401 error with NTLM and SSL

  • Question

  • Hi there

    We have curious behaviour with one server's WCF:

    • If we run the webservice SVC test directly - error as follows:

    ************** Exception Text **************
    System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---

    • Now, if we browse in IE to the SVC and provide credentials (the same creds the webservice uses) – after that running the SVC call test works from the separate test application.
    • If we then change the creds in the test application to incorrect creds, it fails (so it's not cached; it's using the creds passed).
    • If we then set the creds back to the correct values, it works again, seemingly until the web app gets restarted (in the morning for example it doesn't work as it needs to spin up again).

    With the same setup as far as I can see - this works fine on the TEST environment; but on DEV we have the above behaviour.

    We have the same web.config setup for the WCF service and the same (as far as I can tell) web.config hosting the overall Web Application.

    We are using NTLM for the web app; and the following WCF Web.Config:

    <configuration>
      <!-- ASP.NET configuration -->
      <system.serviceModel>
        <behaviors>
          <serviceBehaviors>
            <behavior name="basicHttpBinding">
              <serviceMetadata httpsGetEnabled="true" httpGetEnabled="true" />
              <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
              <serviceDebug includeExceptionDetailInFaults="true"/>
              <serviceThrottling maxConcurrentCalls="500" maxConcurrentSessions="500" maxConcurrentInstances="500"/>
              <useRequestHeadersForMetadataAddress />
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <services>
          <service behaviorConfiguration="basicHttpBinding" name="xx.xx.xxxx.xxxx.CRMInterface">
            <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding" contract="xx.xx.xxxx.xxxx.ICRMInterface"/>
          </service>
        </services>
        <bindings>
          <basicHttpBinding>
            <binding name="basicHttpBinding" maxReceivedMessageSize="2147483647" maxBufferPoolSize="2147483647" >
              <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
              <security mode="Transport">   
                <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
      </system.serviceModel>
    </configuration>

    I think that web.config is fine; and the code is fine (it works fine on a different server, also set up with NTLM and SSL) - and the files are all there (as it works after a login through IE) - I can't see what else may be involved that would cause this behaviour?

    Any ideas would be greatly appreciated!!

    Thanks

    David

    Wednesday, August 23, 2017 7:03 AM

All replies

  • Hi David,

    Could you help to clarify the points below?

    1. >>If we run the webservice SVC test directly

    Is this svc test WCF Test Client or anything else?

    2. >> after that running the SVC call test works from the separate test application.

    What is this test application?

    3.>> seemingly until the web app gets restarted

    What is this web app? Is it WCF Service or test application in Point 2?

    4. Do you implement the WCF Service from a web application? If so, what code did you use? Did you pass the credential to the client?

    It would be helpful if you could share with us a simple project and detailed steps which could reproduce your issue.

    Best Regards,

    Edward


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, August 24, 2017 2:01 AM
  • Hi Edward

    Apologies if it wasn't clear.

    1) I have a small test Winforms app that calls that webservice, passing in credentials; using the generated proxy for that address

    2) This is the same Winforms test application

    3) The WebApp is the hosted WebApplication in IIS - the Web Application where the webservice is hosted

    4) The specific webmethod is very simple; the method contents are empty in fact - so nothing in there that can cause an error.

    The calling code is quite simple as well (as noted, once I have signed in on IE with the SAME account as I am trying to use here, then even if the IE is closed, the below seems to work all day long; until the next morning when I assume an IIS recycle gets done):

        // Requires: using System.Net; using System.ServiceModel;
        // HTTPS transport security with NTLM as the client credential type.
        BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
        binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.None;

        EndpointAddress address =
            new EndpointAddress("https://xxx.xxx.xxxx.x.xxx/CRMInterface.svc");

        // Generated proxy; the explicit account below is what gets sent for NTLM.
        var c = new ComplaintsDev.CRMInterfaceClient(binding, address);
        c.ClientCredentials.Windows.ClientCredential = new NetworkCredential("accountname", "passwordvalue", "domainvalue");

    Thanks!! David

    Thursday, August 24, 2017 5:34 AM
  • Hi David,

    Could you share with us the complete steps to reproduce your issue?

    Based on your description, it seems you create a web application, add a WCF Service to this web application and then call this WCF Service from a WinForms client.

    If so, how did you enable NTLM for the web app? According to the WCF Web.config, you only enable Transport security with None clientCredentialType, which means it only achieved HTTPS. It did not set Windows authentication for the WCF Service.

    Do you mean you only set Windows authentication in IIS for the web application?

    If you could share with us the detailed steps, we will try to make a test by following your steps.

    Best Regards,

    Edward



    Friday, August 25, 2017 5:28 AM
  • Hi Edward

    Detailed below is the IIS setup (please see image below).

    While I didn't want to cloud the issue - as this appears to be a pure low-level issue (and it works on other environments fine) - but the webservice itself is hosted in SharePoint - along the lines of:

    https://mydevenvirobnment.org.uk/_vti_bin/ABCD/SOAP/CRMInterface.svc

    As noted - it's accessible browsing to it in IE - issue is purely when calling to the SVC from outside without signing in directly before.

    Any thoughts welcome!!

    Thanks

    David

    Friday, August 25, 2017 8:19 AM
  • Hi David,

    >> and it works on other environments fine

    What do you mean by it works on other environments? Do you mean this issue only happens while hosting in SharePoint?

    Is the SharePoint site on SharePoint Online or on-premises? Must you host the service under _vti_bin? If it is hosted under a normal IIS web application, will it work?

    If you must host under the SharePoint address and it only throws the error under the SharePoint address, it seems to be related to SharePoint, and I would suggest you go to the forum below for help.

    https://social.msdn.microsoft.com/Forums/office/en-US/home?forum=sharepointdevelopment

    Best Regards,

    Edward



    Monday, August 28, 2017 3:38 AM
  • Hi Edward

    By Another Environment I mean it works fine on the TEST and PROD environments; both with the same web.config setups, and the same calling code, and both in the same location within SharePoint.

    Which leads me to think there is something low-level in IIS or at machine-level that could come into play.

    Thanks

    David

    Monday, August 28, 2017 5:54 AM
  • Hi David,

    >> Which leads me to think there is something low-level in IIS or at machine-level that could come into play

    To check whether it is related to IIS settings, could you try to deploy the service under IIS Sites->Default Web Site instead of the SharePoint location?

    If it did not work, it would be helpful if you could share with us the error message and the detailed steps you used to publish.

    Best Regards,

    Edward



    Monday, August 28, 2017 8:22 AM
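
One way to compare what IIS challenges with on DEV and TEST, outside WCF: request the .svc once anonymously and once with an explicit NTLM credential, and record the status and `WWW-Authenticate` schemes each time. This is an added example, not code from the thread; `Get-SvcAuthProbe` and the `example.invalid` URLs are placeholders, and it assumes Windows PowerShell on a machine that can reach both servers.

```powershell
# Added diagnostic example; Get-SvcAuthProbe and the URLs below are hypothetical.
# Make sure TLS 1.2 is offered alongside whatever this host already allows.
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

function Get-SvcAuthProbe {
    param(
        [Parameter(Mandatory)][string]$Url,
        [System.Management.Automation.PSCredential]$Credential
    )
    $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.UseDefaultCredentials = $false   # never send the logged-on user's identity
    if ($Credential) {
        # Offer the explicit account for NTLM only, as the WCF client in the thread does.
        $cache = New-Object System.Net.CredentialCache
        $cache.Add([Uri]$Url, 'NTLM', $Credential.GetNetworkCredential())
        $req.Credentials = $cache
    }
    try {
        $resp = $req.GetResponse()
    } catch {
        # PowerShell may wrap the WebException; walk down to it to reach the 401 response.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }
        $resp = $ex.Response
    }
    try {
        [pscustomobject]@{
            Url        = $Url
            Mode       = if ($Credential) { 'explicit NTLM credential' } else { 'anonymous' }
            Status     = [int]$resp.StatusCode
            Challenges = @($resp.Headers.GetValues('WWW-Authenticate')) -join ' | '
            Server     = $resp.Headers['Server']
        }
    } finally {
        $resp.Close()
    }
}

$cred = Get-Credential   # the account the WinForms client passes
foreach ($u in 'https://dev.example.invalid/CRMInterface.svc',
               'https://test.example.invalid/CRMInterface.svc') {
    Get-SvcAuthProbe -Url $u
    Get-SvcAuthProbe -Url $u -Credential $cred
}
```

A difference between the two environments in the anonymous row (schemes offered) or in the credentialed row (401 versus 200) separates an IIS or machine-level authentication difference from anything in the WCF binding.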