the remote server did not satisfy the mutual authentication requirement wcf

  • Question

  • I am trying to call a WCF service from an MVC application using C#. I am using Windows authentication for MVC and for my service. I have to impersonate the original caller within the service to make a request to the CRM Service, which needs the authenticated user.

    I am able to call the service and able to impersonate the user with no errors for the first service call. But I am receiving the error "the remote server did not satisfy the mutual authentication requirement" for the second service call at the client side, even though the service method is getting called and executed, and impersonation is working as well without any problem. For the third service call there is no error again, and on the next call the error appears again. This is strange to me.

    The following is the config and code:

    I am using basicHttpBinding with the following configuration at the server (service) side:

    <binding name="BasicHttpBinding" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00"
             sendTimeout="00:10:00" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647"
             messageEncoding="Text" transferMode="Buffered">
      <readerQuotas maxDepth="40" maxStringContentLength="2147483647" maxArrayLength="2147483647"
                    maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows">
          <extendedProtectionPolicy policyEnforcement="WhenSupported" />
        </transport>
      </security>
    </binding>

    The service behaviour setting I am using at the service (server) is as follows:

    <serviceBehaviors>
      <behavior name="ServiceBehaviour">
        <dataContractSerializer maxItemsInObjectGraph="100000" />
        <serviceMetadata httpGetEnabled="true" />
        <serviceCredentials>
          <windowsAuthentication includeWindowsGroups="false" allowAnonymousLogons="false" />
        </serviceCredentials>
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceAuthorization impersonateCallerForAllOperations="true" />
      </behavior>
    </serviceBehaviors>


    The endpoint at the service (server) side is:

    <service behaviorConfiguration="ServiceBehaviour" name="InvoiceService">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding" contract="IInvoiceService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>

    I have added this attribute to the service method:

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]

    I implemented impersonation using the Windows identity as follows within the service method:

    WindowsIdentity identity = ServiceSecurityContext.Current.WindowsIdentity;
    using (identity.Impersonate())
    {
        // implementation
    }

    At the client side I have:

    var endPoint = new EndpointAddress("service uri");
    var binding = GetBinding();
    ChannelFactory<T> factory = new ChannelFactory<T>(binding, endPoint);
    factory.Credentials.Windows.AllowedImpersonationLevel =
        System.Security.Principal.TokenImpersonationLevel.Delegation;
    factory.Credentials.Windows.AllowNtlm = false;
    T proxy = factory.CreateChannel();

    The GetBinding method returns:

    BasicHttpBinding basicBinding = new BasicHttpBinding();
    basicBinding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
    basicBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
    basicBinding.MaxReceivedMessageSize = 2147483647;
    return basicBinding;

    I have set AllowNtlm = false because I want to use Kerberos, as I want to delegate.

    In IIS for the Service:

    App pool -> Advanced Settings -> Under Process model -> Identity=NetworkService

    Only Windows Authentication and ASP.NET Impersonation are enabled; all others are disabled.

    Extended protection setting is set to Accept.

    useAppPoolCredentials=true, authPersistNonNTLM= false, authPersistSingleRequest=false,useKernelMode=true

    Enabled providers are NTLM, Negotiate. 

    For My MVC application:

    App pool -> Advanced Settings -> Under Process model -> Identity=NetworkService

    Only Windows Authentication and ASP.NET Impersonation are enabled; all others are disabled.

    Extended protection setting is set to Accept.

    useAppPoolCredentials=true, authPersistNonNTLM= false, authPersistSingleRequest=false,useKernelMode=true

    Enabled providers are NTLM, Negotiate. 

    Please help me.
    • Edited by ramu466 Friday, May 30, 2014 8:13 AM
    Friday, May 30, 2014 7:55 AM

Answers

  • Hi,

    From your description, I see that you have set AllowNtlm = false, but for some reason you still get the error message "The remote server did not satisfy the mutual authentication requirement."; it seems that Kerberos does not work. Please try to check the following:

    For Kerberos to work, we need the following conditions to be true:

    1) Both parties support Kerberos (all supported versions of Windows support Kerberos today)

    2) Machines authenticate to Active Directory

    3) Service Principal Names (SPNs) need to be registered for the server endpoint. An SPN is just an endpoint that Kerberos will connect to; it needs this data to support mutual authentication.

    If any of the steps above are not true, then Windows will usually default to NTLM.

    Also please try to check the following article for debugging.
    #Debugging Windows Authentication Errors:
    http://msdn.microsoft.com/en-us/library/bb463274.aspx

    Besides, the following article can also help you, please try to check it:
    #The remote server did not satisfy the mutual authentication requirement:
    http://blogs.msdn.com/b/tiche/archive/2011/07/13/wcf-on-intranet-with-windows-authentication-kerberos-or-ntlm-part-1.aspx

    Best Regards,
    Amy Peng

    Monday, June 2, 2014 1:54 AM
    Moderator
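Added example, not code from the original thread: a service-side guard that checks, before the impersonated CRM call, whether the caller's token actually carries Kerberos delegation rights. The answer above notes that Windows silently falls back to NTLM when an SPN is missing; an NTLM token is at most Impersonation level, so the second hop to CRM cannot run as the user. The class name `CallerAuthCheck` is an assumption, and on IIS-hosted services `WindowsIdentity.AuthenticationType` may read "Negotiate" rather than "Kerberos", so the hard gate is the impersonation level.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical helper (not part of the original service): verifies that the
// caller authenticated in a way that allows delegation to CRM, and fails
// loudly with a diagnostic fault instead of a confusing downstream error.
public static class CallerAuthCheck
{
    // Returns a short description of the caller's token on success, or
    // throws a FaultException explaining why delegation cannot work.
    public static string EnsureKerberosDelegation(WindowsIdentity identity)
    {
        if (identity == null || identity.IsAnonymous)
            throw new FaultException("Caller is not Windows-authenticated.");

        // "Kerberos" or "NTLM" for a token-derived identity; IIS may report
        // "Negotiate" (assumption), so this value is logged, not gated on.
        string authType = identity.AuthenticationType;
        bool ntlm = string.Equals(authType, "NTLM", StringComparison.OrdinalIgnoreCase);

        // The token level is what actually decides whether the service can
        // call CRM as the user: anything below Delegation means the double
        // hop will fail or silently run as the app pool identity.
        TokenImpersonationLevel level = identity.ImpersonationLevel;

        if (ntlm || level < TokenImpersonationLevel.Delegation)
        {
            throw new FaultException(string.Format(
                "Delegation not possible for {0}: authType={1}, impersonationLevel={2}. " +
                "Check SPN registration for the service and whether NTLM fallback occurred.",
                identity.Name, authType, level));
        }

        return string.Format("{0} via {1}, level {2}", identity.Name, authType, level);
    }
}

// Usage inside the service operation, before the impersonated CRM call:
//   WindowsIdentity identity = ServiceSecurityContext.Current.WindowsIdentity;
//   string callerInfo = CallerAuthCheck.EnsureKerberosDelegation(identity);
//   using (identity.Impersonate()) { /* call CRM as the original user */ }
```

Logging the returned string on every call makes the alternating Kerberos/NTLM pattern described in the question visible in the service log rather than only as a client-side exception.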

All replies

  • Hello,

    I have the problem, too.

    My Kerberos configuration is valid.

    How did you solve your problem?

    EDIT:

    Now it works. I had to set:

    system.webServer/security/authentication/windowsAuthentication/authPersistNonNTLM = False


    • Edited by Philip Sz Wednesday, March 15, 2017 2:58 PM Problem solved
    Tuesday, March 14, 2017 8:07 PM