SetClientEndpoint for Kerberos

  • Question

  • Hi all,

    I'm trying to implement an event handler for a server which uses Kerberos.

    My code looks like this:

    private static void SetClientEndpoint(Guid pwaUid)
    {
        const int MAXSIZE = 500000000;
        const string svcRouter = "/_vti_bin/PSI/ProjectServer.svc";

        BasicHttpBinding binding = null;

        SPSite pwaSite = new SPSite(pwaUid);
        string pwaUrl = pwaSite.Url;

        if (pwaSite.Protocol.ToLower() == "https:")
        {
            // Create a binding for HTTPS.
            binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        }
        else
        {
            // Create a binding for HTTP.
            binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        }

        binding.Name = "basicHttpConf";
        binding.SendTimeout = TimeSpan.MaxValue;
        binding.MaxReceivedMessageSize = MAXSIZE;
        binding.ReaderQuotas.MaxNameTableCharCount = MAXSIZE;
        binding.MessageEncoding = WSMessageEncoding.Text;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        // The endpoint address is the ProjectServer.svc router for all public PSI calls.
        EndpointAddress address = new EndpointAddress(pwaUrl + svcRouter);

        // resClient is a static field of the containing class.
        resClient = new SvcResource.ResourceClient(binding, address);
        resClient.ChannelFactory.Credentials.Windows.AllowNtlm = false;
    }
    

    But this solution fails with this exception: "The remote server did not satisfy the mutual authentication requirement."

    What's wrong? The code or the configuration of Kerberos?

    Thank you!

    Thursday, December 15, 2011 9:30 AM

Answers

  • Hi,

    The problem in your code is the line:

    resClient.ChannelFactory.Credentials.Windows.AllowNtlm = false;

    Where you disable Windows authentication, change this to true and then, if required, as I said, disable NTLM in your IIS configuration in order to enforce Kerberos.

    The error message indicates that you have disabled Windows authentication and IIS is attempting to use client certificate authentication instead.

     

    Regards,


    Martin Laukkanen (Project Server Blog - www.nearbaseline.com/blog)
    Tuesday, January 3, 2012 10:29 PM

All replies

  • There are no problems with
    resClient.ChannelFactory.Credentials.Windows.AllowNtlm = true;
    Thursday, December 15, 2011 9:31 AM
  • Hi,

    I assume that you are trying to enforce Kerberos when authenticating? If so, then that should be done in the Web Application's IIS configuration: under the IIS settings for your Web Application, open Authentication -> Windows Authentication -> Providers. In there you can select NTLM or Negotiate (or both), and that will enforce the desired authentication type.

     

    HTH,


    Martin Laukkanen (Project Server Blog - www.nearbaseline.com/blog)
    Thursday, December 22, 2011 11:06 PM
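
The provider check described in the reply above, as an added example that is not part of the original thread: a PowerShell function that reads the Windows Authentication provider list for each site from an applicationHost.config fragment and reports the provider order. The XML, the site names and the function name are constructed for illustration.

```powershell
# Constructed sample: two <location> blocks shaped like applicationHost.config.
$sampleConfig = @'
<configuration>
  <location path="PWA Web App">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><add value="Negotiate" /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Legacy Site">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><add value="NTLM" /><add value="Negotiate" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

# Hypothetical helper: one result object per location with Windows auth enabled.
function Get-WindowsAuthProviderFinding {
    param([Parameter(Mandatory = $true)][string]$ConfigXml)

    $doc  = [xml]$ConfigXml
    $path = 'system.webServer/security/authentication/windowsAuthentication'
    foreach ($loc in $doc.SelectNodes('/configuration/location')) {
        $wa = $loc.SelectSingleNode($path)
        if ($null -eq $wa -or $wa.GetAttribute('enabled') -ne 'true') { continue }

        # Provider order is the order of the <add> elements.
        $providers = @($wa.SelectNodes('providers/add') |
            ForEach-Object { $_.GetAttribute('value') })

        if ($providers.Count -eq 0) {
            $finding = 'No providers set at this level (inherited)'
        } elseif ($providers -notcontains 'NTLM') {
            $finding = 'NTLM provider not offered'
        } elseif ($providers[0] -eq 'NTLM') {
            $finding = 'NTLM listed first'
        } else {
            $finding = 'Negotiate on top, NTLM still offered'
        }

        [pscustomobject]@{
            Location  = $loc.GetAttribute('path')
            Providers = $providers -join ', '
            Finding   = $finding
        }
    }
}

Get-WindowsAuthProviderFinding -ConfigXml $sampleConfig | Format-Table -AutoSize
```

Negotiate can itself select NTLM when the client cannot obtain a Kerberos ticket, so "Negotiate on top" does not by itself guarantee that Kerberos was used.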
  • Hi,

    The Web Applications are configured correctly - I hope so. NTLM and Negotiate are selected. Negotiate on top.

    Fiddler and "Kerberos Authentication Tester v0.9.2" confirm that Kerberos is activated. I can browse to the Sites and so on.

    So I think that the code above isn't correct. But I can't find the failure.

    Tuesday, January 3, 2012 10:15 AM
  • Thank you!!!!
    Friday, January 6, 2012 3:21 PM