none
Can I see more details on "The HTTP request is unauthorized with client authentication scheme 'Negotiate'... RRS feed

  • Question

  • Hi,

    Is there a way to see exactly WHY this error is happening? Can I ask the admins to check logs and look for anything particular?  I appears I'm using Windows Authentication OK but it's not sending the credentials with the Kerberos ticket?  I've tried untold combinations of config settings with no luck.  Are there other tools that can help me debug?

    I'm receiving the following when calling a webservice from a dev server (Windows 2003) to a service hosted on Windows 2008.

    The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.  But it works from my local machine when calling the same wcf service.

    I'm using Windows Authentication and setting proxy.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;

    I've remoted into the dev server and checked Fiddler. 

    I see that I'm sending a Kerberos ticket:

    No Proxy-Authorization Header is present.

    Authorization Header (Negotiate) appears to contain a Kerberos ticket:

    With the response:

    HTTP/1.1 500 Internal Server Error
    Date: Thu, 13 Mar 2014 12:23:41 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    WWW-Authenticate: Negotiate
    SCKfM+U1CkmxFU………evv7Vtn681A5UmUWQ=
    X-AspNet-Version: 4.0.30319
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 7267

    <html>
     <head>
      <title>The remote server returned an error: (401) Unauthorized.</title>

    Thursday, March 13, 2014 2:02 PM

All replies

  • Hi,

    >>The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.  But it works from my local machine when calling the same wcf service.

    ClientCredentialType=Windows makes the authentication header "Negotiate", which isn't quite enough for it to work with "Negotiate, NTLM", please try to set the following:

    client.ClientCredentials.Windows.AllowNTLM = True

    Which will add the necessary NTLM to your authentication header.

    If the above still can not help, please try to check this blog:
    http://www.steveburgess.net/2013/02/unhelpful-error-messages-the-authentication-header-received-from-the-server-was-negotiatentlm/ .

    Best Regards,
    Amy Peng


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Friday, March 14, 2014 2:58 AM
    Moderator
  • Thanks but that didn't work.  Anyway, I see

    System.ServiceModel.Security.WindowsClientCredential.AllowNtlm' is obsolete: 'This property is deprecated and is maintained for backward compatibility only. The local machine policy will be used to determine if NTLM should be used...

    Local Machine (Windows 8) to Windows 2003 (WCF Service Host) works fine.  When I call from Windows 2003 to a different 2003 server is the is issue.

    I went through this

    http://msdn.microsoft.com/en-us/library/ff650591.aspx

    step-by-step and played with turning impersonating off and on on both the client and service.  But when I deploy I get the same error.  Could Step 8 be causing the issue regarding Constrained Delegation?

    Friday, March 14, 2014 7:46 PM