SecurityNegotiationException thrown while trying to open the connection to the service

  • Question

  • I have a WCF service running on IIS 5.1 Windows XP machine and I am trying to connect to it on my website but I get an exception when trying to open the connection:

    System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
       at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
       --- End of inner exception stack trace ---

    Server stack trace:
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout)
       at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.ClientBase`1.System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.ClientBase`1.Open()
       at BMOCMWeb.Login.Page_Load(Object sender, EventArgs ex) in C:\Documents and Settings\obryukha\My Documents\Projects\BMOCM-Analytics\BMOCM-Website\BMOCM-Website\Login.aspx.cs:line 18

    The service is running properly (I have successfully tried requesting the service .svc page remotely). I am using wsHttpBinding as I need the security for my Login page. My set up of the client is the following:

        <client>
          <endpoint address="http://pc70204017.ibg.adroot.bmogc.net/DatabaseServices/DataProviderServiceLibrary.SapphireDataService.svc"
            binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ISapphireDataService"
            contract="DataServiceReference.ISapphireDataService" name="WSHttpBinding_ISapphireDataService">
            <identity>
              <dns value="localhost" />
            </identity>
          </endpoint>
          <endpoint address="http://pc70204017.ibg.adroot.bmogc.net/DatabaseServices/DataProviderServiceLibrary.SecurityService.svc"
            binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ISecurityService"
            contract="SecurityService.ISecurityService" name="WSHttpBinding_ISecurityService">
            <identity>
              <dns value="localhost" />
            </identity>
          </endpoint>
        </client>
    Friday, September 11, 2009 8:43 PM

Answers

  • Hi Alex,

    As you mentioned that your ASP.NET web application calls the WCF service (which requires the client to supply Windows credentials), how did your WCF client supply the credential?

    By default, if your WCF client proxy doesn't explicitly supply the Windows credentials (on the proxy object's Credentials property), it will use the current thread's security account. When you use the Visual Studio test server to run the ASP.NET site, the current executing account is your logon user account, but when you move it into the IIS server, it is the IIS worker process account. I think the problem is likely that the IIS worker process account (for IIS 6 or higher, that is the application pool identity) is not able to be passed to the WCF service.

    If you didn't originally supply Windows credentials, you can try explicitly supplying one as below:

    using System.Net; // NetworkCredential

    CalcServiceClient client = new CalcServiceClient();
    client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("username", "password");

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Thursday, September 17, 2009 7:21 AM
    Moderator
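The identity mismatch this answer describes, as an added example that is not code from the original thread: a helper for the ASP.NET side that records which Windows account the proxy would present by default and, where the web application cannot run under a suitable domain account, supplies an explicit credential read from configuration instead of hard-coding it. The proxy class SecurityServiceClient, the appSettings keys and the use of the posted endpoint name are assumptions.

```csharp
// Added example (not from the original thread). Assumes a svcutil-generated proxy
// SecurityServiceClient for ISecurityService, using the endpoint name from the posted
// client config; the appSettings keys below are hypothetical.
using System;
using System.Configuration;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class SecurityServiceCaller
{
    // The account the proxy presents when no credential is set explicitly.
    // Under the Visual Studio test server this is the logged-on developer;
    // under IIS it is the worker process (application pool) account, which is
    // the account the service actually tries to authenticate.
    public static string DefaultCallerIdentity()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    public static SecurityServiceClient CreateClient()
    {
        SecurityServiceClient client =
            new SecurityServiceClient("WSHttpBinding_ISecurityService");

        // Option A (preferred): leave ClientCredential unset and run the IIS worker
        // process as a domain account the service's domain can authenticate.
        // Option B (the answer's suggestion): supply a credential explicitly. Read it
        // from configuration rather than embedding it in source.
        string user = ConfigurationManager.AppSettings["ServiceUser"];         // hypothetical key
        string domain = ConfigurationManager.AppSettings["ServiceDomain"];     // hypothetical key
        string password = ConfigurationManager.AppSettings["ServicePassword"]; // hypothetical key
        if (!string.IsNullOrEmpty(user))
        {
            client.ClientCredentials.Windows.ClientCredential =
                new NetworkCredential(user, password, domain);
        }

        // Least privilege: the service only needs to know who is calling, so do not
        // hand it a token it could use to impersonate or delegate.
        client.ClientCredentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Identification;
        return client;
    }

    // Which identity the negotiation will carry: the explicit one if set, else the
    // process identity. This is the fact the posted stack trace does not show.
    public static string OfferedIdentity(SecurityServiceClient client)
    {
        NetworkCredential cred = client.ClientCredentials.Windows.ClientCredential;
        if (string.IsNullOrEmpty(cred.UserName))
        {
            return DefaultCallerIdentity() + " (process identity)";
        }
        return cred.Domain + "\\" + cred.UserName + " (explicit credential)";
    }

    // Opens the channel and, on failure, reports the SSPI fault together with the
    // identity that was offered, so the log explains why the service said no.
    public static string OpenOrExplain()
    {
        SecurityServiceClient client = CreateClient();
        string offered = OfferedIdentity(client);
        try
        {
            client.Open();
            client.Close();
            return "opened as " + offered;
        }
        catch (SecurityNegotiationException ex)
        {
            client.Abort(); // channel is faulted; Close() would throw and hide the cause
            FaultException fault = ex.InnerException as FaultException;
            return string.Format("negotiation failed for {0}: {1}",
                offered, fault != null ? fault.Message : ex.Message);
        }
    }
}
```

Log OpenOrExplain() once from the deployed site: if the offered identity is the worker process account (ASPNET on IIS 5.1, the application pool identity on IIS 6 and later) rather than a domain account the service can authenticate, that is the failing negotiation. Prefer changing the worker process account over storing a password; if a password must live in web.config, encrypt that section with aspnet_regiis -pe so it is not in clear text. Identification-level impersonation is enough for a service that only authenticates callers; raise it only if the service is configured to impersonate the caller for its own operations.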

All replies

  • Turn on WCF tracing on the server to see the exact error.
    You did not publish the binding configuration. For Windows authentication (the default) the machines are probably not on the same domain. For X.509 certificates the client certificate is probably not valid on the server.

    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    Friday, September 11, 2009 9:24 PM
  • Hi,
       It was an error caused by failed client authentication.
       Your client should supply the right user token.
       I have no idea about your security mode, Message or Transport,
       and what is your client credential mode? Username? Certificate? Or some other?

       I got the same error when I tried to use WCF Transport mode with Certificate client credentials using wsHttpBinding.

       I fixed it by setting the client to trust the server certificate:
       you can take a try:

       1) To work with certificates, it is often necessary to view them and examine their properties. This is easily done with the Microsoft Management Console (MMC) snap-in tool. For more information, see How to: View Certificates with the MMC Snap-in. Additional how-to documents for using the tool can be found in Httpcfg Overview.
       2) Export your client certificate to a .pfx file with private key;
       3) Import your client certificate into LocalMachine: My, Trusted People and Trusted CA from the pfx file (so the server can validate the client);
       4) Repeat steps 2 and 3 above for the server certificate: import it into the client's CurrentUser: My, Trusted People and Trusted CA. Then the client can trust the server certificate.

       Regards
    Frank Xu Lei -- Stay hungry, stay foolish
    Focus on Distributed Applications Development and EAI based on .NET
    Welcome to Lao Xu's Chinese Technical Blog
    Welcome to Microsoft Chinese WCF Forum
    Welcome to Microsoft English WCF Forum
    Saturday, September 12, 2009 11:46 AM
  • Sorry, here's the binding information.

    <wsHttpBinding>
            <binding name="WSHttpBinding_ISapphireDataService" closeTimeout="00:01:00"
              openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
              bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
              maxBufferPoolSize="524288" maxReceivedMessageSize="5242880"
              messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
              allowCookies="false">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <reliableSession ordered="true" inactivityTimeout="00:10:00"
                enabled="false" />
              <security mode="Message">
                <transport clientCredentialType="Windows" proxyCredentialType="None"
                  realm="" />
                <message clientCredentialType="Windows" negotiateServiceCredential="true"
                  algorithmSuite="Default" establishSecurityContext="true" />
              </security>
            </binding>
            <binding name="WSHttpBinding_ISecurityService" closeTimeout="00:01:00"
              openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
              bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
              maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
              textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <reliableSession ordered="true" inactivityTimeout="00:10:00"
                enabled="false" />
              <security mode="Message">
                <transport clientCredentialType="Windows" proxyCredentialType="None"
                  realm="" />
                <message clientCredentialType="Windows" negotiateServiceCredential="true"
                  algorithmSuite="Default" establishSecurityContext="true" />
              </security>
            </binding>
          </wsHttpBinding>
    Also, I'm rather new to the service security so any articles on that topic would be greatly appreciated. Thanks!
    Monday, September 14, 2009 1:55 PM
  • For Windows authentication the machines should be on the same domain.
    http://webservices20.blogspot.com/
    WCF Security, Performance And Testing Blog
    Monday, September 14, 2009 4:48 PM
  • UPDATE: I thought maybe if I provide more details into my situation, it may point to some suggestions/fixes.

    I am running an ASP.Net website which logs in the user by calling a wcf service on a different server for authentication. My current set up is that both of these servers are on the same network and both IIS run under my login where I am a local administrator of both PCs.

    When I run the webapp from Visual Studio, everything works great. The same application, when published to IIS location, doesn't and I get the following error:

    The request for security token could not be satisfied because authentication failed.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [FaultException: The request for security token could not be satisfied because authentication failed.]
       System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target) +11286289
       System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState) +49
    
    [SecurityNegotiationException: The caller was not authenticated by the service.]
       System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +7594687
       System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +275
       System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout) +0
       System.ServiceModel.ClientBase`1.System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout) +117
       System.ServiceModel.ClientBase`1.Open() +38
       WebApplication1._Default.login(Object sender, EventArgs e) in C:\Documents and Settings\obryukha\My Documents\Projects\WebApplication1\WebApplication1\Default.aspx.cs:17
       System.Web.UI.WebControls.Button.OnClick(EventArgs e) +111
       System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +110
       System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
       System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
       System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +36
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1565
    


    A simple console application that does the same (calls a remote WCF service to authenticate a user) works perfectly when deployed on the same machine as the web application. The configurations are the same in both cases (copy/pasted) but one works and the other doesn't. Is this a WCF issue or some sort of odd IIS permissioning/set-up problem?
    Monday, September 14, 2009 5:15 PM