WCFTestClient The HTTP request is unauthorized with client authentication scheme 'Anonymous'
H

10

77

I've created one WCF service and deployed it on Server. When I browse this service it gives me positive response with ?wsdl URL. Now I'm trying to test the service through WCF Test client. It shows proper metadata. But when I try to invoke any of the methods from the service it shows me an exception... here are the error details with stack trace..

The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.

Server stack trace:

at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory factory)

Client Bindings:

<bindings>
    <wsHttpBinding>
        <binding name="WSHttpBinding_IServiceMagicService" closeTimeout="00:01:00"
            openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
            bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
            maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
            messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
            allowCookies="false">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <reliableSession ordered="true" inactivityTimeout="00:10:00"
                enabled="false" />
            <security mode="None">
                <transport clientCredentialType="Windows" proxyCredentialType="None"
                    realm="" />
                <message clientCredentialType="Windows" negotiateServiceCredential="true"
                    establishSecurityContext="true" />
            </security>
        </binding>
    </wsHttpBinding>
</bindings>

Server Bindings:

<bindings>
  <wsHttpBinding>
    <binding name="WSHttpBinding_SEOService" closeTimeout="00:10:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="true" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="999524288" maxReceivedMessageSize="655360000" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="900000" maxArrayLength="900000" maxBytesPerRead="900000" maxNameTableCharCount="900000" />
      <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
      <security mode="None">
        <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
        <message clientCredentialType="Windows" negotiateServiceCredential="true" establishSecurityContext="true" />
      </security>
    </binding>
    <binding name="WSHttpServiceMagicBinding" closeTimeout="00:10:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" bypassProxyOnLocal="true" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="999524288" maxReceivedMessageSize="655360000" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
      <readerQuotas maxDepth="32" maxStringContentLength="900000" maxArrayLength="900000" maxBytesPerRead="900000" maxNameTableCharCount="900000"/>
      <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false"/>
      <security mode="None">
        <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
        <message clientCredentialType="Windows" negotiateServiceCredential="true" establishSecurityContext="true"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

Client's Client Section:

<client>
    <endpoint address="http://hydwebd02.solutions.com/GeoService.Saveology.com/ServiceMagicService.svc"
        binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IServiceMagicService"
        contract="IServiceMagicService" name="WSHttpBinding_IServiceMagicService" />
</client>

Server's Services Section:

<services>
    <service behaviorConfiguration="GeoService.Saveology.com.CityStateServiceProviderBehavior"
    name="GeoService.Saveology.com.CityStateServiceProvider">
    <endpoint binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_SEOService"
        contract="SEO.Common.ServiceContract.ICityStateService" />
    <endpoint address="mex" binding="mexHttpBinding" bindingConfiguration=""
        contract="IMetadataExchange" />
    </service>
    <service behaviorConfiguration="GeoService.Saveology.com.ServiceMagicServiceProviderBehavior"
    name="GeoService.Saveology.com.ServiceMagicServiceProvider">
    <endpoint binding="wsHttpBinding" bindingConfiguration="WSHttpServiceMagicBinding" 
        contract="SEO.Common.ServiceContract.IServiceMagicService">
    </endpoint>
    <endpoint address="mex" binding="mexHttpBinding" bindingConfiguration="" contract="IMetadataExchange" />
    </service>
</services>
Homogenesis answered 25/6, 2009 at 13:46 Comment(6)
What happens when you call these methods with a real client?Quietus
OK,thanks - but you'll need to ALSO post the server's <services> section, and the client's <client> section so we'll see how those endpoints are set up and how you're calling them......Disconcerted
With real client it works with no single issue.Homogenesis
I've posted both client's <client> section and server's <services> section as well.Homogenesis
It's symptomatic of the .Net world that you get so many (valid) different answers to the same question and not a single one explaining what parameters you are changing to and why. Does anyone understand what he/she is doing?Indemnity
Can happen because of an incorrect password too.Whitver
R
85

I didn't have control over the security configuration for the service I was calling into, but got the same error. I was able to fix my client as follows.

  1. In the config, set up the security mode:

    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
      <message clientCredentialType="UserName" algorithmSuite="Default" />
    </security>
    
  2. In the code, set the proxy class to allow impersonation (I added a reference to a service called customer):

    Customer_PortClient proxy = new Customer_PortClient();
    proxy.ClientCredentials.Windows.AllowedImpersonationLevel =    
             System.Security.Principal.TokenImpersonationLevel.Impersonation;
    
Rema answered 9/3, 2010 at 14:28 Comment(4)
If you do it programmatically, make sure you use Dim binding As New System.ServiceModel.BasicHttpBinding() instead of Dim binding As New System.ServiceModel.WSHttpBinding()Omniscience
I really do not know what a Customer_PortClient is, but setting the security mode helped me out.Monandrous
When using <security mode="TransportCredentialOnly"> it seems that you do not need to include configuration for message security; the SOAP message is sent unencrypted in plain text. The <message> tag seems to be ignored so it doesn't do any harm, it's just not needed. Source: msdn.microsoft.com/en-us/library/ff648505.aspxSaffian
Where is "the config"? I'm kind of a newbie. EDIT: nvmd figured it out from here: learn.microsoft.com/en-us/dotnet/framework/wcf/…Chilt
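Why the question's binding produces scheme 'Anonymous' and why switching the security mode changes it, as an added example that is not code from any poster on this page. It is a simplified model of how a WCF `<security>` element maps to the HTTP authentication scheme named in the error; the function names are hypothetical and the element must spell out `mode` and `clientCredentialType`.

```python
import xml.etree.ElementTree as ET

# HttpClientCredentialType -> scheme name as WCF prints it in the error text.
SCHEME = {"None": "Anonymous", "Certificate": "Anonymous", "Basic": "Basic",
          "Digest": "Digest", "Ntlm": "Ntlm", "Windows": "Negotiate"}
# Only these security modes authenticate the caller at the HTTP layer.
HTTP_AUTH_MODES = {"Transport", "TransportCredentialOnly"}

# The <security> element from the question's client binding (trimmed).
QUESTION_SECURITY = """<security mode="None">
  <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
</security>"""


def client_scheme(security_xml):
    """Return (HTTP scheme the client uses, caveats) for one <security> element.

    Simplification: mode and clientCredentialType must be written out,
    because their defaults differ from binding to binding.
    """
    sec = ET.fromstring(security_xml)
    mode = sec.get("mode", "None")
    transport = sec.find("transport")
    cred = transport.get("clientCredentialType", "None") if transport is not None else "None"
    notes = []
    if mode not in HTTP_AUTH_MODES:
        # None, Message, TransportWithMessageCredential: no HTTP-level credentials.
        if cred != "None":
            notes.append(f'transport clientCredentialType="{cred}" is unused in mode "{mode}"')
        return "Anonymous", notes
    if mode == "TransportCredentialOnly":
        notes.append("plain HTTP: the SOAP message is not encrypted")
        if cred == "Basic":
            notes.append("Basic over plain HTTP sends the password base64-encoded, readable on the wire")
    return SCHEME.get(cred, "Anonymous"), notes


def offered_schemes(header_text):
    """Scheme names from the header text in the error, e.g. 'Negotiate,NTLM'."""
    return {part.split()[0].lower() for part in header_text.split(",") if part.strip()}


def diagnose(security_xml, header_text):
    """Compare what the client sends with what the server asked for."""
    scheme, notes = client_scheme(security_xml)
    accepted = scheme.lower() in offered_schemes(header_text)
    return {"client_scheme": scheme, "accepted": accepted, "notes": notes}
```

`diagnose(QUESTION_SECURITY, "Negotiate,NTLM")` reports the question's mismatch; passing the `TransportCredentialOnly` element from the answer above reports `Negotiate` as accepted, with the cleartext caveat attached.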
E
13

I have a similar issue, have you tried:

proxy.ClientCredentials.Windows.AllowedImpersonationLevel =   
          System.Security.Principal.TokenImpersonationLevel.Impersonation;
Eyde answered 11/9, 2009 at 19:34 Comment(0)
S
11

Another possible solution to this error that I found. Might not have answered OP's exact question but may help others who stumble across this error message.

I was creating my Client in code using WebHttpBinding, in order to replicate the following line:

<security mode="TransportCredentialOnly">
  <transport clientCredentialType="Windows" proxyCredentialType="Windows" />
</security>

I had to do:

var binding = new WebHttpBinding(WebHttpSecurityMode.TransportCredentialOnly);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.Windows;

as well as setting proxy.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

Sedative answered 13/3, 2013 at 21:38 Comment(0)
I
8

I had a similar problem and tried everything suggested above. Then I tried changing the clientCredentialType to Basic and everything worked fine.

<basicHttpBinding>
    <binding name="BINDINGNAMEGOESHERE" >
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Basic"></transport>
      </security>
    </binding>
  </basicHttpBinding>
Incrassate answered 9/10, 2015 at 10:14 Comment(0)
E
7

I see this isn't answered yet, this is an exact quote from here:

WSHttpBinding will try and perform an internal negotiate at the SSP layer. In order for this to be successful, you will need to allow anonymous in IIS for the VDir. WCF will then by default perform an SPNEGO for window credentials. Allowing anonymous at IIS layer is not allowing anyone in, it is deferring to the WCF stack.

I found this via: http://fczaja.blogspot.com/2009/10/http-request-is-unauthorized-with.html

After googling: http://www.google.tt/#hl=en&source=hp&q=+The+HTTP+request+is+unauthorized+with+client+authentication+scheme+%27Anonymous

Ellenaellender answered 8/2, 2010 at 14:3 Comment(1)
Hi @Irwin, Thanks for the answer. Could you please provide a more "official" source, like original documentation produced by Microsoft, for me to justify this to an auditor? THANKS A LOT!! MarceloMonicamonie
F
3

Here's what I had to do to get this working. This means:

  1. Custom UserNamePasswordValidator (no need for a Windows account, SQLServer or ActiveDirectory -- your UserNamePasswordValidator could have username & password hardcoded, or read it from a text file, MySQL or whatever).
  2. https
  3. IIS7
  4. .net 4.0

My site is managed through DotNetPanel. It has 3 security options for virtual directories:

  1. Allow Anonymous Access
  2. Enable Basic Authentication
  3. Enable Integrated Windows Authentication

Only "Allow Anonymous Access" is needed (although, that, by itself wasn't enough).

Setting

proxy.ClientCredentials.Windows.AllowedImpersonationLevel =  System.Security.Principal.TokenImpersonationLevel.Impersonation;

Didn't make a difference in my case.

However, using this binding worked:

      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="Windows" />
        <message clientCredentialType="UserName" />
      </security>        
Frontward answered 20/5, 2010 at 18:22 Comment(0)
P
2

I had the same error today, after deploying our service calling an external service to the staging environment in Azure. Locally the service called the external service without errors, but after deployment it didn't.

In the end it turned out that the external service has an IP validation. The new environment in Azure has another IP and it was rejected.

So if you ever get this error calling external services, it might be an IP restriction.

Pentecost answered 7/10, 2015 at 14:28 Comment(1)
I have the same issue. Please note that if the Azure App service plan is not dedicated then the outbound IP is virtual, it may change in the future.It
S
2

I had this error too, and finally this code worked for me in .NET Core 3.1.

First install svcutil in the command prompt: dotnet tool install --global dotnet-svcutil

Then close command prompt and open it again.

Then create the Reference.cs in command prompt :

dotnet-svcutil http://YourService.com/SayHello.svc

(It needs an enter key and UserName and Password)

Add a folder named Connected Services to project root.

Copy Reference.cs file to Connected Services folder.

Add these 4 lines to Reference.cs after the lines that create the BasicHttpBinding and set MaxBufferSize:

result.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
result.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
result.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.None;
result.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;

Use this service in your Controller :

public async Task<string> Get()
{
    try
    {
        var client = new EstelamClient();
        client.ClientCredentials.UserName.UserName = "YourUserName";
        client.ClientCredentials.UserName.Password = "YourPassword";
        var res = await client.EmployeeCheckAsync("service parameters");
        return res.ToString();
    }
    catch (Exception ex)
    {
        return ex.Message + " ************ stack : " + ex.StackTrace;
    }
}

Do not forget to install these packages in csproj:

<PackageReference Include="System.ServiceModel.Duplex" Version="4.6.*" />
<PackageReference Include="System.ServiceModel.Http" Version="4.6.*" />
<PackageReference Include="System.ServiceModel.NetTcp" Version="4.6.*" />
<PackageReference Include="System.ServiceModel.Security" Version="4.6.*" />
Shishko answered 18/12, 2020 at 7:35 Comment(3)
What is the type of result?Dermatogen
It depends on the method you use. In my code EmployeeCheckAsync() returns an object that is in the Reference.cs file that you made with the dotnet-svcutil command.Shishko
This solution helped me, especially the line "binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic". I have created a new binding and passed it as a parameter to the Client constructor.Fumigant
K
0

Just got this problem on a development machine (production works just fine). I modify my config in IIS to allow anonymous access and put my name and password as credential.

Not the best way I am sure but it works for testing purposes.

Kapp answered 21/1, 2010 at 18:31 Comment(2)
Can you please share the code snippet for the same here?Corrientes
I'll try to find it, but this post is from 7 years ago, so I don't know if I will find it...Kapp
R
0

Try providing username and password in your client like below

client.ClientCredentials.UserName.UserName = @"Domain\username";
client.ClientCredentials.UserName.Password = "password";
Rees answered 12/8, 2013 at 13:6 Comment(0)
