The request for security token could not be satisfied because authentication failed.

  • Question

  • Hello

    Can anybody throw some light on this? I have not been able to find the exact solution for quite a few days.

    I am consuming a web service which is hosted in different domain than my consumer.

    I am using windows authentication and providing username password and domain on the proxy.

    But it throws 

    System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. 

    The request for security token could not be satisfied because authentication failed.

    Please, if anybody has any idea... I searched through many forums and they suggest using basicHttpBinding with no security, which is not an option for me.

    Thursday, May 5, 2016 10:52 PM

All replies

  • I am consuming MS SCOM OMCF web service. The client and server both are on different domains. I am using windows authentications.

    Below is my app.config file:

    <system.serviceModel>
          
            <bindings>
                <wsHttpBinding>
                 
                    <binding name="WSHttpBinding_IConnectorFramework" closeTimeout="00:01:00"
                        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                        bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                        maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                        messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
                        allowCookies="false">
                      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                          maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                      <reliableSession ordered="true" inactivityTimeout="00:10:00"
                          enabled="false" />
                      <security mode="Message">
                        <transport clientCredentialType="Windows" proxyCredentialType="None"
                            realm="" />
                        <message clientCredentialType="Windows" negotiateServiceCredential="true"
                            algorithmSuite="Default" establishSecurityContext="true" />
                      </security>
                    </binding>
              
                </wsHttpBinding>
            </bindings>
            <client>
                <endpoint address="http://10.12.1.233:22222/ConnectorFramework?wsdl"
                    binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IConnectorFramework" contract="OMCFServiceReference.IConnectorFramework"
                    name="WSHttpBinding_IConnectorFramework">
                    <identity>
                        <servicePrincipalName value="Host/xyz.com" />
                    </identity>
                </endpoint>
            </client>
          
        </system.serviceModel>

    I am passing user name, password and domain using the credentials on the proxy.

    But I am getting exception:

    System.ServiceModel.Security.SecurityNegotiationException was unhandled
      HResult=-2146233087
      Message=The caller was not authenticated by the service.
      Source=mscorlib

     InnerException: System.ServiceModel.FaultException
           HResult=-2146233087
           Message=The request for security token could not be satisfied because authentication failed.
           Source=System.ServiceModel

    Can anybody suggest anything? Thanks in advance.

    Wednesday, May 4, 2016 8:27 PM
  • Hello,

    Windows Authentication works when the service and client are in the same domain or in trusted domains. So in order to use Windows authentication across two different domains, you need to configure the two domains to trust each other. For how to configure domain trusts, please check the following article:
    #Domain Trust:
    http://technet.microsoft.com/en-us/library/cc961481.aspx .

    Besides, you can also use other authentication mechanisms instead of Windows authentication for cross-domain scenarios, for example certificate authentication and username authentication. For more information, please refer to:
    #Certificate authentication in WCF:
    https://msdn.microsoft.com/en-us/library/ff648360.aspx .

    #Username authentication in WCF:
    https://msdn.microsoft.com/en-us/library/ff648840.aspx .

    Best Regards,
    Amy Peng





    Friday, May 6, 2016 4:12 AM
    Moderator
  • For me the users are in Active Directory. In that case can I still use Username Authentication? Because it uses the SQL Server membership provider to create the user store. So does that mean I have to create a user store using the SQL Server membership provider for the users located in Active Directory?


    Just now I see there is ActiveDirectoryMembershipProvider. Do I need to use that since my users are in Active Directory? Or should I still be using the SQL Server membership provider?


    Also, is the SQL Server membership provider restricted to ASP.NET or can it be used with C#.NET also?
    • Edited by KadamSwati Friday, May 6, 2016 8:46 PM
    Friday, May 6, 2016 6:49 PM
  • I looked through the links below to see wcf authentication against active directory.

    https://msdn.microsoft.com/en-us/library/ff649763.aspx#Authentication3

    https://msdn.microsoft.com/en-us/library/ff649763.aspx#Authentication3

    It gives 3 options: Windows, Basic and Username.

    Windows I can't use because of cross-domain.

    Basic authentication maps to users in Active Directory.

    Username authentication maps against users in the user store. And it should be used if users are not already in Active Directory.

    Does that mean the best option for me would be to go with basic authentication?


    • Edited by KadamSwati Friday, May 6, 2016 9:36 PM
    Friday, May 6, 2016 9:34 PM
  • Hello,

    >>Does that mean the best option for me would be to go with basic authentication?

    Yes, you are right, in your scenario the basic authentication might be the best option for you to map the user in the Active Directory.

    Best Regards,
    Amy Peng



    Tuesday, May 10, 2016 5:13 AM
    Moderator
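
Added example, not part of the thread and not the poster's or Microsoft's configuration: a client-side `wsHttpBinding` using Basic authentication, as discussed above, in place of the Windows/Message negotiation from the posted app.config. It assumes the service exposes an HTTPS endpoint with a matching binding; the host name and the `_Basic` binding name are placeholders.

```xml
<!-- Added example. Assumption: the service side offers an HTTPS endpoint
     with a matching Basic-over-transport binding. The address below is a
     placeholder, not the service from the thread. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="WSHttpBinding_IConnectorFramework_Basic">
        <!-- mode="Transport": TLS protects the whole channel.
             HTTP Basic sends the user name and password merely
             base64-encoded, so it must not be used over plain http. -->
        <security mode="Transport">
          <!-- Basic: the server validates the supplied account
               (DOMAIN\user) itself, so no Kerberos/NTLM negotiation
               between the client's domain and the service's domain
               is required. -->
          <transport clientCredentialType="Basic"
                     proxyCredentialType="None" realm="" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <!-- The address is the service endpoint over https, not the ?wsdl
         metadata URL. No servicePrincipalName identity element is
         needed because no Windows negotiation takes place. -->
    <endpoint address="https://service.example.com/ConnectorFramework"
              binding="wsHttpBinding"
              bindingConfiguration="WSHttpBinding_IConnectorFramework_Basic"
              contract="OMCFServiceReference.IConnectorFramework"
              name="WSHttpBinding_IConnectorFramework_Basic" />
  </client>
</system.serviceModel>
```

With this binding the client supplies the account through `ClientCredentials.UserName` (user name in `DOMAIN\user` form) rather than `ClientCredentials.Windows`, and the client must trust the service's TLS certificate.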