numerous times before I stopped it).
The generated call it is using is below the log text.
I have used the RTM Windows 7 SDK for both the server (AKA dev machine) and the client.
If you can help, or need any more info, please let me know.
Thanks
Ged
--------------------------------------------
Microsoft (R) Windows Web Services API Trace Viewer Tool version 1.0
Copyright (c) Microsoft Corporation 2009.
All rights reserved.
TimeStamp,ProcessID,ThreadID,Event,Operation,Error,Info
129000649778557477,1044,1152,"enter","WsCreateError"
129000649778557938,1044,1152,"exit","WsCreateError"
129000649778558122,1044,1152,"enter","WsFreeError"
129000649778558156,1044,1152,"exit","WsFreeError"
129000650099189362,1044,544,"enter","WsCreateError"
129000650099189616,1044,544,"exit","WsCreateError"
129000650099189881,1044,544,"enter","WsCreateHeap"
129000650099189926,1044,544,"exit","WsCreateHeap"
129000650099191250,1044,544,"enter","WsCreateServiceProxy"
129000650099206032,1044,544,"exit","WsCreateServiceProxy"
129000650099208434,1044,544,"enter","WsOpenServiceProxy"
129000650122739369,1044,3508,"error","",0x80072f94,The Proxy Auto-configuration URL was not found.
129000650122740394,1044,544,"exit","WsOpenServiceProxy"
129000650122742380,1044,544,"enter","WsCall"
129000650122745113,1044,544,"error","",0x80070057,The parameter is incorrect.
129000650122746370,1044,544,"error","",0x0,Custom identities are not supported for this binding.
129000650122747574,1044,544,"exit failed","WsCall",0x80070057
129000650122749448,1044,544,"enter","WsGetErrorProperty"
129000650122749499,1044,544,"exit","WsGetErrorProperty"
129000650122750060,1044,544,"enter","WsGetErrorString"
129000650122750111,1044,544,"exit","WsGetErrorString"
129000650122751845,1044,544,"enter","WsCloseServiceProxy"
129000650122753664,1044,544,"exit","WsCloseServiceProxy"
129000650122754234,1044,544,"enter","WsFreeServiceProxy"
129000650122754885,1044,544,"exit","WsFreeServiceProxy"
---------------------------------------
// operation: WSHttpBinding_IManageAVM_GetConfigurationIds
HRESULT WINAPI WSHttpBinding_IManageAVM_GetConfigurationIds(
    __in WS_SERVICE_PROXY* _serviceProxy,
    __out unsigned int* GetConfigurationIdsResultCount,
    __deref_out_ecount_opt(*GetConfigurationIdsResultCount) GUID** GetConfigurationIdsResult,
    __in WS_HEAP* _heap,
    __in_ecount_opt(_callPropertyCount) const WS_CALL_PROPERTY* _callProperties,
    __in const ULONG _callPropertyCount,
    __in_opt const WS_ASYNC_CONTEXT* _asyncContext,
    __in_opt WS_ERROR* _error)
{
    void* _argList[2];
    _argList[0] = &GetConfigurationIdsResultCount;
    _argList[1] = &GetConfigurationIdsResult;
    return WsCall(_serviceProxy,
        (WS_OPERATION_DESCRIPTION*)&tempuri_org_wsdlLocalDefinitions.contracts.WSHttpBinding_IManageAVM.WSHttpBinding_IManageAVM_GetConfigurationIds.WSHttpBinding_IManageAVM_GetConfigurationIds,
        (const void **)&_argList,
        _heap,
        _callProperties,
        _callPropertyCount,
        _asyncContext,
        _error);
}
- I'd like to add that, even though the same message is repeated in the trace file, it is from a different generated call.
Plus, the WsOpenServiceProxy does return S_OK, even though the log reports an error.
I am going to try and setup the server using BasicHttpBinding to see if that changes the issue.
Thanks
Ged
- Hey Ged,
The error likely means that you set the identity field of the WS_ENDPOINT_ADDRESS (http://msdn.microsoft.com/en-us/library/dd401828(VS.85).aspx) to something non-NULL. This is only allowed if the identity is actually consumed. TCP consumes it (as does the WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING) but HTTP does not.
To fix this, remove the identity from the endpoint address when using HTTP as transport unless you also use the WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING.
Axel
Hi Axel
Thanks for your suggestion, however this is something I have already attempted and it did not work. I get an "access denied" message from the webservice if I don't set the identity field of the WS_ENDPOINT_ADDRESS. I have added the trace output below.
Note: I am using HTTPS with a self-signed certificate and the certificate is installed on the client in the trusted root store.
My IIS webservice has Anonymous and Windows authentication enabled. If I disable either of them I cannot access the endpoint from IE (The WCF error says I need to enable both authentication methods).
Cheers
Ged
------------------
Here is the WWS trace output :
Microsoft (R) Windows Web Services API Trace Viewer Tool version 1.0
Copyright (c) Microsoft Corporation 2009.
All rights reserved.
TimeStamp,ProcessID,ThreadID,Event,Operation,Error,Info
129001577737873937,3792,1780,"enter","WsCreateError"
129001577737874599,3792,1780,"exit","WsCreateError"
129001577737874864,3792,1780,"enter","WsFreeError"
129001577737874917,3792,1780,"exit","WsFreeError"
129001577884183213,3792,1508,"enter","WsCreateError"
129001577884183412,3792,1508,"exit","WsCreateError"
129001577884183697,3792,1508,"enter","WsCreateHeap"
129001577884183744,3792,1508,"exit","WsCreateHeap"
129001577884185314,3792,1508,"enter","WsCreateServiceProxy"
129001577884202163,3792,1508,"exit","WsCreateServiceProxy"
129001577884203199,3792,1508,"enter","WsOpenServiceProxy"
129001577907428623,3792,3492,"error","",0x80072f94,The Proxy Auto-configuration URL was not found.
129001577907429467,3792,1508,"exit","WsOpenServiceProxy"
129001577907431324,3792,1508,"enter","WsCall"
129001577907462443,3792,1508,"sending message start ","message# (1)"
129001577907463977,3792,1508,"io started","Send"
129001577908274842,3792,3888,"io completed","Send",0x0,0
129001577908274951,3792,3888,"io started","Receive"
129001577908275907,3792,3888,"io completed","Receive",0x0,0
129001577908276686,3792,3888,"sending message ","message# (1)",
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">http://AVM.ManagementService/IManageAVM/GetConfigurationIds</a:Action>
<a:MessageID>urn:uuid:5cfeb729-43c0-4c1b-8aaa-a28e30e80f0c</a:MessageID>
<a:To s:mustUnderstand="1">https://gedm-desktop.profiledc01.appdevelop.local:443/ManageAVMssl/</a:To>
</s:Header>
<s:Body>
<GetConfigurationIds xmlns="http://AVM.ManagementService"/>
</s:Body>
</s:Envelope>
129001577908276745,3792,3888,"sending message stop ","message# (1)"
129001577908280477,3792,3888,"error","",0x803d0005,Access was denied by the remote endpoint.
129001577908280849,3792,3888,"error","",0x0,The requested resource requires user authentication.
129001577908281469,3792,3888,"error","",0x0,The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
129001577908286252,3792,3888,"error","",0x0,There was an error communicating with the endpoint at 'https://gedm-desktop.profiledc01.appdevelop.local:443/ManageAVMssl/'.
129001577908287053,3792,1508,"exit failed","WsCall",0x803d0005
129001577908289299,3792,1508,"enter","WsGetErrorProperty"
129001577908289353,3792,1508,"exit","WsGetErrorProperty"
129001577908290048,3792,1508,"enter","WsGetErrorString"
129001577908290098,3792,1508,"exit","WsGetErrorString"
129001577908290783,3792,1508,"enter","WsGetErrorString"
129001577908290830,3792,1508,"exit","WsGetErrorString"
129001577908291453,3792,1508,"enter","WsGetErrorString"
129001577908291504,3792,1508,"exit","WsGetErrorString"
129001577908292792,3792,1508,"enter","WsCloseServiceProxy"
129001577908296904,3792,1508,"exit","WsCloseServiceProxy"
129001577908297516,3792,1508,"enter","WsFreeServiceProxy"
129001577908298178,3792,1508,"exit","WsFreeServiceProxy"
-----------------
Hey Ged,
If you use Windows auth on your service ("new WsHttpBinding(SecurityMode.Transport)" or equivalent in config) you need to add a WS_HTTP_HEADER_AUTH_SECURITY_BINDING (http://msdn.microsoft.com/en-us/library/dd401908(VS.85).aspx) with WS_HTTP_HEADER_AUTH_SCHEME_NEGOTIATE to your client configuration.
Please note that you still need to set the identity field of the endpoint address to NULL. Otherwise we fail before we even make contact with the server, due to the previously mentioned reason.
Axel
Hi Axel
I've tried your suggestion, but still cannot contact my endpoint.
If I leave the WS_ENDPOINT_ADDRESS.identity field NULL, then I get the error I listed in my previous post.
Also, I thought I may have misread your original suggestion and tried a few variations on the WS_UPN_ENDPOINT_IDENTITY fields.
- Set the UPN.upn field to NULL
- Set the UPN.upn field to an empty string
Both of these variations resulted in the error
"Invalid Endpoint Identity"
The endpoint is running and can be contacted via IE and from other clients (not using WWS).
Below are my code snippets for creating the service proxy and opening it.
If you can identify (pun intended :D) anything wrong in these snippets, please let me know.
Cheers
Ged
---------------------------------
CreateServiceProxy
// Declare and initialize an SSL transport security binding
WS_SSL_TRANSPORT_SECURITY_BINDING sslBinding = {};
sslBinding.binding.bindingType = WS_SSL_TRANSPORT_SECURITY_BINDING_TYPE;

// use the default client credential - if the thread opening the channel/proxy is impersonating
// the thread token will be used; otherwise the process token will be used
WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL defaultCred = {};
defaultCred.credential.credentialType = WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE;

// Declare and initialize the properties to set the authentication scheme to Negotiate
// Since the default scheme for WWSAPI header authentication is Negotiate, this property may be omitted
ULONG scheme = WS_HTTP_HEADER_AUTH_SCHEME_NEGOTIATE;
WS_SECURITY_BINDING_PROPERTY headerAuthBindingProperties[1] =
{
    { WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME, &scheme, sizeof(scheme) },
};

// Declare and initialize a header authentication security binding
WS_HTTP_HEADER_AUTH_SECURITY_BINDING headerAuthBinding = {};
headerAuthBinding.binding.bindingType = WS_HTTP_HEADER_AUTH_SECURITY_BINDING_TYPE;
headerAuthBinding.binding.properties = headerAuthBindingProperties;
headerAuthBinding.binding.propertyCount = WsCountOf(headerAuthBindingProperties);
headerAuthBinding.clientCredential = &defaultCred.credential;

// Declare and initialize the array of all security bindings
WS_SECURITY_BINDING* securityBindings[2] = { &sslBinding.binding, &headerAuthBinding.binding };

// Declare and initialize the security description
WS_SECURITY_DESCRIPTION securityDescription = {};
securityDescription.securityBindings = securityBindings;
securityDescription.securityBindingCount = WsCountOf(securityBindings);

return WsCreateServiceProxy(
    WS_CHANNEL_TYPE_REQUEST,
    WS_HTTP_CHANNEL_BINDING,
    (const WS_SECURITY_DESCRIPTION*)&securityDescription,
    NULL,
    0,
    NULL,
    0,
    &m_pServiceProxy,
    m_wsError);

OpenServiceProxy
WS_UPN_ENDPOINT_IDENTITY upn = {};
upn.identity.identityType = WS_UPN_ENDPOINT_IDENTITY_TYPE;
// WS_STRING upnString = WS_STRING_VALUE(L"anonymouse@dizknee-land.com");
// WS_STRING upnString = WS_STRING_VALUE(L"");
// upn.upn = upnString;

WS_ENDPOINT_ADDRESS address = {};
WCHAR wszTemp[255];
ZeroMemory(&wszTemp[0], sizeof(wszTemp));
// Bounded copy (strsafe.h): wsprintf does not know the size of wszTemp
StringCchPrintfW(wszTemp, ARRAYSIZE(wszTemp), L"%s", m_wstrServerUrl);
WS_STRING url = WS_STRING_VALUE(wszTemp);
address.url.chars = url.chars;
address.url.length = (ULONG)wcslen(wszTemp);
address.identity = &upn.identity;

HRESULT hr = WsOpenServiceProxy(m_pServiceProxy, &address, NULL, m_wsError);
- Hey Ged,
If available, it is probably best to look at a trace from the WCF service (for the configuration that gives you the 401). That should give you a detailed reason why the client was rejected.
Axel
Ged,
In case that the WCF trace does not give you the answer, can you please share some information about your IIS configuration (version, kernel or user mode authentication, app pool setting of the server)?
Hao
- Hi Hao
My WCF trace is empty - or, to be more precise - does not get created when I attempt to call it from my client.
IIS details:
Version = 7.5.7600.16385
Authentication = default (Kernel mode?)
App pool = custom app pool using domain account (required for DB access)
One thing to note, I do not have any problems communicating with the webservice using a .Net generated service reference to the same endpoint address (using VS2008 or VS2010).
Thanks
Ged
- Ged,
Could you share the configuration of the .net generated client that successfully calls the service?
Thanks!
Axel
- Ged,
There is a known interop problem with WWSAPI client doing HTTP Negotiate authentication with WCF service running under a domain account. You can see more detail in item 8 of my blog post http://blogs.msdn.com/haoxu/archive/2009/03/13/wwsapi-to-wcf-interop-7-http-header-authentication-part-1.aspx. This is also described indirectly in our MSDN doc http://msdn.microsoft.com/en-us/library/dd323386(VS.85).aspx on WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME (I think Axel added the verbiage).
I am not sure if it's causing your problem since your service is hosted in IIS. But you could try one of these two things:
1. change the WCF service to run under Network Service account
2. change the authentication scheme to something else (like NTLM)
Since the second option makes the system less secure, you probably want to try the first option and impersonate the domain account before accessing the database.
Hao
- Hao,
I made the changes you suggested to IIS, but still no luck.
1a. I changed the AppPool to run under the NetworkService account.
1b. I changed the WCF Service to use the DefaultAppPool
2. I modified the Windows Authentication setting for the service, changing the Enabled Providers list to have NTLM at the top (Negotiate second).
Unfortunately, I still get the "Invalid endpoint identity" error in the client.
Below is the generated client configuration for the service (generated in VS2010 B2)
Thanks
Ged
------------------------------
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_IManageAVM" closeTimeout="00:01:00"
            openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
            bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
            maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
            messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
            allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
              maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
          <security mode="Transport">
            <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
            <message clientCredentialType="Windows" negotiateServiceCredential="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl/ManageAVMAgent.svc"
          binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IManageAVM"
          contract="AVM.EndpointSvc.IManageAVM" name="WSHttpBinding_IManageAVM">
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
- Ged,
I mistakenly thought you already passed the "Invalid endpoint identity" error. That's because you are setting a WS_ENDPOINT_IDENTITY in WS_ENDPOINT_ADDRESS, which is not allowed when you only use HTTP header authentication (with or without https). Can you keep the identity field NULL in WS_ENDPOINT_ADDRESS and try again?
Hao
- Hi Hao
I've changed the code to not set the address.identity field, but I still get an error:
0x803d0005
There was an error communicating with the endpoint at 'https://gedm-desktop.profiledc01.appdevelop.loca/ManageAVMssl'.
The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
The requested resource requires user authentication.
Cheers
Ged
- Hey Ged,
After you changed the code you should get traces from WCF and IIS. Could you share those please?
Thanks!
Axel
- Hi Axel
Sorry. I should have thought to post the traces.
I've pasted the WCF trace (just the error part of it), at the bottom of this post.
I've also generated a FailedRegLogFile from IIS and it is approx 162KB. I'm assuming you don't want me to paste all of that text onto this post. So, can I email this log to you directly?
The error event in the IIS log is:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="WWW Server" Guid="{3A2A4E84-4C21-4981-AE10-3FDA0D9B0F83}"/>
    <EventID>0</EventID>
    <Version>1</Version>
    <Level>3</Level>
    <Opcode>16</Opcode>
    <Keywords>0x100</Keywords>
    <TimeCreated SystemTime="2009-10-27T14:59:43.596Z"/>
    <Correlation ActivityID="{00000000-0000-0000-A800-0080000000F3}"/>
    <Execution ProcessID="3208" ThreadID="2516"/>
    <Computer>GEDM-DESKTOP</Computer>
  </System>
  <EventData>
    <Data Name="ContextId">{00000000-0000-0000-A800-0080000000F3}</Data>
    <Data Name="ModuleName">WindowsAuthenticationModule</Data>
    <Data Name="Notification">2</Data>
    <Data Name="HttpStatus">401</Data>
    <Data Name="HttpReason">Unauthorized</Data>
    <Data Name="HttpSubStatus">1</Data>
    <Data Name="ErrorCode">2148074254</Data>
    <Data Name="ConfigExceptionInfo"></Data>
  </EventData>
  <RenderingInfo Culture="en-GB">
    <Opcode>MODULE_SET_RESPONSE_ERROR_STATUS</Opcode>
    <Keywords>
      <Keyword>RequestNotifications</Keyword>
    </Keywords>
    <freb:Description Data="Notification">AUTHENTICATE_REQUEST</freb:Description>
    <freb:Description Data="ErrorCode">No credentials are available in the security package (0x8009030e)</freb:Description>
  </RenderingInfo>
  <ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
    <EventGuid>{002E91E3-E7AE-44AB-8E07-99230FFA6ADE}</EventGuid>
  </ExtendedTracingInfo>
</Event>
129011279623387031,1992,2452,"sending message start ","message# (1)"
129011279623388453,1992,2452,"io started","Send"
129011279630885481,1992,4040,"io completed","Send",0x0,0
129011279630885593,1992,4040,"io started","Receive"
129011279630886521,1992,4040,"io completed","Receive",0x0,0
129011279630887280,1992,4040,"sending message ","message# (1)",
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">http://AVM.ManagementService/IManageAVM/GetConfigurationIds</a:Action>
<a:MessageID>urn:uuid:d2272ea0-4dbd-4154-a41a-c75ce9eeb95c</a:MessageID>
<a:To s:mustUnderstand="1">https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl</a:To>
</s:Header>
<s:Body>
<GetConfigurationIds xmlns="http://AVM.ManagementService"/>
</s:Body>
</s:Envelope>
129011279630887336,1992,4040,"sending message stop ","message# (1)"
129011279630890236,1992,4040,"error","",0x803d0005,Access was denied by the remote endpoint.
129011279630890602,1992,4040,"error","",0x0,The requested resource requires user authentication.
129011279630891180,1992,4040,"error","",0x0,The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
129011279630895689,1992,4040,"error","",0x0,There was an error communicating with the endpoint at 'https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl'.
129011279630896265,1992,2452,"exit failed","WsCall",0x803d0005
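Added example, not part of the thread and not Microsoft tooling: a Python script that reads a wstrace dump like the ones posted above, ties each "error" row to the API call that was open when it was logged (so an error inside a call that still exits successfully is separated from the one that fails WsCall), and names the HRESULTs, including the decimal ErrorCode 2148074254 from the IIS event. The function names are this example's own; the sample rows are copied from the earlier trace in this thread.

```python
import re

# Facility numbers and HRESULT names are from the Windows SDK headers;
# only the codes that appear in this thread are listed.
FACILITIES = {0x07: "FACILITY_WIN32", 0x09: "FACILITY_SSPI",
              0x0B: "FACILITY_CERT", 0x3D: "FACILITY_WEBSERVICES"}
KNOWN = {
    0x80070057: "E_INVALIDARG",
    0x80072F94: "HRESULT_FROM_WIN32(ERROR_WINHTTP_AUTODETECTION_FAILED)",
    0x803D0005: "WS_E_ENDPOINT_ACCESS_DENIED",
    0x803D000A: "WS_E_SECURITY_VERIFICATION_FAILURE",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
}

# One trace row: TimeStamp,ProcessID,ThreadID,"Event","Operation"[,Error[,Info]]
ROW = re.compile(r'^(\d+),(\d+),(\d+),"([^"]*)","([^"]*)"(?:,([^,]*))?(?:,(.*))?$')

# Rows copied from the WWS trace posted earlier in this thread (some rows omitted).
SAMPLE_TRACE = """\
129001577884203199,3792,1508,"enter","WsOpenServiceProxy"
129001577907428623,3792,3492,"error","",0x80072f94,The Proxy Auto-configuration URL was not found.
129001577907429467,3792,1508,"exit","WsOpenServiceProxy"
129001577907431324,3792,1508,"enter","WsCall"
129001577908276686,3792,3888,"sending message ","message# (1)",
<s:Body>
<GetConfigurationIds xmlns="http://AVM.ManagementService"/>
</s:Body>
129001577908280477,3792,3888,"error","",0x803d0005,Access was denied by the remote endpoint.
129001577908280849,3792,3888,"error","",0x0,The requested resource requires user authentication.
129001577908281469,3792,3888,"error","",0x0,The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
129001577908286252,3792,3888,"error","",0x0,There was an error communicating with the endpoint at 'https://gedm-desktop.profiledc01.appdevelop.local:443/ManageAVMssl/'.
129001577908287053,3792,1508,"exit failed","WsCall",0x803d0005
"""


def parse_hresult(text):
    """Accept '0x803d0005' (WWS trace) or decimal, signed or unsigned (IIS event)."""
    text = text.strip()
    value = int(text, 16) if text.lower().startswith("0x") else int(text)
    return value & 0xFFFFFFFF


def describe(hr):
    """Split an HRESULT into its severity bit, facility and code fields."""
    facility = (hr >> 16) & 0x7FF
    return {
        "hex": f"0x{hr:08x}",
        "failed": bool(hr & 0x80000000),
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": hr & 0xFFFF,
        "name": KNOWN.get(hr, "unknown"),
    }


def triage(trace_text):
    """Return (failed_calls, tolerated_errors) for one trace dump."""
    open_calls = {}  # thread id -> stack of (operation, index into pending at entry)
    pending = []     # error rows so far; kept process-wide because the I/O
                     # errors are logged on worker threads, not the calling thread
    failed, tolerated = [], []
    for line in trace_text.splitlines():
        row = ROW.match(line.strip())
        if not row:
            continue  # traced message bodies (SOAP XML) and tool banner lines
        _, _, tid, event, op, err, info = row.groups()
        event = event.strip()
        if event == "enter":
            open_calls.setdefault(tid, []).append((op, len(pending)))
        elif event == "error":
            pending.append((parse_hresult(err or "0"), info or ""))
        elif event in ("exit", "exit failed"):
            stack = open_calls.get(tid)
            if not stack or stack[-1][0] != op:
                continue  # exit without a matching enter in this excerpt
            _, start = stack.pop()
            chain = pending[start:]
            del pending[start:]
            if event == "exit failed":
                failed.append({"operation": op,
                               "hresult": describe(parse_hresult(err)),
                               "chain": [text for _, text in chain]})
            else:
                # Logged while the call was open, but the call still succeeded.
                tolerated.extend((op, describe(hr)["name"], text) for hr, text in chain)
    return failed, tolerated


if __name__ == "__main__":
    failures, ignored = triage(SAMPLE_TRACE)
    for op, name, text in ignored:
        print(f"non-fatal in {op}: {name}: {text}")
    for item in failures:
        print(f"{item['operation']} failed: {item['hresult']['name']} ({item['hresult']['hex']})")
        for text in item["chain"]:
            print("   ", text)
    print("IIS ErrorCode 2148074254 ->", describe(parse_hresult("2148074254")))
```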
- Ged,
I was only able to reproduce your issue when setting up the app pool to run under a domain account AND turning off kernel mode authentication at the web application. Just to double check, you did check the Advanced Settings of the Windows Authentication feature on your web application, right?
If changing the app pool account to Network Service does not help, can you try these steps to isolate the issue?
1. run the client on the same machine as the server; if it does not fail, then there is something with the client OS or credential.
2. if it still fails, run the client on a Vista machine; if it still fails consistently, get WinHttp traces using "netsh winhttp set tracing" command (with some more parameters). You can then open up the trace file to see how the header auth goes. You should see an Authorization header in the first POST request.
If you don't have a Vista machine, you can try to remove SSL from the picture and sniff the network packets. Since WSHttpBinding does not support header auth without SSL, you'll have to create a CustomBinding on the server. On the client side, you can use WsUtil to generate the stub from the new WSDL files and then use the template helper function (see my blog post http://blogs.msdn.com/haoxu/archive/2009/09/09/wwsapi-to-wcf-interop-11-security-binding-templates.aspx) to create the service proxy.
Thanks,
Hao
Hao,
I've double checked the Advanced Settings and Kernel Mode authentication is definitely enabled.
1. I moved the server to the client machine and still had the same issue. (The logs were identical to my previous post)
2. I've run my client from a Vista machine and got the following info :
** Note: The server certificate is self-signed by the server and I have exported it from the server and imported it into the Trusted Root Certificate store via IE options. I can access the page using IE without getting a certificate warning. **
----------------------------
errorCode=0x803d000a
There was an error communicating with the endpoint at 'https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl'.
The certificate authority is invalid or incorrect
----------------------------
The Netsh log contains :
17:41:25.558 ::*Session* :: DllMain(0x73de0000, DLL_PROCESS_ATTACH, 0x0)
17:41:25.558 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
17:41:25.574 ::*Session* :: WinHttpOpen("MS-WebServices/1.0", (1), "", "", 0x10000000)
17:41:25.574 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
17:41:25.589 ::*Session* :: WinHttpOpen() returning handle 0x331a788
17:41:25.589 ::*Session* :: WinHttpGetProxyForUrl(0x331a788, "https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl", 0x3f8feb8, 0x1ea0618)
17:41:25.620 ::*Session* :: WinHttpGetProxyForUrl() returning FALSE
17:41:25.620 ::*Session* :: WinHttpOpen("MS-WebServices/1.0", (1), "", "", 0x10000000)
17:41:25.620 ::*Session* :: WinHttpOpen() returning handle 0x33258e8
17:41:25.620 ::*Session* :: WinHttpSetStatusCallback(0x33258e8, 0x6c7f26f0, 0x7f4000)
17:41:25.620 ::*Session* :: WinHttpSetStatusCallback() returning NULL
17:41:25.620 ::*Session* :: WinHttpCrackUrl("https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl", 0x3e, 0x0, 0x31df8bc)
17:41:25.620 ::*Session* :: WinHttpCrackUrlA("https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl", 0x3e, 0x0, 0x31df7c4)
17:41:25.620 ::*Session* :: WinHttpCrackUrlA() returning TRUE
17:41:25.620 ::*Session* :: WinHttpCrackUrl() returning TRUE
17:41:25.620 ::*Session* :: WinHttpCrackUrl("https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl", 0x3e, 0x10000000, 0x31df8bc)
17:41:25.620 ::*Session* :: WinHttpCrackUrlA("https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl", 0x3e, 0x10000000, 0x31df7c4)
17:41:25.620 ::*Session* :: WinHttpCrackUrlA() returning TRUE
17:41:25.620 ::*Session* :: WinHttpCrackUrl() returning TRUE
17:41:25.620 ::*Session* :: WinHttpConnect(0x33258e8, "gedm-desktop.profiledc01.appdevelop.local", 443, 0x0)
17:41:25.620 ::*Session* :: InternetConnectA(0x33258e8, "gedm-desktop.profiledc01.appdevelop.local", 443, 0x00000000, 0x0)
17:41:25.620 ::*Session* :: WinHttpConnect() returning handle 0x3325b98
17:41:25.620 ::*Session* :: WinHttpSetOption(0x33258e8, (73), 0x31dfb38 [0xffffffff], 4)
17:41:25.620 ::*Session* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*Session* :: WinHttpSetOption(0x33258e8, (74), 0x31dfb38 [0xffffffff], 4)
17:41:25.620 ::*Session* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*Session* :: WinHttpOpenRequest(0x3325b98, "POST", "/ManageAVMssl", "", "", 0x0, 0x008001c0)
17:41:25.620 ::*Session* :: WinHttpCreateUrlA(0x31df89c, 0x0, 0x331de60, 0x31df8dc)
17:41:25.620 ::*Session* :: WinHttpCreateUrlA() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpOpenRequest() returning handle 0x331d848
17:41:25.620 ::*0000001* :: WinHttpSetOption(0x331d848, (63), 0x31dfab4 [0x2], 4)
17:41:25.620 ::*0000001* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpSetOption(0x331d848, (47), 0x0 [0x0], 0)
17:41:25.620 ::*0000001* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpSetOption(0x331d848, (2), 0x31dfac8 [0xffffffff], 4)
17:41:25.620 ::*0000001* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpSetOption(0x331d848, (3), 0x31dfacc [0xffffffff], 4)
17:41:25.620 ::*0000001* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpSetOption(0x331d848, (5), 0x31dfad0 [0xffffffff], 4)
17:41:25.620 ::*0000001* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpSetOption(0x331d848, (7), 0x31dfad4 [0xffffffff], 4)
17:41:25.620 ::*0000001* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpSetOption(0x331d848, (6), 0x31dfad8 [0xffffffff], 4)
17:41:25.620 ::*0000001* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpAddRequestHeaders(0x331d848, "Content-Type: application/soap+xml; charset=utf-8; action="http://AVM.Management", 119, 0x20000000)
17:41:25.620 ::*0000001* :: WinHttpAddRequestHeaders() returning TRUE
17:41:25.620 ::*Session* :: WinHttpSetOption(0x33258e8, (38), 0x1ea0abc [0x0], 12)
17:41:25.620 ::*Session* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpSetOption(0x331d848, (77), 0x31dfa18 [0x1], 4)
17:41:25.620 ::*0000001* :: WinHttpSetOption() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpSetCredentials(0x331d848, 0x0, 0x10, "", "NULL", "NULL")
17:41:25.620 ::*0000001* :: WinHttpSetCredentialsA(0x331d848, 0x0, 0x10, "", "NULL", "NULL")
17:41:25.620 ::*0000001* :: WinHttpSetCredentialsA() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpSetCredentials() returning TRUE
17:41:25.620 ::*0000001* :: WinHttpSendRequest(0x331d848, "", 0, 0x331f9c8, 488, 488, 330c814)
17:41:25.620 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
17:41:25.620 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
17:41:25.620 ::*0000001* :: WinHttpSendRequest() returning TRUE
17:41:25.620 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
17:41:25.636 ::*0000001* :: "gedm-desktop.profiledc01.appdevelop.local" resolved
17:41:25.636 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
17:41:25.636 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x90312 [SEC_I_CONTINUE_NEEDED]
then an unreadable http stream, followed by :
17:41:25.761 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
17:41:25.824 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x800b0109 [?]
17:41:25.824 ::*0000001* :: WINHTTP_CALLBACK_STATUS_REQUEST_ERROR: Failure API = API_SEND_REQUEST, Error = ERROR_WINHTTP_SECURE_FAILURE
17:41:25.824 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
17:41:25.824 ::*Session* :: WinHttpCloseHandle(0x331a788)
17:41:25.824 ::*Session* :: WinHttpCloseHandle() returning TRUE
17:41:25.824 ::*0000001* :: WinHttpCloseHandle(0x331d848)
17:41:25.824 ::*0000001* :: WinHttpCloseHandle() returning TRUE
17:41:25.824 ::*Session* :: WinHttpCloseHandle(0x3325b98)
17:41:25.824 ::*Session* :: WinHttpCloseHandle() returning TRUE
17:41:25.824 ::*Session* :: WinHttpCloseHandle(0x33258e8)
17:41:25.824 ::*Session* :: WinHttpCloseHandle() returning TRUE
17:41:25.824 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_DETACH, 0x0)
17:41:25.824 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_DETACH, 0x0)
17:41:25.824 ::*Session* :: DllMain(0x73de0000, DLL_PROCESS_DETACH, 0x0)
I also ran Network Monitor on the server and can see an exchange of ARP, TCP and SSL messages, but the log is too big to post here. Let me know if you need any of that information.
Thanks
Ged
- Ged,
You should be able to resolve the trusted root error by importing the self-signed server certificate into the root store. I am not sure about the IE options. I've been using the Certificates snap-in in mmc.exe to import certificates into the machine store. Once you get past the error 0x800b0109 and establish the secure channel, you should be able to see the HTTP request/response messages, which hopefully can give us more information.
Hao
- My apologies. I thought I had added the certificate as a trusted root.
Right, after setting that up correctly, we are back with the 0x803d0005 error :
---------------
0x803d0005
There was an error communicating with the endpoint at 'https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl'.
The server returned HTTP status code '401 (0x191)' with text 'Unauthorized'.
The requested resource requires user authentication.
---------------
The netsh trace contains the following info:
11:09:14.981 ::*Session* :: DllMain(0x73de0000, DLL_PROCESS_ATTACH, 0x0)
11:09:14.981 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
11:09:14.997 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
11:09:14.997 ::*Session* :: WinHttpOpen("MS-WebServices/1.0", (1), "", "", 0x10000000)
11:09:14.997 ::*Session* :: WinHttpOpen() returning handle 0x2be28c8
11:09:14.997 ::*Session* :: WinHttpSetStatusCallback(0x2be28c8, 0x6b1626f0, 0x7f4000)
11:09:14.997 ::*Session* :: WinHttpSetStatusCallback() returning NULL
11:09:14.997 ::*Session* :: WinHttpCrackUrl("https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl", 0x3e, 0x0, 0x337f8bc)
11:09:14.997 ::*Session* :: WinHttpCrackUrlA("https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl", 0x3e, 0x0, 0x337f7c4)
11:09:14.997 ::*Session* :: WinHttpCrackUrlA() returning TRUE
11:09:14.997 ::*Session* :: WinHttpCrackUrl() returning TRUE
11:09:14.997 ::*Session* :: WinHttpCrackUrl("https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl", 0x3e, 0x10000000, 0x337f8bc)
11:09:14.997 ::*Session* :: WinHttpCrackUrlA("https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl", 0x3e, 0x10000000, 0x337f7c4)
11:09:14.997 ::*Session* :: WinHttpCrackUrlA() returning TRUE
11:09:14.997 ::*Session* :: WinHttpCrackUrl() returning TRUE
11:09:14.997 ::*Session* :: WinHttpConnect(0x2be28c8, "gedm-desktop.profiledc01.appdevelop.local", 443, 0x0)
11:09:15.012 ::*Session* :: InternetConnectA(0x2be28c8, "gedm-desktop.profiledc01.appdevelop.local", 443, 0x00000000, 0x0)
11:09:15.012 ::*Session* :: WinHttpConnect() returning handle 0x2be2d08
11:09:15.012 ::*Session* :: WinHttpSetOption(0x2be28c8, (73), 0x337fb38 [0xffffffff], 4)
11:09:15.012 ::*Session* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*Session* :: WinHttpSetOption(0x2be28c8, (74), 0x337fb38 [0xffffffff], 4)
11:09:15.012 ::*Session* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*Session* :: WinHttpOpenRequest(0x2be2d08, "POST", "/ManageAVMssl", "", "", 0x0, 0x008001c0)
11:09:15.012 ::*Session* :: WinHttpCreateUrlA(0x337f89c, 0x0, 0x2be4e40, 0x337f8dc)
11:09:15.012 ::*Session* :: WinHttpCreateUrlA() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpOpenRequest() returning handle 0x2be2e08
11:09:15.012 ::*0000001* :: WinHttpSetOption(0x2be2e08, (63), 0x337fab4 [0x2], 4)
11:09:15.012 ::*0000001* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpSetOption(0x2be2e08, (47), 0x0 [0x0], 0)
11:09:15.012 ::*0000001* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpSetOption(0x2be2e08, (2), 0x337fac8 [0xffffffff], 4)
11:09:15.012 ::*0000001* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpSetOption(0x2be2e08, (3), 0x337facc [0xffffffff], 4)
11:09:15.012 ::*0000001* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpSetOption(0x2be2e08, (5), 0x337fad0 [0xffffffff], 4)
11:09:15.012 ::*0000001* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpSetOption(0x2be2e08, (7), 0x337fad4 [0xffffffff], 4)
11:09:15.012 ::*0000001* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpSetOption(0x2be2e08, (6), 0x337fad8 [0xffffffff], 4)
11:09:15.012 ::*0000001* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpAddRequestHeaders(0x2be2e08, "Content-Type: application/soap+xml; charset=utf-8; action="http://AVM.Management", 119, 0x20000000)
11:09:15.012 ::*0000001* :: WinHttpAddRequestHeaders() returning TRUE
11:09:15.012 ::*Session* :: WinHttpSetOption(0x2be28c8, (38), 0x1ee4c74 [0x0], 12)
11:09:15.012 ::*Session* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpSetOption(0x2be2e08, (77), 0x337fa18 [0x1], 4)
11:09:15.012 ::*0000001* :: WinHttpSetOption() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpSetCredentials(0x2be2e08, 0x0, 0x10, "", "NULL", "NULL")
11:09:15.012 ::*0000001* :: WinHttpSetCredentialsA(0x2be2e08, 0x0, 0x10, "", "NULL", "NULL")
11:09:15.012 ::*0000001* :: WinHttpSetCredentialsA() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpSetCredentials() returning TRUE
11:09:15.012 ::*0000001* :: WinHttpSendRequest(0x2be2e08, "", 0, 0x2be6690, 488, 488, 2be00fc)
11:09:15.012 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
11:09:15.012 ::*0000001* :: WinHttpSendRequest() returning TRUE
11:09:15.012 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
11:09:15.012 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
11:09:15.028 ::*0000001* :: "gedm-desktop.profiledc01.appdevelop.local" resolved
11:09:15.028 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
11:09:15.028 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x90312 [SEC_I_CONTINUE_NEEDED]
11:09:15.028 ::*0000001* :: sending data:
11:09:15.028 ::*0000001* :: 142 (0x8e) bytes
<the http stream>
11:09:15.168 ::*0000001* :: <<<<-------- HTTP stream follows below ----------------------------------------------->>>>
11:09:15.168 ::*0000001* :: POST /ManageAVMssl HTTP/1.1
11:09:15.168 ::*0000001* :: Content-Type: application/soap+xml; charset=utf-8; action="http://AVM.ManagementService/IManageAVM/GetConfigurationIds"
11:09:15.168 ::*0000001* :: User-Agent: MS-WebServices/1.0
11:09:15.168 ::*0000001* :: Host: gedm-desktop.profiledc01.appdevelop.local
11:09:15.168 ::*0000001* :: Content-Length: 488
11:09:15.168 ::*0000001* :: Connection: Keep-Alive
11:09:15.168 ::*0000001* :: Cache-Control: no-cache
11:09:15.168 ::*0000001* :: Pragma: no-cache
11:09:15.168 ::*0000001* :: Authorization: Negotiate
<the negotiate data>
11:09:15.168 ::*0000001* ::
11:09:15.168 ::*0000001* ::
11:09:15.168 ::*0000001* :: <<<<-------- End ----------------------------------------------->>>>
11:09:15.168 ::*0000001* :: sending data:
11:09:15.168 ::*0000001* :: 488 (0x1e8) bytes
11:09:15.168 ::*0000001* :: <<<<-------- HTTP stream follows below ----------------------------------------------->>>>
11:09:15.168 ::*0000001* :: <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header><a:Action s:mustUnderstand="1">http://AVM.ManagementService/IManageAVM/GetConfigurationIds</a:Action><a:MessageID>urn:uuid:6b6fc1f8-71a6-4aa4-93c3-f329dea40098</a:MessageID><a:To s:mustUnderstand="1">https://gedm-desktop.profiledc01.appdevelop.local/ManageAVMssl</a:To></s:Header><s:Body><GetConfigurationIds xmlns="http://AVM.ManagementService"/></s:Body></s:Envelope>
11:09:15.168 ::*0000001* :: <<<<-------- End ----------------------------------------------->>>>
11:09:15.168 ::*0000001* :: WinHttpReceiveResponse(0x2be2e08, 0x0)
11:09:15.168 ::*0000001* :: WinHttpReceiveResponse() returning TRUE
11:09:15.168 ::*0000001* :: received data:
11:09:15.168 ::*0000001* :: 1500 (0x5dc) bytes
<another http stream>
11:09:15.168 ::*0000001* :: <<<<-------- End ----------------------------------------------->>>>
11:09:15.168 ::*0000001* :: received data:
11:09:15.168 ::*0000001* :: 41 (0x29) bytes
11:09:15.168 ::*0000001* :: <<<<-------- HTTP stream follows below ----------------------------------------------->>>>
11:09:15.168 ::*0000001* :: .<...L!f...UR.+>?I...8....s....C....T..&Y
11:09:15.168 ::*0000001* :: <<<<-------- End ----------------------------------------------->>>>
11:09:15.168 ::*0000001* :: received data:
11:09:15.168 ::*0000001* :: 1024 (0x400) bytes
11:09:15.168 ::*0000001* :: <<<<-------- HTTP stream follows below ----------------------------------------------->>>>
11:09:15.168 ::*0000001* :: HTTP/1.1 401 Unauthorized
11:09:15.168 ::*0000001* :: Content-Type: text/html
11:09:15.168 ::*0000001* :: Server: Microsoft-IIS/7.5
11:09:15.168 ::*0000001* :: WWW-Authenticate: Negotiate
11:09:15.168 ::*0000001* :: WWW-Authenticate: NTLM
11:09:15.168 ::*0000001* :: X-Powered-By: ASP.NET
11:09:15.168 ::*0000001* :: Date: Mon, 02 Nov 2009 11:09:16 GMT
11:09:15.168 ::*0000001* :: Content-Length: 1293
11:09:15.168 ::*0000001* ::
11:09:15.168 ::*0000001* :: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
11:09:15.168 ::*0000001* :: <html xmlns="http://www.w3.org/1999/xhtml">
11:09:15.168 ::*0000001* :: <head>
11:09:15.168 ::*0000001* :: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
11:09:15.168 ::*0000001* :: <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
11:09:15.168 ::*0000001* :: <style type="text/css">
<the "unauthorized" html>
11:09:15.168 ::*0000001* :: <<<<-------- End ----------------------------------------------->>>>
11:09:15.168 ::*0000001* :: WinHttpQueryHeaders(0x2be2e08, (0x20000013), "<null>", 0x3d7fe04, 0x3d7fddc [4], 0x0 [0])
11:09:15.168 ::*0000001* :: WinHttpQueryHeaders() returning TRUE
11:09:15.168 ::*0000001* :: WinHttpQueryAuthSchemes(0x2be2e08, 0x3d7fde4, 0x3d7fdc4)
11:09:15.168 ::*0000001* :: WinHttpQueryAuthSchemes: error 4317 [0x10dd]
11:09:15.168 ::*0000001* :: WinHttpQueryAuthSchemes() returning FALSE
11:09:15.168 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_ATTACH, 0x0)
11:09:15.168 ::*0000001* :: WinHttpQueryHeaders(0x2be2e08, (0x14), "<null>", 0x0, 0x3d7fd74 [110], 0x0 [0])
11:09:15.168 ::*0000001* :: WinHttpQueryHeaders() returning FALSE
11:09:15.168 ::*0000001* :: WinHttpQueryHeaders(0x2be2e08, (0x14), "<null>", 0x2c1fc78, 0x3d7fd78 [26], 0x0 [0])
11:09:15.168 ::*0000001* :: WinHttpQueryHeaders() returning TRUE
11:09:15.168 ::*0000001* :: WinHttpCloseHandle(0x2be2e08)
11:09:15.168 ::*0000001* :: WinHttpCloseHandle() returning TRUE
11:09:15.168 ::*Session* :: WinHttpCloseHandle(0x2be2d08)
11:09:15.168 ::*Session* :: WinHttpCloseHandle() returning TRUE
11:09:15.168 ::*Session* :: WinHttpCloseHandle(0x2be28c8)
11:09:15.168 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_DETACH, 0x0)
11:09:15.168 ::*Session* :: WinHttpCloseHandle() returning TRUE
11:09:15.168 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_DETACH, 0x0)
11:09:15.168 ::*Session* :: DllMain(0x73de0000, DLL_THREAD_DETACH, 0x0)
11:09:15.168 ::*Session* :: DllMain(0x73de0000, DLL_PROCESS_DETACH, 0x0)
Thanks
Ged
- Ged,
The WinHttp trace matches the IIS trace you posted earlier. It does seem that the client credential cannot be accepted. I assume that your client user account and the server machine account are in the same domain profiledc01.appdevelop.local and the app pool is using Network Service account. In that case, I'd suggest you try the explicit user credential (WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL) on the WWSAPI client instead of the default credential. To be safe, you can start with a local user account that exists on both client and server machine. If the local user works, you can then try a domain user account. If with explicit credential, the local user account works, but the domain user account does not work, I'd suspect a problem with the server machine/IIS/web application/web.config settings. I personally would take ETW traces of SPNEGO and Kerberos on the server machine.
Hao
- Ged, can you also get IIS logs/failed request trace logs? http://learn.iis.net/page.aspx/266/troubleshooting-failed-requests-using-tracing-in-iis-70/ has instructions to get the failed request trace.
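
Added example (not code from any poster in this thread): the two WinHTTP traces above fail at different layers, first during the TLS handshake (0x800b0109, which is CERT_E_UNTRUSTEDROOT) and then at HTTP authentication (401 with Negotiate/NTLM challenges). The Python sketch below triages a pasted trace into those layers; the function and constant names are hypothetical, and the sample entries are copied from the traces in this thread.

```python
import re

# Every trace entry starts "HH:MM:SS.mmm ::*Session* ::" or "::*<request id>* ::".
# Splitting on that prefix also copes with traces pasted as one run-on line.
ENTRY = re.compile(r"\d\d:\d\d:\d\d\.\d{3} ::\*(?:Session|\d+)\* :: ?")
TRANSPORT = re.compile(r"Winsock/RPC/SSL/Transport error: (0x[0-9a-fA-F]+)")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})")
CHALLENGE = re.compile(r"^WWW-Authenticate: (\S+)")

SEC_I_CONTINUE_NEEDED = 0x90312    # handshake still in progress, not a failure
CERT_E_UNTRUSTEDROOT = 0x800B0109  # chain ends in a root the client does not trust

NEXT_STEP = {  # remedies are the ones suggested in the thread
    "tls-trust": "import the server certificate into the client's trusted root store",
    "tls-other": "look up the transport error code before touching credentials",
    "http-auth": "try an explicit WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL, "
                 "then collect IIS failed request traces",
    "ok": "no transport or authentication failure found",
}

def triage(trace):
    """Return the layer at which a WinHTTP trace shows the request failing."""
    tls_errors, status, offered = [], None, []
    for entry in ENTRY.split(trace):
        entry = entry.strip()
        m = TRANSPORT.search(entry)
        if m:
            code = int(m.group(1), 16)
            if code != SEC_I_CONTINUE_NEEDED:
                tls_errors.append(code)
        elif STATUS.match(entry):
            status = int(STATUS.match(entry).group(1))
        elif CHALLENGE.match(entry):
            offered.append(CHALLENGE.match(entry).group(1))
    if CERT_E_UNTRUSTEDROOT in tls_errors:
        stage = "tls-trust"
    elif tls_errors or "ERROR_WINHTTP_SECURE_FAILURE" in trace:
        stage = "tls-other"
    else:
        stage = "http-auth" if status == 401 else "ok"
    return {"stage": stage, "tls_errors": tls_errors, "status": status,
            "offered": offered, "next": NEXT_STEP[stage]}

# Sample entries copied from the two traces in this thread, joined as posted.
P1, P2 = "17:41:25.824 ::*0000001* :: ", "11:09:15.168 ::*0000001* :: "
FIRST = (P1 + "Winsock/RPC/SSL/Transport error: 0x90312 [SEC_I_CONTINUE_NEEDED] "
         + P1 + "Winsock/RPC/SSL/Transport error: 0x800b0109 [?] "
         + P1 + "WINHTTP_CALLBACK_STATUS_REQUEST_ERROR: Failure API = "
         "API_SEND_REQUEST, Error = ERROR_WINHTTP_SECURE_FAILURE")
SECOND = (P2 + "HTTP/1.1 401 Unauthorized " + P2 + "WWW-Authenticate: Negotiate "
          + P2 + "WWW-Authenticate: NTLM " + P2 + "Date: Mon, 02 Nov 2009 11:09:16 GMT")
```

A 401 that offers Negotiate and NTLM means the TLS channel is already up, so certificate trust is no longer the issue and the remaining work is on credentials and server-side authentication settings.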

