Security Issues - ASP.NET + WCF

  • Question

  • Hi All,

    I have an ASP.NET website that is a configuration/management UI for a WCF service hosted in IIS.

    The ASP.NET site will have Integrated Windows Authentication configured. However, when debugging I am running it with ASP.NET development server. The service is hosted on IIS when debugging.

    I have configured basic HTTP binding both in the service's web.config and in the website's web.config. I have specifically enabled:

    1. Impersonation on both components by adding <identity impersonate="true"/>
    2. Enabled ASP.NET compatibility mode on the service.
    3. Enabled authentication mode as NTLM on both components.
    4. Transport security for the basic HTTP binding as

    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" />
      <message clientCredentialType="UserName" algorithmSuite="Default" />
    </security>

    After all this, I am still not able to connect to the WCF service from ASP.NET code. I get the following error

    "The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'."

    I tried changing the transport client credential types to Windows, but that doesn't help.

    I have coded up the ASP.NET code as:

    MantisResultsServiceClient client = new MantisResultsServiceClient ("BasicHttpBinding_IMantisResultsService", serviceHost);
    client.ClientCredentials.Windows.ClientCredential.UserName = this.User.Identity.Name;
    client.ClientCredentials.Windows.AllowNtlm = true;
    client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
    client.Open ();
    List<TProductData> products = new List<TProductData> (client.GetAvailableProducts ());

    I have no idea why this happens since I am fairly new to WCF.

    Any ideas on what I am doing wrong?


    Thanks,

    Vijai.

    Friday, October 17, 2008 12:54 AM

Answers

  • Hello Umesh,

    Actually, yes, it was still an unauthorized error. However, I fixed the problem. I deleted the above properties and left it on. I had to change the binding configuration to Windows on client and service and also impersonate the user in the web UI. That worked correctly.

    Thanks,

    Vijai.
    Saturday, October 25, 2008 5:16 PM
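
The fix described in this answer, sketched as configuration (an added example, not the poster's actual files): the transport `clientCredentialType` is `Windows`, which maps to the Negotiate scheme, in both web.config files, and the web UI impersonates the caller. The binding name `WindowsOverHttp`, the `Mantis.*` type names and the endpoint address are assumptions; the client endpoint name is the one from the question.

```xml
<!-- Added example: two web.config fragments; "assumed" marks names not in the thread. -->

<!-- 1) WCF service web.config (IIS, Integrated Windows Authentication enabled) -->
<system.web>
  <authentication mode="Windows" />
  <identity impersonate="true" />
</system.web>
<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  <bindings>
    <basicHttpBinding>
      <binding name="WindowsOverHttp"> <!-- assumed name -->
        <security mode="TransportCredentialOnly">
          <!-- the question had clientCredentialType="Ntlm" here -->
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="Mantis.MantisResultsService"> <!-- assumed type name -->
      <endpoint address="" binding="basicHttpBinding"
                bindingConfiguration="WindowsOverHttp"
                contract="Mantis.IMantisResultsService" /> <!-- assumed contract -->
    </service>
  </services>
</system.serviceModel>

<!-- 2) ASP.NET web UI web.config (the WCF client) -->
<system.web>
  <authentication mode="Windows" />
  <!-- outgoing calls run as the signed-in user, so no credentials are set in code -->
  <identity impersonate="true" />
</system.web>
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="WindowsOverHttp"> <!-- must match the service's security settings -->
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint name="BasicHttpBinding_IMantisResultsService"
              address="http://service-host.example/MantisResultsService.svc"
              binding="basicHttpBinding" bindingConfiguration="WindowsOverHttp"
              contract="Mantis.IMantisResultsService" /> <!-- address and contract assumed -->
  </client>
</system.serviceModel>
```

`TransportCredentialOnly` authenticates the caller but sends messages over plain HTTP without transport encryption. If the browser, the web UI and the service run on separate machines, the impersonated identity can only reach the service through Kerberos delegation, because NTLM credentials do not survive the second hop.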

All replies

  • What's happening is your web server is sending a 'Negotiate,NTLM' header while your client supports only NTLM. You can work around it by telling the server to use only NTLM. Try this article:
    http://support.microsoft.com/kb/215383/en-us
    Set NTAuthenticationProviders as NTLM
    • Proposed as answer by UmeshMR Saturday, October 18, 2008 12:23 AM
    Saturday, October 18, 2008 12:22 AM
  • Thanks Umesh. I set the properties

    W3SVC/NTAuthenticationProviders
    W3SVC/1/NTAuthenticationProviders

    both to "NTLM". That just changes the error message to indicate that the client sent Ntlm and the server sent NTLM. So, no, that doesn't work.

    Thanks though,

    Vijai.
    Tuesday, October 21, 2008 1:48 AM
  • And do you still see an UnAuthorized error?
    Friday, October 24, 2008 9:49 PM