Ok, I've read every thread & question I can find with this error and surprisingly have not found a solution. I'm trying to require Windows authentication on my IIS hosted WCF service (.NET 4.0) which, until now, has been optional. I have had a Windows authentication enabled endpoint available on the server for a while with several remote applications successfully using it. I'm now trying to switch our web applications and other server apps that use the WCF service over to this secured endpoint by giving them the exact same client configuration as the working remote clients, but the server apps are receiving a 401 with the message:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.]
I have Anonymous and Windows authentication enabled for the WCF hosting site. The web application I've started with is hosted on a different server than the WCF service and is running on ASP.NET 2.0 and Windows Server 2008 R2 Enterprise. I have both created a client behavior with allowNtlm and set the NetworkSecurity: LAN Manager authentication level to Send LM & NTLM... on the client end. On the hosting end, it is set to Send NTLMv2 Response Only...I don't know if that affects how the server/service handles authentication. I've also tried setting allowedImpersonationLevel to Impersonation on the client which, thankfully, didn't work (because impersonation shouldn't be necessary). We seem to get the same result for a Windows service and console app running on the same server as the web app.
Here is my server config:
<binding name="WindowsSecuredBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
...
<service behaviorConfiguration="OMWebServices.QueueServiceBehavior"
name="OMWebServices.QueueService">
<endpoint address="" binding="basicHttpBinding" name="QueueEndpoint"
bindingName="" contract="OMWebServices.IQueueService" />
<endpoint binding="basicHttpBinding" bindingConfiguration="WindowsSecuredBinding"
name="QueueSecuredEndpoint" contract="OMWebServices.IQueueService" />
<endpoint address="mex" binding="mexHttpBinding" name="QueueMetadataEndpoint"
contract="IMetadataExchange" />
</service>
...
<behavior name="OMWebServices.QueueServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
And here is the client config:
<endpoint address="https://.../QueueService.svc" binding="basicHttpBinding" bindingConfiguration="QueueSecuredEndpoint" behaviorConfiguration="OMServiceBehavior" contract="OMQueueService.IQueueService" name="QueueSecuredEndpoint" />
<binding name="QueueSecuredEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
....
<!-- The behavior I tried that didn't make a difference -->
<behavior name="OMServiceBehavior">
<clientCredentials>
<windows allowedImpersonationLevel="Impersonation" allowNtlm="True"/>
</clientCredentials>
</behavior>
My first question is, what is this error message really telling me? It says the client scheme is Negotiate and the server's responding with Negotiate,NTLM. If the server offers Negotiate and and client is using Negotiate, what's the problem?
Second question is, obviously, what's wrong and how do I make it work?
EDIT
Well this is stupid. The problem seems to be there are no credentials being passed. Way back when the web site was in development, I started writing code to explicitly set the credentials in code, but in the process, found that it was already working without explicitly setting them. So that code has remained commented out. This was running on IIS 6. Now running on IIS 7, it seems to only work if I explicitly set the credentials in my code. Can I get it automatically using the w3wp process' account?
To answer the first question, the error message is telling me exactly what it says; I'm not authorized. The line telling me the client authentication scheme and server header is just extra info, not an indication of a conflict. It's actually confirmation that the configuration is correct.
In the staging environment, the problem is being masked because the WCF service and the web application are hosted on the same server. The problem is the web app's site is configured to use IUSR (or IUSR_Server), a local account, for anonymous users by default. This is the user that is being passed (which I believe is equal to CredentialCache.DefaultNetworkCredentials). When they're on different servers, WCF on server 2 obviously can't authenticate a server 1 user. The solution is in IIS, right click Anonymous Authentication > Edit...> check Application pool identity (which is a domain account in my case) or enter a domain account for Specific user.
It just means your client and server are using different authentication scheme.
In your client config, you've set up a
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
and a message security
<message clientCredentialType="UserName" algorithmSuite="Default" />
So you might be getting errors because of this. These links might help you.
Ch. 7 Message and Transport Security
security of basicHttpBinding
Also, in your client config
<endpoint address="https://.../QueueService.svc" binding="basicHttpBinding" bindingConfiguration="QueueSecuredEndpoint" behaviorConfiguration="OMSServiceBehavior" contract="OMQueueService.IQueueService" name="QueueSecuredEndpoint" />
Change the behaviorConfiguration from behaviorConfiguration="OMSServiceBehavior"
to behaviorConfiguration="OMWebServices.QueueServiceBehavior"
Also did you try to use TransportCredentialOnly? If not, it might be good to try this http://msdn.microsoft.com/en-us/library/ff648505.aspx
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
My problem with this error was not config related but specific to
a WCF Service calling another on the same machine.
Because this affected a fleet of new servers that were partly provisioned through a C# console app, I solved it by executing code like this through the affected servers:
const string userRoot = "HKEY_LOCAL_MACHINE";
const string subkey = #"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0";
const string keyName = userRoot + #"\" + subkey;
Registry.SetValue(keyName, "BackConnectionHostNames", hostnamesOnServer.ToArray(), RegistryValueKind.MultiString);
Reboot wasn't required on Windows Server 2012.
This can also apparently be an issue with your credentials not being passed correctly. I needed:
Client.ClientCredentials.Windows.ClientCredential.UserName = User;
Client.ClientCredentials.Windows.ClientCredential.Password = Password;
Instead of:
Client.ClientCredentials.UserName.UserName = User;
Client.ClientCredentials.UserName.Password = Password;
(Oddly, the second way worked once in a while for me, but not always.)
I was having exactly the same issue reported here. The AD account being used for credentials had had the password changed. Once I used the new password it started working.
This error is very misleading for an incorrect password situation.
Related
We are currently implementing WCF services in Sitecore to execute certain tasks. However we want to secure and authenticate these interactions to keep the Sitecore security model intact.
We use following configuration for the authentication (only relevant config and anonymised):
<service name="Services.MailService" behaviorConfiguration="serviceBehavior">
<endpoint address="" binding="wsHttpBinding" contract="Interfaces.IMailService"/>
</service>
<behavior name="serviceBehavior">
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Services.Authentication.CustomServiceAuthentication, MyLibrary" />
</serviceCredentials>
</behavior>
<wsHttpBinding>
<binding>
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
<transport clientCredentialType="None">
</transport>
</security>
</binding>
</wsHttpBinding>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true"/>
The custom validator inherits from UserNamePasswordValidator and logs the user in using the standard Sitecore.Security.Authentication.AuthenticationManager.Login() method. On this exact moment the user is indeed logged in and appears as Sitecore.Context.User. But when arriving in the WCF method itself this authentication is gone. (resulting in access exceptions from Sitecore as anonymous user does not have add item rights)
After a few tests and studying the interactions I noticed that the issue would be that WCF uses multiple messages and thus multiple HttpContext are being used. The cookies and login are not being retained between the requests. Looking deeper I noticed that the System.ServiceModel.ServiceSecurityContext.Current does retain the security login however it only shows up once entering the WCF method (ea it's not possible to use this in the Sitecore httpBeginRequest pipeline to identify and login the user at the UserResolver)
How can I ensure both asp.net and wcf are properly authenticated throughout the call?
In the end we ended up resolving this by including the following in the constructor of the service since our InstanceContextMode was set to PerCall:
// Handle login for Sitecore to sync with the WCF security context
if (ServiceSecurityContext.Current != null)
{
AuthenticationManager.Login(
string.Format("{0}\\{1}", "yoursitecoredomain", ServiceSecurityContext.Current.PrimaryIdentity.Name));
}
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="DataSoap" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="Transport" />
</binding>
</basicHttpBinding>
<customBinding>
<binding name="CustomBinding_GetData">
<binaryMessageEncoding />
<httpsTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://localhost/MyApp.Web/Webservice/Data.asmx"
binding="basicHttpBinding" bindingConfiguration="DataSoap"
contract="ServiceReference1.DataSoap" name="DataSoap" />
<endpoint address="https://localhost/MyApp.Web/Webservice/GetData.svc"
binding="customBinding" bindingConfiguration="CustomBinding_GetData"
contract="GetData.GetData" name="CustomBinding_GetData" />
</client>
</system.serviceModel>
Hello every one, above is my silverlight applications ServiceReferences.ClientConfig file. The site is configured to be accessed over https. From the above file, i would imagine i have everything configured correctly. I can browser to my service from local development environment successfully but after deploying the application in my QA environment, browing to the service gives me the error below.
Could not find a base address that matches scheme https for the endpoint with binding CustomBinding. Registered base address schemes are [http].
Any i dea why http is still being picked as the registered base address schemes only QA but not in my local development environment?.
EDIT:
#Brian, thanks for the reply, let me give you more information just in case it gives a much clear picture.
The site is configured for SSL, but the SSL certificate is installed on a load balancer which i have no access to.
Now from the error message, it would seem like i have to configure Host Headers and Secure Site Bindings in IIS, but can i really do this from IIS when the SSL certificate is installed and managed from the load balancer?
IT looks like the https binding are what is missing because i can reproduce the exact same error message from my development machine if i temporarily remove the https binding i created following this link.
http://weblogs.asp.net/scottgu/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.
So would i be right to think that i need that https binding on the load balancer rather than in IIS because the site has no SSL certificate of its own in IIS?
I ran into this problem. Basically, the URL identity associated with the certificate doesn't match the URL of the website from which it comes ... at least that was my problem.
I was able to work around this client-side security check by specifically setting (in code) the System.ServiceModel.EndPointIdentity to the URL I was connecting to.
There's a CreateDNSIdentity() function to which you give the URL of the website you're hitting.
Here's a link to the MS documentation: http://msdn.microsoft.com/en-us/library/system.servicemodel.endpointidentity.creatednsidentity(v=vs.110).aspx
I'm not sure how you'd configure this without using code.
String sFullURL = "http://MyDNSServer:8001/SomeService"
String sDNS = "MyDNSServer";
System.ServiceModel.EndpointAddress Endpoint;
System.ServiceModel.EndpointIdentity Identity = default (System.ServiceModel.EndpointIdentity);
Identity = System.ServiceModel.EndpointIdentity.CreateDnsIdentity(sDNS);
EndPoint = new System.ServiceModel.EndpointAddress(new Uri(sFullURL), Identity);
UPDATE
OK, so imagine you had a web service and the public address for this web service was IP https:// 10.134.116.161:8001/MyService. The certificate below would pass the client-side cert verification check and you would not get an error. But if this certificate shown in the picture below is deployed on public URL https:// XZYCorp:8001/MyService, you'll get that error. So you either need to override the client side cert verification check or change the cert on the LB.
We have working ASP.Net web application with WCF. wcf service hosted as a windows service. All is fine. Then we made a change so that service contract will have different namespace (From Namespace1.IserviceContract to Namespace2.IserviceContract). After the change we deployed to the server and getting following error when we try to instantiate the service object.
System.InvalidOperationException: An endpoint configuration section for contract 'Namespace2.IserviceContract' could not be loaded because more than one endpoint configuration for that contract was found. Please indicate the preferred endpoint configuration section by name.
Generated: Fri, 06 Jul 2012 21:02:56 GMT
System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.InvalidOperationException: An endpoint configuration section for contract 'Namespace2.IserviceContract' could not be loaded because more than one endpoint configuration for that contract was found. Please indicate the preferred endpoint configuration section by name.
at System.ServiceModel.Description.ConfigLoader.LookupChannel(String configurationName, String contractName, Boolean wildcard)
at System.ServiceModel.Description.ConfigLoader.LoadChannelBehaviors(ServiceEndpoint serviceEndpoint, String configurationName)
at System.ServiceModel.ChannelFactory.ApplyConfiguration(String configurationName, Configuration configuration)
at System.ServiceModel.ChannelFactory.ApplyConfiguration(String configurationName)
at System.ServiceModel.ChannelFactory.InitializeEndpoint(String configurationName, EndpointAddress address)
at System.ServiceModel.ChannelFactory`1..ctor(String endpointConfigurationName, EndpointAddress remoteAddress)
at System.ServiceModel.EndpointTrait`1.CreateSimplexFactory()
at System.ServiceModel.EndpointTrait`1.CreateChannelFactory()
at System.ServiceModel.ClientBase`1.CreateChannelFactoryRef(EndpointTrait`1 endpointTrait)
at System.ServiceModel.ClientBase`1.InitializeChannelFactoryRef()
at System.ServiceModel.ClientBase`1..ctor()
at TestApplication.ManagementWrapper.VerifyAuthentication(Int32 appId, String Token)
at TestApplication.VerifyAuthentication(String tokenstring)
we did a research about this issue and found that this type if exception shows up if we have two client endpoints defined in our web.config file. however we are certain that we have only one client endpoint defined. More over this exception shows up only in the server. local works fine. here is our service model:
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="NetTcpBinding_Management" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions" hostNameComparisonMode="StrongWildcard" listenBacklog="10" maxBufferPoolSize="4194304" maxBufferSize="2147483647" maxConnections="10" maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="32768" maxNameTableCharCount="2147483647" />
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
<security mode="None" />
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://servername:9010/Management/service/ManagementService" binding="netTcpBinding" bindingConfiguration="NetTcpBinding_Management" contract="Namespace2.IserviceContract" name="NetTcpBinding_IserviceContract" />
</client>
</system.serviceModel>
we also tried to restart IIS and application pool. Still getting the same exception.
Try searching your web.config for another that is using the web address as your ManagementService. Also, search the web.config for any reference to the old namespace (contract="Namespace1.IserviceContract"). Don't forget to check for extra .config files. That little gotcha has burned me before.
Whatever protocol is being called like basic, net.tcp or wshttp, that address should be in web config file remove other addresses from client section in app.config file, in my case i am calling the service as htp://machinename:700/test.svc but in the client section there were addresses with net.tcp and wshttp configurations, removed those addresses and issue is fixed for me.
Please right click on svc file of your wcf service and click on View markup.
then modify namespace there also. It should work fine then.
If everything in your web.config appears to be correct, this error can be caused by another application on the same server. I spent several days troubleshooting a similar issue.
In my case, the environment had a large number of WCF services deployed as web applications in IIS under a single website as follows.
/Root Website
/Service1
/Service2
/Service3
/ServiceX
One of the child services was mistakenly deployed to the root website physical folder rather than to it's own physical folder. This bad deployment contained a client endpoint definition that was common to all of the services and caused all of the child services to break. Apparently, the same client endpoint cannot be used by the parent website and a child web application.
Removing the client endpoint from the root website fixed the issue for me.
I have imported an axis based wsdl into a VS 2008 project as a service reference.
I need to be able to pass security details such as username/password and nonce values to call the axis based service.
I have looked into doing it for wse, which i understand the world hates (no issues there)
I have very little experience of WCF, but have worked how to physically call the endpoint now, thanks to SO, but have no idea how to set up the SoapHeaders as the schema below shows:
<S:Envelope
xmlns:S="http://www.w3.org/2001/12/soap-envelope"
xmlns:ws="http://schemas.xmlsoap.org/ws/2002/04/secext">
<S:Header>
<ws:Security>
<ws:UsernameToken>
<ws:Username>aarons</ws:Username>
<ws:Password>snoraa</ws:Password>
</ws:UsernameToken>
</wsse:Security>
•••
</S:Header>
•••
</S:Envelope>
Any help much appreciated
Thanks, Mark
In order to call these kind of services, you will typically use either basicHttpBinding (that's SOAP 1.1 without WS-* implementations) or then wsHttpBinding (SOAP 1.2, with WS-* implementations).
The main issue will be getting all the security parameters right. I have a similar web service (Java-based) that I need to call - here's my settings and code:
app./web.config
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="SoapWithAuth" useDefaultWebProxy="false">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" proxyCredentialType="None" realm="" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint name="SoapWithAuth"
address="http://yourserver:port/YourService"
binding="basicHttpBinding"
bindingConfiguration="SoapWithAuth"
contract="IYourService" />
</client>
</system.serviceModel>
and then in your client's code when calling the service, you need this snippet of code:
IYourServiceClient client = new IYourServiceClient();
client.ClientCredentials.UserName.UserName = "username";
client.ClientCredentials.UserName.Password = "top-secret";
Does that help at all?
The WCF client proxy doesn't support the password digest option. The only way to do this is to build the UsernameToken yourself and then inject it into the SOAP headers before the message is sent.
I had a similar problem which is described here, which should be enough to help you solve your same issue.
I ended up using the old WSE3.0 library for the UsernameToken, rather than coding the hashing algorithm myself and then using a custom behavior to alter the SOAP headers.
Hi All
I am currently having an issue calling a WCF service from a windows service. My Application Solution looks like this.
Web Administration Console (Web Project)
Central Control (Windows Service)
WCF service so the Web Administration Console can connect to it and configure it
Several Calls to use WCF on the Node (Window Service)
Node (Windows Service)
WCF service to allow the Central Control Windows service configure it
The Web Administration Console can access the Central Control WCF but the Central Control Times Out when ever it tries to connect to the Node. In testing this I created a Launcher app which is a simple Windows Form Project which creates an instance of each service and has a couple of buttons which use a WCF function in each of the windows services (just to see what was failing) this Launcher app couldn’t speak to either of the Windows Services. This was confused me so I added the same buttons to a Web Form in the Web Administration Console and it connected to both Windows Services perfectly through WCF. I know the WCF stuff is working as I can hit it through IE and see all of the wonderful XML (and obviously the fact that the calls work from the web app are a good indication of it being up and running)
In short
My web apps can use the WCF services in my Windows Services but Windows Forms and Windows services cannot. Why is this!?
I have pretty much already run out of time on this project so speedy replies would be awesome!
Tech/Code details
I am not using config files in the applications. Everything is being created through code and I have been using the same code to make my WCF calls every where. Also I have tried to turn security off everywhere in case that was the issue. Also I am using the same svcutil generated proxy files everywhere as well to keep it all consistent
Example of a call to the Node
Dim Bind As New WSHttpBinding(SecurityMode.None, True)
Bind.CloseTimeout = New TimeSpan(0, 0, 10)
Bind.OpenTimeout = New TimeSpan(0, 0, 10)
Bind.SendTimeout = New TimeSpan(0, 0, 10)
Dim client As New BN.BNodeServiceClient(Bind, New EndpointAddress("http://localhost:27374/Node"))
client.sendMessage("Test Message")
client.Close()
The Node opening its WCF
BNodeHost = New ServiceHost(GetType(iBNodeService))
BNodeHost.AddServiceEndpoint(GetType(BNodeService), New WSHttpBinding(SecurityMode.None, True), New Uri("http://localhost:27374/Node"))
Dim metadataBehavior As ServiceModel.Description.ServiceMetadataBehavior
metadataBehavior = BNodeHost.Description.Behaviors.Find(Of _
ServiceModel.Description.ServiceMetadataBehavior)()
If metadataBehavior Is Nothing Then
metadataBehavior = New ServiceModel.Description.ServiceMetadataBehavior()
metadataBehavior.HttpGetEnabled = True
metadataBehavior.HttpGetUrl = New Uri("http://localhost:27374/Node")
BNodeHost.Description.Behaviors.Add(metadataBehavior)
Else
BNodeHost.Description.Behaviors.Add(metadataBehavior)
End If
BNodeHost.Open()
This was all working before I made the different bits proper Windows Services and tried to add installers to it. The installers work fine and install the services which start and allow me to see all the WCF XML in IE.
As you might be able to tell, I am very new to WCF and this is my first application using it. The fundamental bits have been pretty much Copy/Paste/Alter jobs from a sample that doesn’t use config files.
Any help would be greatly appreciated.
verify that all the endpoints in the appconfig match the settings in the admin webapp's webconfig. each one sets various timeout values, ie:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ILookupService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows" negotiateServiceCredential="true"
algorithmSuite="Default" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="LargeEndpointBehavior">
<dataContractSerializer ignoreExtensionDataObject="true" maxItemsInObjectGraph="2147483647"/>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="http://localhost:59599/LookupService.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ILookupService"
contract="FEEALookupServiceReference.ILookupService" name="WSHttpBinding_ILookupService">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</client>
</system.serviceModel>
hope that helps. good luck.
I couldn't work this one out properly. There seemed to be an issue with Windows Service to Windows Service communication. There is a way of making it happen somewhere but I ran out of time so I solved it by turning one of the bits (the Central Control) into a normal windows application and installed it that way. Works fine and the client is happy :)
Check the permissions for the users that the Windows Services are running under - they like to default to Network Service which may not have sufficient permissions. Run them as a dedicated user with the correct permissions.
And check Windows Firewall. It loves to block some of your web connections. I usually just turn it off.