Using PSI Proxy with CBA RRS feed

  • Question

  • Hello,

    I developed a SharePoint web part to import users from external system to project server 2010 users. I generated the PSI proxy based on project server 2010 SDK and used it to add the users.

    When I run my web part(hosted by SharePoint Web Part Page), it throws the following exception when it calls any PSI method:

    "The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'"

    My SharePoint site is configured to use CBA and it will not work correctly until I explicitly specify the username and password that should be used by proxy to get authenticated. But when I deploy my web part to a site configured to use Classic authentication, it works fine.

    What should I do to make it work with CBA without explicitly specify the username and password the should be used by proxy?

    One more thing, I'm using the same proxy in SharePoint custom workflow (not project server workflow) and it works correctly with CBA. Why?
    • Edited by tabudayyeh Tuesday, November 22, 2011 9:18 AM
    Tuesday, November 22, 2011 9:01 AM

All replies

  • Hi,

    I've banged my head up against this issue a few times, firstly though when you mention that you are able to use the same proxy in a Sharepoint custom workflow successfully I'm quite intrigued as to how that works, as from my investigations I haven't been able to get that working unless using the GetPSI method in a custom Project Server workflow activity, I'd be interested to see your implementation there.

    But back to your actual issue, from what I have previously implemented the problem is that using the standard SDK WCF proxy examples you don't at anypoint get your Claims token for the authentication.

    To do that (AFAIK) you need to retrieve the token first from something like ADFS, e.g.


    Personally I use the same easier method as used by SharePoint Enterprise Search (recall that for any Claims Auth web-application to be indexed search requires that you also have a Claims-Windows auth zone configured), basically just authenticate to the PSI using the URL for your claims web application that is configured to use Claims-Windows.

    One day I plan to sit down and solve this properly using ADFS to get my proper membership provider token, but until then the above works quite nicely. Especially since all my Claims web-apps have a Claims-Windows Zone for search indexing.



    Martin Laukkanen (Project Server Blog -
    Friday, November 25, 2011 9:45 AM