WCF Windows Authentication not working

  • Question

  • Hi All,

    I have developed WCF services that need to run with Windows Authentication. For the SQL DB connection, the Integrated Security property in the connection string is set to SSPI.

    When I execute the service, I get following error msg: "The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'."

    The following settings are in my web.config:

    <system.web>
      <compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
      <identity impersonate="true"/>
      <authentication mode="Windows" />
    </system.web>

    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
            <message clientCredentialType="UserName" algorithmSuite="Default" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    Are there any changes to be made explicitly in the code? (I hope this will not be the case.) Or what changes should I make in the web.config? Kindly share your inputs ASAP. Note that I'm testing the service with WcfTestClient. The WCF service will be consumed by a non-.NET application.

    Thanks,


    alex

    Monday, February 13, 2012 6:38 AM

Answers

  • Hi Alex,

    Please let me know which OS and IIS version you are using.

    Approach 1:
    1. Make sure you have anonymous and Windows authentication enabled at root site level and virtual directory level.
    2. Have <authentication mode="Windows" /> under <system.web>
    3. Have <security mode="None"> under binding

    I have tested the above with the binding configuration you posted and it is working fine.

    Approach 2:
    Yes, as you mentioned, this is because of the Internet User account. If this is IIS7, for the app pool identity, make sure you configure an authenticated account instead of the default app pool identity account. SQL Server will authenticate against this. Refer to http://learn.iis.net/page.aspx/624/application-pool-identities/ for more details on configuring this. If you plan to use logged-in user authentication, then it is complex to maintain at the DB level, as already discussed. For doing so, you can either enable impersonation or set the thread identity to the Windows user after authentication (through a custom authentication provider).

    Thanks and Regards,


    Vijay Pandurangan

    • Marked as answer by Alex Cardo Thursday, February 23, 2012 6:01 AM
    Tuesday, February 21, 2012 12:57 PM

All replies

  • Can you try changing this line -

    <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />

    to -

    <transport clientCredentialType="Negotiate" proxyCredentialType="None" realm="" />

    I had a similar issue with a WCF service that I was working on, though I don't remember the details...

    Monday, February 13, 2012 8:18 AM
  • You might also try disabling anonymous access to your application in the IIS settings.
    Monday, February 13, 2012 8:21 AM
  • Hello....

    If you have installed your service on IIS then make sure that the anonymous access is Disabled.

    To confirm this follow the below steps

    1) Open IIS and navigate to your service and open Authentication settings from Features View

    2) Now set the status of Anonymous Authentication to Disabled and the status of Windows Authentication to Enabled


    Regards, Hiren Bharadwa


    Monday, February 13, 2012 9:25 AM
    Thanks for your replies.

    But none of the above settings are working.

    Point 1: "Negotiate" is not a valid value. The valid enumerations are: None, Basic, Digest, Ntlm, Windows, Certificate

    Point 2: Even after trying all the above enumerations, it doesn't work. I get the error "Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service."

    Point 3: Even after enabling Anonymous access, the error is still there. (Preferably, I would like to prevent Anonymous Access)

    Any valuable suggestions?

    Thanks,


    alex


    • Edited by Alex Cardo Tuesday, February 14, 2012 9:24 AM
    Tuesday, February 14, 2012 9:23 AM
  • Alex,

    From your config above I assume you are trying to secure the transport channel with Windows credentials. If that is the case you can remove the message-level security you have specified (unless you are performing authentication again). Make sure that your access to the SQL Server database you need is also configured to use Windows authentication to log in.

    If it's just that you want to perform custom username/password authentication and secure your transport channel with SSL, then you need to use "TransportWithMessageCredential" as the value for the mode attribute in the security element. Once you have this, just keep anonymous authentication enabled on IIS, as you are performing your own custom authentication at the service level.

    I would suggest that it would be easier to get the service working without any problem and later add the needed security one by one as per your requirements.


    Rajesh S V

    Tuesday, February 14, 2012 9:59 AM
  • Hi Alex,

    I would like to know couple of things from you.

    1. You have mentioned that you have used SSPI (Integrated Security) for the DB and in web.config you have enabled identity impersonation, so have you planned to add all the Windows users to access the DB and maintain the permissions accordingly? If so, wouldn't that be a security issue, given that a person who knows the DB server details can access it directly?
    2. In production, will the user machine pass through routers or proxies? If so, transport-only authentication won't work, because transport-level security works only hop-to-hop. Refer to the "Pros and Cons of Transport-Level Security" section in http://msdn.microsoft.com/en-us/library/ms733137.aspx for more details.

    The reason for the above exception may reside at any stage of WCF service invocation; could you enable WCF diagnostic trace logs and analyze them for the exact reason for the failure of security verification?


    Vijay Pandurangan



    Tuesday, February 14, 2012 3:05 PM
  • Sincere thanks to you Vijay. It seems it's getting more interesting now.

    I forgot to mention that I have set identity impersonation to false already. I just want to achieve Windows Authentication, and on top of it I would like to ensure that just hitting the proxy shouldn't invoke the service. So, what security mechanism is advisable here? Yes, in production the user machine is going to pass through proxies.

    I am evaluating all the best possible options and trying to implement them to see their behaviour as well.

    Will this require any changes in the coding or is just a part of configuration? Would like to know your thoughts.

    Thanks,


    alex



    • Edited by Alex Cardo Tuesday, February 14, 2012 5:17 PM
    Tuesday, February 14, 2012 5:15 PM
  • Hi Alex,

    Sorry for the delayed response. 

    Does your service need authentication as well as authorization, or only authentication?

    1. If it is only authentication, then you can hand over the authentication part to IIS (through Windows authentication) and expose the service without any security. But this will result in all the communication (though it is in the internal network) being transparent on the network.
    2. If it involves authorization also, then it is a bit complex to solve the issue as the service is going to be consumed by a non-.NET application.
       Again, the solution depends on who the client will be, i.e., if the client has a sophisticated SOAP engine/interface which supports providing username authentication and Windows authentication, then it can be achieved through message-level security (through Username, which will provide an HTTPS WCF service and hence the communication will be secured). If the client does not support many of the advanced SOAP features by default, then we need to analyze the possible implementation complexity (viz., amount and complexity of server-side work, client-side work, possibility of implementing within the timeframe etc.) and conclude the solution.

    Thanks and Regards,


    Vijay Pandurangan

    Wednesday, February 15, 2012 6:20 AM
  • Not a problem at all Vijay. The service consuming clients are Perfectus and Peoplesoft.

    Further, I am planning to have authentication(windows authentication) in such a way that,

    Option 1: The services would be accessible to a particular group only. Any user falling outside that group should not be able to invoke the services.

    Option 2: Just have plain windows authentication.

    Before I go with option 1, I want to make sure that at least windows authentication is working smoothly. And then the enhancements can be done.

    Also, I would like to mention that I have disabled Anonymous Authentication.

    Thanks once again,


    alex


    • Edited by Alex Cardo Wednesday, February 15, 2012 8:59 AM
    Wednesday, February 15, 2012 8:59 AM
  • Hi Alex,

    Thanks for the update.

    As far as I understood, you planned to implement only Authentication. If so, you can enable Windows authentication in IIS and in web.config <authentication mode="Windows" />, and configure the endpoint without any security: <security mode="None">. This will make sure the WCF service is called only by authenticated Windows users. If you plan to restrict the users of the service, you can achieve this by restricting user permissions on the folders (refer to http://support.microsoft.com/kb/815151 for more details).

    This way, you don't need extra customization on the service side, and the client side will consume the service without much complexity, as this will be just a plain SOAP call.

    Thanks and Regards,


    Vijay Pandurangan

    • Marked as answer by Yi-Lun Luo Friday, February 17, 2012 11:39 AM
    • Unmarked as answer by Alex Cardo Tuesday, February 21, 2012 9:51 AM
    Wednesday, February 15, 2012 10:02 AM
  • Thanks Vijay. I am fighting hard to run my service. I tried the approaches below:

    Approach 1: As mentioned in your earlier post, if I configure my endpoint as <security mode="None">, then it throws an error as soon as I invoke my service. Error msg: "If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address. Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service." Even after enabling Anonymous Access in IIS, the problem continues.

    Approach 2: When I configure my endpoint as <security mode="TransportCredentialOnly">, then the service is successfully invoked. But when I run one of its methods, it throws the error: "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication." Even after setting Integrated Authentication to True, the problem continues. To tackle this error, I found http://blogs.msdn.com/b/dataaccesstechnologies/archive/2010/01/29/testing-connection-to-sql-server-from-a-service-running-under-local-system-account.aspx very good. Again, no luck with this.

    My web.config looks like the below:

    <bindings>
      <basicHttpBinding>
        <binding name="MyBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <services>
      <service behaviorConfiguration="WindowsAuthenticationBehavior" name="abc.xyz.LoggingService">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="MyBinding" contract="abc.xyz.ILogging"/>
        <!--<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>-->
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="WindowsAuthenticationBehavior">
          <serviceMetadata httpGetEnabled="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>


    I also read that when running an application hosted on IIS, it runs under "domain\machineName$". And as this account is not configured on the SQL Server, it throws the login failed error. Is that so?

    Where am I going wrong? Any explicit setting which I am missing? Kindly let me know your thoughts on this.

    Thanks,


    alex




    • Edited by Alex Cardo Tuesday, February 21, 2012 10:40 AM
    Tuesday, February 21, 2012 10:11 AM
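    An added example, not the poster's web.config or anything from the thread: a configuration for the service named above that requires Windows credentials on every call and avoids the two errors discussed (the 'Anonymous' Authentication requirement and the SQL login arriving as the machine account). It assumes IIS 7 with Windows Authentication enabled and Anonymous Authentication disabled for the application, and an application pool running as a domain account that has a SQL Server login; SQLHOST, LoggingDb, DOMAIN\WcfSvc and DOMAIN\WcfCallers are placeholders.

```xml
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- Impersonation off: database access runs as the application pool account (placeholder
         DOMAIN\WcfSvc, which needs a SQL Server login), not as each calling user, so no
         per-user SQL logins and no credential delegation are needed. -->
    <identity impersonate="false" />
  </system.web>
  <connectionStrings>
    <!-- Placeholder server and database; Integrated Security=SSPI authenticates as the pool account. -->
    <add name="Logging" providerName="System.Data.SqlClient"
         connectionString="Data Source=SQLHOST;Initial Catalog=LoggingDb;Integrated Security=SSPI" />
  </connectionStrings>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="WindowsAuthBinding">
          <!-- Plain HTTP with Windows (Negotiate: Kerberos or NTLM) client credentials. The
               <message clientCredentialType="UserName"> element from the original post is
               dropped: it is ignored in this mode. -->
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="abc.xyz.LoggingService" behaviorConfiguration="WindowsAuthenticationBehavior">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="WindowsAuthBinding"
                  contract="abc.xyz.ILogging" />
        <!-- No mexHttpBinding endpoint: it carries no transport security, so with Anonymous
             Authentication disabled in IIS it triggers the "require 'Anonymous' Authentication"
             error; the WSDL is still available through httpGetEnabled below. -->
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="WindowsAuthenticationBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <!-- Expose the caller's Windows groups as roles, so a
               [PrincipalPermission(SecurityAction.Demand, Role = @"DOMAIN\WcfCallers")] attribute
               on an operation limits the service to one group (the thread's Option 1). -->
          <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

    With this binding the WCF layer sees the authenticated caller, whereas with <security mode="None"> the service itself treats every call as anonymous and any group demand on an operation would fail.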
  • Alex, can you post the behaviorConfiguration section as well? Also, have you tried enabling tracing and inspecting the trace logs?

    Regarding your first approach, for the error "check that you have enabled metadata publishing at the specified address", just uncomment the mex endpoint and that should take care of it.


    Rajesh S V

    Tuesday, February 21, 2012 10:32 AM
  • Please find the behavior config section updated in my last post. Thanks,

    alex

    Tuesday, February 21, 2012 10:50 AM
  • My Dev environment used WinXP with IIS 5.1 whereas Test has Win Server 2008R2 Std with IIS 6.1

    First, I am trying to host and run this on the Dev environment. If it works, I will go ahead with Test. Thanks once again.


    alex

    Wednesday, February 22, 2012 4:51 AM
  • Sincere thanks Vijay. It's now working!


    alex

    Thursday, February 23, 2012 6:01 AM
  • I have a similar issue. I am trying to communicate with WCF from a Script task of SSIS.

    Receiving the error:

    The HTTP request is unauthorized with client authentication scheme 'Basic'. The authentication header received from the server was 'Negotiate,NTLM,Basic realm="web-dev.pnet.com"'.

    Can anybody help?

    Tuesday, April 10, 2012 6:39 AM
    • Proposed as answer by Jason Sauers Monday, April 4, 2016 3:00 PM
    Sunday, March 13, 2016 2:34 PM