The HTTP request was forbidden with client authentication scheme 'Basic'. The remote server returned an error: (403) Forbidden.

  • Question

  • I followed the links below to create a self-signed cert and configure IIS for the same. I am using Transport security with Basic authentication.

    But I get the exception below when I make a call to the service.

    https://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/

    https://www.jayway.com/2014/10/27/configure-iis-to-use-your-self-signed-certificates-with-your-application/

    at System.Threading.ThreadHelper.ThreadStart()</StackTrace><ExceptionString>System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Basic'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.

    My client code is as below:

    WSHttpBinding binding = new WSHttpBinding();
    binding.Name = "Main";
    binding.HostNameComparisonMode = HostNameComparisonMode.StrongWildcard;
    binding.Security.Mode = SecurityMode.Transport;
    binding.ReliableSession.Enabled = false;
    binding.TransactionFlow = false;

    OMCFApp.OMCFServiceReference.ConnectorFrameworkClient proxy = new OMCFServiceReference.ConnectorFrameworkClient(); //OmcfServiceReference.ConnectorFrameworkClient();

    proxy.ClientCredentials.UserName.UserName = @"Axyz";
    proxy.ClientCredentials.UserName.Password = "ssd234";

    After this, the call to the web service method fails.

    I appreciate any help on this. I have tried many, many ways to resolve the issue, but no luck.

    Thursday, September 1, 2016 12:14 AM

All replies

  • Hi KadamSwati,

    Do you have any settings in the client's configuration file? Based on your code, you did not use the binding and address in “OMCFApp.OMCFServiceReference.ConnectorFrameworkClient”, and you did not set Transport.ClientCredentialType to “HttpClientCredentialType.Basic”.

    Here is simple client code for Transport security with Basic authentication.

    // Create the binding.
    WSHttpBinding myBinding = new WSHttpBinding();
    myBinding.Security.Mode = SecurityMode.Transport;
    myBinding.Security.Transport.ClientCredentialType =
        HttpClientCredentialType.Basic;
    
    // Create the endpoint address. Note that the machine name 
    // must match the subject or DNS field of the X.509 certificate
    // used to authenticate the service. 
    EndpointAddress ea = new
        EndpointAddress("https://machineName/Calculator");
    
    // Create the client. The code for the calculator 
    // client is not shown here. See the sample applications
    // for examples of the calculator code.
    CalculatorClient cc =
        new CalculatorClient(myBinding, ea);
    // The client must provide a user name and password. The code
    // to return the user name and password is not shown here. Use
    // a database to store the user name and passwords, or use the 
    // ASP.NET Membership provider database.
    cc.ClientCredentials.UserName.UserName = ReturnUsername();
    cc.ClientCredentials.UserName.Password = ReturnPassword();
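    try
    {
        // Begin using the client.
        cc.Open();
        Console.WriteLine(cc.Add(100, 11));
        Console.ReadLine();

        // Close the client.
        cc.Close();
    }
    catch (CommunicationException)
    {
        // A faulted channel cannot be closed; abort it instead.
        cc.Abort();
        throw;
    }
    catch (TimeoutException)
    {
        cc.Abort();
        throw;
    }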
    

    You could refer to the link below for more information.

    # Transport Security with Basic Authentication
    https://msdn.microsoft.com/en-us/library/ms733775%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Edward


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.


    Thursday, September 1, 2016 6:00 AM

  • I am still getting the same issue. I am using Transport security with Basic authentication.

    I made the above changes in the code. Please have a look at my config file.


    // Create a WSHttpBinding and set its property values.
    WSHttpBinding binding = new WSHttpBinding();
    binding.Name = "Main";
    binding.HostNameComparisonMode = HostNameComparisonMode.StrongWildcard;
    binding.Security.Mode = SecurityMode.Transport;
    binding.Security.Transport.ClientCredentialType =
        HttpClientCredentialType.Basic;
    binding.ReliableSession.Enabled = false;
    binding.TransactionFlow = false;

    EndpointAddress endpoint = new EndpointAddress("https://resolvetest-3.com:51905/ConnectorFramework?wsdl");
    // Define the Web service URI endpoint address for the Web service
    // that is used to create the connector.
    string uriEndpointAddress = "https://resolvetest-3.com:51905/ConnectorFramework?wsdl";

    OMCFApp.OMCFServiceReference.ConnectorFrameworkClient proxy = new OMCFServiceReference.ConnectorFrameworkClient(binding, endpoint); //OmcfServiceReference.ConnectorFrameworkClient();

    proxy.ClientCredentials.UserName.UserName = @"usernamer";
    proxy.ClientCredentials.UserName.Password = "Rassword";
    proxy.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, " 03 a0 d4 fe 63 d6 46 43 63 0f 7f 56");

    My client config file is :

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>
        <diagnostics wmiProviderEnabled="true">
          <messageLogging
              logEntireMessage="true"
              logMalformedMessages="true"
              logMessagesAtServiceLevel="true"
              logMessagesAtTransportLevel="true"
              maxMessagesToLog="3000" />
        </diagnostics>
        <bindings>
          <wsHttpBinding>
            <binding name="Main">
              <security mode="Transport">
                <transport clientCredentialType="Basic" proxyCredentialType="None" realm="" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <client>
          <endpoint address="https://resolvetest-3.com:51905/ConnectorFramework"
                    binding="wsHttpBinding" bindingConfiguration="Main"
                    contract="OMCFServiceReference.IConnectorFramework"
                    name="Main" />
        </client>
      </system.serviceModel>

      <system.diagnostics>
        <sources>
          <source name="System.ServiceModel"
                  switchValue="Information, ActivityTracing"
                  propagateActivity="true">
            <listeners>
              <add name="traceListener"
                   type="System.Diagnostics.XmlWriterTraceListener"
                   initializeData="c:\log\NewTraces.svclog" />
            </listeners>
          </source>
        </sources>
      </system.diagnostics>
    </configuration>

    Thursday, September 1, 2016 11:40 PM
  • Hi KadamSwati,

    Based on your code, there is no obvious issue. If you have consumed your service in code, there is no need to configure in the config file.

    Based on Certificate Validation Differences Between HTTPS, SSL over TCP, and SOAP Security,

    When using HTTPS to communicate between a client and a service, the certificate that the client uses to authenticate to the service must support chain trust. That is, it must chain to a trusted root certificate authority. If not, the HTTP layer raises a WebException with the message "The remote server returned an error: (403) Forbidden."

    To check whether it is related to the certificate, I suggest you try the code below, which ignores the server certificate and tells the service point manager that whatever certificate is fine, which can seriously compromise client security.

    System.Net.ServicePointManager.ServerCertificateValidationCallback +=
        (se, cert, chain, sslerror) =>
        {
            return true;
        };
    

    For certificates in WCF, I suggest you refer to the link below:

    # How to: Create and Install Temporary Client Certificates in WCF During Development

    https://msdn.microsoft.com/en-us/library/ff650751.aspx

    Best Regards,

    Edward




    Friday, September 2, 2016 6:36 AM
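
An added example, not part of the original thread: a diagnostic alternative to the `return true` callback in the reply above, which logs why server certificate validation fails while keeping the normal verdict. The class name `TlsDiagnostics` and its method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class TlsDiagnostics
{
    // Call once at startup, before the first WCF call is made.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndKeepVerdict;
    }

    static bool LogAndKeepVerdict(object sender, X509Certificate cert,
                                  X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("Server cert subject: {0}",
                          cert == null ? "(none)" : cert.Subject);
        Console.WriteLine("SslPolicyErrors:     {0}", errors);

        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                // For example UntrustedRoot, when a self-signed certificate
                // is not in the Trusted Root store of the calling machine.
                Console.WriteLine("Chain status: {0} - {1}",
                                  status.Status, status.StatusInformation.Trim());
            }
        }

        // Unlike "return true", the normal verdict is preserved: a bad
        // certificate still fails the call, but the reason is now logged.
        return errors == SslPolicyErrors.None;
    }
}
```

A 403 is an HTTP response, so it is received only after the TLS handshake has completed; if this callback logs `SslPolicyErrors: None`, the server certificate is not what the 403 is about.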
  • Hello ,

    My web service is installed in a different domain than that of the machine from which I am making the service calls.

    Because of the different domains, I went for Transport security with Basic authentication.

    Now I have installed a client certificate that is signed by a root authority under Current user/personal/certificate on the machine. I have also installed a server certificate, signed by a root authority, on the server where the service is installed.

    Below is a snapshot of the client certificate:

    Also, below is a snapshot of the server certificate that is installed on the server machine, whose domain is different from that of the machine from which I am making the service calls.

    Do you see if I have done anything wrong here? I appreciate your response. Thank you.

    Friday, September 2, 2016 5:09 PM
  • I also tried to add the code snippet and still getting the same response:

    An unhandled exception of type 'System.ServiceModel.Security.MessageSecurityException' occurred in mscorlib.dll

    Additional information: The HTTP request was forbidden with client authentication scheme 'Basic'.

    {"The remote server returned an error: (403) Forbidden."}

    Friday, September 2, 2016 5:11 PM
  • Hi KadamSwati,

    >> My web service is installed in a different domain than that of the machine from which I am making the service calls.

    For cross domain, do they trust each other? To check whether it is related to the different domains, I suggest you test with the service and client in the same domain.

    For basic authentication in IIS, I suggest you check whether Basic Authentication is enabled in IIS for your WCF service.

    Best Regards,

    Edward





    Monday, September 5, 2016 7:02 AM
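
An added example, not part of the original thread: one way to see from the client side whether the endpoint offers Basic authentication, by sending a request with no credentials and reading the status code and `WWW-Authenticate` header. `AuthProbe` and `Describe` are hypothetical names; the URL is supplied by the caller.

```csharp
using System;
using System.Net;

static class AuthProbe
{
    // Sends one request with no credentials and no client certificate,
    // then reports how the server answered.
    public static string Describe(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        request.AllowAutoRedirect = false;
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                return "No authentication demanded: HTTP " + (int)response.StatusCode;
            }
        }
        catch (WebException ex)
        {
            var response = ex.Response as HttpWebResponse;
            if (response == null)
            {
                // No HTTP response at all: DNS, TCP or TLS failure.
                return "Transport failure: " + ex.Status;
            }
            using (response)
            {
                // Multiple challenge headers are returned comma-joined.
                string challenge = response.Headers["WWW-Authenticate"];
                if (response.StatusCode == HttpStatusCode.Unauthorized)
                    return "401, schemes offered: " + (challenge ?? "(none)");
                if (response.StatusCode == HttpStatusCode.Forbidden)
                    return "403 before any credentials were sent";
                return "HTTP " + (int)response.StatusCode;
            }
        }
    }
}
```

A 401 whose challenge lists `Basic` means the scheme is enabled on the endpoint; a 403 on this credential-free request means the server refused the request before any user name or password was involved.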