The server has rejected the client credentials in WCF

    Question

  • Good morning,

     

    I have a rather large problem with WCF. I wrote a small test console application which hosts a WCF service.

    I use NetTcpBinding. As long as I tried everything on the local host, all this functioned marvelously. Then I also tried it between two Vista PCs; everything ran here without any problem as well.

    Then I tried to contact a WinXP desktop. That failed. The XP client gave the following error message:

    The server has rejected the client credentials.

    I tried again on another XP machine, and on that machine I got the same problem:

    The server has rejected the client credentials.

    I must try that out now once again between XP and XP.

    What is to be done here, and where exactly does the problem lie? Is it because of WinXP, or is it something I am missing in WCF while creating the service?

    I don't think that there is an error in WCF, because the application runs successfully on both Vista machines.

    Maybe there is an operating system issue (does WCF need Vista to run perfectly, or what?)

    If that is the situation, then please tell me the solution to this problem and the factors that produce it (to run a WCF application on a Windows XP/2003 Server machine).

     

    Thanks,

    Nisarg

    Saturday, May 26, 2007 9:30 AM

All replies

  • I believe the .NET 3.0 fx, which comprises WCF/WF/WPF etc., needs at least WinXP SP2. Do you have the latest service pack for your XP systems?

     

     

    Monday, May 28, 2007 2:57 PM
  • Hi Dwight Goins

    Thanks for the reply. I tested this application on an XP SP2 system and on Windows Server 2003 SP1 as well, but I am getting the same error.

    In any case, I don't want to put such restrictions on the application, like the application running only under Vista or XP SP2. It should run on any operating system, because I think that any application developed in the latest version should be compatible with the older versions of the Microsoft OS.

    By the way, what can I do to run the application on Windows Server 2003 or Windows XP SP2, and what are the reasons that the application runs successfully on Vista and not on other OSes?

     

    Thanks.

    Nisarg

    Thursday, May 31, 2007 10:51 AM
  • Hey

     

    I've been struggling with this for a couple of days now. 

    I first started on .NET Remoting and found that I can get the error to go away if I do the following two things:

    1. Make sure that the username and password that you're logged on with on the client also exist on the server.  If you're logged in on the client as Username "Test" and password "123456", you will need to create that exact username and password on the computer hosting the service as well.
    2. Go to Control Panel -> Administrative Tools -> Local Security Policy.  Then go to the User Rights Assignment node.  For "Access this computer from the network", make sure that "Authenticated Users" is added to your list.

    In .NET Remoting, I tried using different credentials to impersonate or something, but the program just froze without ever throwing an exception.  Since I couldn't find a solution for that and nobody has been able to give me a solution on the forums I've posted on, I've switched to WCF for now.  I'm still trying to find out how to connect to the service with different credentials via WCF.

     

    I would however prefer to use remoting (via tcp) because we have a lot of customers still running on Windows 2000 servers and clients.

     

    Regards

     

    Wimpie van Lingen

    Wednesday, June 06, 2007 10:31 PM
  • I'm also getting the same error when I attempt to call my service from another computer. I'm using the NetTcp sample from Microsoft that creates the "classic" calculator (add/sub/mult/div) service. If the client and server run on the same machine, it works fine, but when I run the server on another machine, SecurityNegotiationException is thrown on the line
      Dim result as Double = client.Add(value1, value2)
    The above line is the line where the service is actually called. The exception also says "The server has rejected the client credentials." Solution would be appreciated!
    Wednesday, July 04, 2007 10:57 AM
  • Have you set the ClientCredential property to a domain credential, custom credential or a machine credential? Is it using Windows authentication?

     

    Wednesday, July 04, 2007 6:05 PM
  • I solved the problem of authenticating. Apparently, the issue was that I had not set the properties of client.ClientCredentials.Windows.ClientCredential.

    When I inspected the client object during debugging, it contained a reference to ClientCredentials (System.ServiceModel.Description.ClientCredentials) in which
    the .UserName.UserName and .UserName.Password were Nothing, and the .Windows.ClientCredential's .Domain, .Password and .UserName were Nothing with .Windows.AllowedImpersonationLevel = Identification {2}.

    In App.config on the server, under
    <configuration><system.serviceModel><bindings><netTcpBinding>, there was a tag defined as follows:

        <security mode="Transport">
          <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
        </security>

    Apparently, to make the client authenticate to the server with clientCredentialType="Windows" in the same successful way as when the client and server were running on the same machine over netTcpBinding, it was necessary (and sufficient) to add, before the call to Client.Open():

        ' Supply explicit Windows credentials before the channel is opened.
        With client.ClientCredentials
            With .Windows
                With .ClientCredential
                    .Domain = "192.168.0.xx"
                    .UserName = "myusername"
                    .Password = "mypassword"
                End With
            End With
        End With

    The user name I used is an administrator of the computer. The above worked correctly. Very simple but just not clearly documented or googlable. The solution proposed earlier in the thread e.g. to create the same account (user name/password) on the client and server machines probably only works if the account created on both machines is logged on and used to start the client, since the client would pass this authentication information if it doesn't have anything else specified to pass. This solution is therefore limited to situations where these two preconditions, (1) same user name and password accounts created on both client/server machine and (2) user is already authenticated on client can be met simultaneously.

    Thursday, July 05, 2007 2:23 AM
  • Just noticed that it's important to realise the difference between ClientCredentials.UserName and ClientCredentials.Windows.ClientCredential. Because my server is authenticating using Windows, I must use the 2nd for the server to accept the credentials. Hope this helps someone!

    Saturday, July 05, 2008 10:14 AM
  • Also, I believe that the default setting for netTcpBinding is to use Transport security with EncryptAndSign protection, so there's no need to explicitly specify this in your config file. Please could somebody verify that this is correct?

    Saturday, July 05, 2008 10:23 AM
  • Nick, you are correct about there being a difference between the UserName and Windows.  In the UserName case, WCF will attempt to log on to the service; if the user doesn't have an account on that machine, it will fail.  In the Windows case, WCF will perform SPNego to negotiate credentials.

     

    Wednesday, July 09, 2008 4:24 AM
  •  

    If you try to run some sample for TCP binding where the host and the client are on two different machines, and the only thing in the app.config of the client is the endpoint, with no additional binding configuration, such as the following:

    <endpoint binding="netTcpBinding" contract="MyServiceContract" address="net.tcp://some.remote.domain.com:1234/EndpointRelativeAddress"></endpoint>

    Then the host and the client need to run under identical credentials (username and password) on both machines.

    Probably you had the same credentials on both Vista machines and it seemed to you that it is some kind of OS problem, but in fact you started the host while logged in as the same user, with the identical password (not sure about this password thing), as in the client.
    My case was running the host as a console application under W2k3 and the client on W2k8.
    Monday, October 27, 2008 11:22 AM
  •  

    For internal TCP services, set your binding security mode to none.

    <system.serviceModel>
        <client>
          <endpoint address               = "net.tcp://MyPC/MyService"
                    binding               = "netTcpBinding"
                    name                  = "WindowsService"
                    bindingConfiguration  = "tcp_Unsecured"
                    contract              = "IMyContract" />
        </client>
        <bindings>
          <netTcpBinding>
            <binding name="tcp_Unsecured">
              <security mode="None"></security>
            </binding>
          </netTcpBinding>
        </bindings>
      </system.serviceModel>

     

    http://msdn.microsoft.com/en-us/library/ms734784.aspx

    Monday, March 02, 2009 8:13 PM
  • Hi Guys,

    Is this problem solved for anyone? I have the same situation. My service is a self-hosted service in a console application project. The client is also a console app. It works fine when both are on the same machine, but when I put the client on a different machine the problem starts. It throws the following message:

    "The server has rejected the client credentials.

    8/09/2011 3:08:28 PM__Inner Exception:System.Security.Authentication.InvalidCredentialException: The server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed"

     

    Here is my server app.config file:

    ------------------------------------------------------------------------------------------------------------------------------------

    <?xml version="1.0"?>
    <configuration>
      <system.serviceModel>
        <services>
          <service behaviorConfiguration="netTcpBehavior" name="ExportDataService.ExportService">
            <endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBindingEndpointConfig "
              name="NetTcpBindingEndpoint" contract="ExportDataService.IExportService">
              <identity>
                <userPrincipalName />
                <dns value="10.28.12.73" />
              </identity>
            </endpoint>
            <endpoint address="mex" binding="mexTcpBinding" bindingConfiguration=""
              name="mexTcpBindingEndpoint" contract="IMetadataExchange" />
            <host>
              <baseAddresses>
                <add baseAddress="net.tcp://10.28.12.73:8523/ExportDataService" />
              </baseAddresses>
            </host>
          </service>
        </services>

        <bindings>
          <netTcpBinding>
            <binding name="NetTcpBindingEndpointConfig ">
              <security mode="Transport">
                <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
              </security>
            </binding>
          </netTcpBinding>
        </bindings>

        <behaviors>
          <serviceBehaviors>
            <behavior name="netTcpBehavior">
              <serviceMetadata httpGetEnabled="false"/>
              <serviceDebug includeExceptionDetailInFaults="false"/>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
      </system.serviceModel>
      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>

    </configuration>

    ------------------------------------------------------------------------------------------------------------------------------------

    Here is my client app.config file:

    ------------------------------------------------------------------------------------------------------------------------------------

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.serviceModel>
        <bindings>
          <netTcpBinding>
            <binding name="NetTcpBindingEndpoint" closeTimeout="00:01:00"
                openTimeout="00:01:00" receiveTimeout="10:10:10" sendTimeout="00:01:00"
                transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
                hostNameComparisonMode="StrongWildcard" listenBacklog="10"
                maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
                maxReceivedMessageSize="65536">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                  maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <reliableSession ordered="true" inactivityTimeout="00:10:00"
                  enabled="false" />
              <security mode="Transport">
                <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
              </security>
            </binding>
          </netTcpBinding>
        </bindings>
        <client>
          <endpoint address="net.tcp://10.28.12.73:8523/ExportDataService"
              binding="netTcpBinding" bindingConfiguration="NetTcpBindingEndpoint"
              contract="IExportService" name="NetTcpBindingEndpoint">
            <identity>
              <dns value="10.28.12.73" />
            </identity>
          </endpoint>
        </client>
      </system.serviceModel>
    </configuration>

    ------------------------------------------------------------------------------------------------------------------------------------

     

    And here is the code where I am passing the credentials to my proxy object:

    obj.ClientCredentials.Windows.ClientCredential.Domain = "domain";
    obj.ClientCredentials.Windows.ClientCredential.UserName = "username";
    obj.ClientCredentials.Windows.ClientCredential.Password = "password";

    Both the machines are on the same domain, and the username is working fine on both the machines. Please help me with this.

    Thanks.

     

     

    Thursday, September 08, 2011 6:12 AM
  • On the client side, the security mode must also be None, as follows:

                <netTcpBinding>
                    <binding name="NetTcpBindingEndpoint" [...]>
    [...]
                        <security mode="None">
                        </security>
                    </binding>
                </netTcpBinding>

    Enjoy!

    • Proposed as answer by EphyL Tuesday, July 03, 2012 2:06 PM
    Tuesday, July 03, 2012 2:06 PM
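
An added example, not part of any post in this thread: with `mode="None"`, as in the two replies that suggest it, a netTcpBinding endpoint performs no client authentication and no encryption or signing. The Python sketch below resolves each netTcpBinding endpoint in an app.config to its effective security settings and flags such bindings. The function names and the sample XML are constructed for illustration, and the defaults assumed are netTcpBinding's own (Transport, Windows, EncryptAndSign).

```python
import xml.etree.ElementTree as ET

DEFAULTS = {"mode": "Transport", "clientCredentialType": "Windows",
            "protectionLevel": "EncryptAndSign"}  # netTcpBinding defaults

def effective_security(binding):
    """Effective settings of one <binding> element (None = not configured)."""
    eff = dict(DEFAULTS)
    sec = binding.find("security") if binding is not None else None
    transport = sec.find("transport") if sec is not None else None
    if sec is not None:
        eff["mode"] = sec.get("mode", eff["mode"])
    for key in ("clientCredentialType", "protectionLevel"):
        eff[key] = eff[key] if transport is None else transport.get(key, eff[key])
    return eff

def findings(eff):
    """Weaknesses implied by the settings; message-level modes are not assessed."""
    if eff["mode"] == "None":
        return ["no authentication, encryption or signing"]
    checks = [("clients are not authenticated", eff["clientCredentialType"] == "None"),
              ("traffic is not encrypted", eff["protectionLevel"] != "EncryptAndSign")]
    return [msg for msg, bad in checks if bad and eff["mode"] == "Transport"]

def audit(config_xml):
    """Return [(address, mode, findings)] for each netTcpBinding endpoint."""
    root = ET.fromstring(config_xml)
    named = {b.get("name", ""): b for b in root.findall(".//netTcpBinding/binding")}
    report = []
    for ep in root.iter("endpoint"):
        if ep.get("binding") == "netTcpBinding":
            eff = effective_security(named.get(ep.get("bindingConfiguration", "")))
            report.append((ep.get("address"), eff["mode"], findings(eff)))
    return report

SAMPLE = """<configuration><system.serviceModel><client>
  <endpoint address="net.tcp://MyPC/MyService" binding="netTcpBinding"
            bindingConfiguration="tcp_Unsecured" contract="IMyContract" />
  <endpoint address="net.tcp://10.28.12.73:8523/ExportDataService" binding="netTcpBinding"
            bindingConfiguration="NetTcpBindingEndpoint" contract="IExportService" />
</client><bindings><netTcpBinding>
  <binding name="tcp_Unsecured"><security mode="None" /></binding>
  <binding name="NetTcpBindingEndpoint"><security mode="Transport">
    <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
  </security></binding>
</netTcpBinding></bindings></system.serviceModel></configuration>"""  # constructed sample

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```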
  • http://www.techaray.com/post/2012/10/26/The-server-has-rejected-the-client-credentials-WCF-Error-NetTCpBinding-.aspx

    Saturday, October 27, 2012 1:18 PM