2

After I moved the WCF service and the ASP.NET Core website to the server, I get the following error:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate, NTLM'.

I have enabled only Windows Authentication on the WCF service, with the following web.config:

```xml
<system.serviceModel>
  <client />
  <behaviors>
    <serviceBehaviors>
      <behavior name="authBehavior">
        <serviceAuthorization principalPermissionMode="UseWindowsGroups">
          <authorizationPolicies>
            <add policyType="WCF.AuthorizationPolicy, WCF" />
          </authorizationPolicies>
        </serviceAuthorization>
        <serviceCredentials>
          <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WCF.IdentityValidator, WCF" />
          <serviceCertificate findValue="16E86CCAFFE6211DAE6E841B984F71FB7609D349" storeLocation="LocalMachine" x509FindType="FindBySerialNumber" storeName="My" />
        </serviceCredentials>
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <bindings>
    <basicHttpsBinding>
      <binding name="basicHttpsEndpointBinding" maxReceivedMessageSize="1073741824" maxBufferSize="1073741824" maxBufferPoolSize="1073741824">
        <readerQuotas maxDepth="32" maxArrayLength="1073741824" maxStringContentLength="1073741824" />
        <!-- HTTPS transport security; the client binding must use the same clientCredentialType -->
        <security mode="Transport">
          <transport clientCredentialType="Ntlm" />
        </security>
      </binding>
    </basicHttpsBinding>
  </bindings>
  <services>
    <service name="WCF.MyService" behaviorConfiguration="authBehavior">
      <endpoint address="" binding="basicHttpsBinding" bindingConfiguration="basicHttpsEndpointBinding" contract="WCF.IMyService">
        <identity>
          <dns value="example.com" />
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
</system.serviceModel>
```

ASP.NET Core client:

```csharp
// Requires: using System.ServiceModel;
BasicHttpsBinding binding = new BasicHttpsBinding
{
    MaxBufferPoolSize = 1073741824,
    MaxBufferSize = 1073741824,
    MaxReceivedMessageSize = 1073741824
};
binding.ReaderQuotas.MaxDepth = 32;
binding.ReaderQuotas.MaxArrayLength = 1073741824;
binding.ReaderQuotas.MaxStringContentLength = 1073741824;

// Same transport security settings as the service binding
binding.Security.Mode = BasicHttpsSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;

MyServiceClient client = new MyServiceClient(binding, new EndpointAddress(new Uri("https://example.com/MyService.svc"), new DnsEndpointIdentity("mydomain.com")));
client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

// Windows credentials are read from the "WCF" configuration section
client.ClientCredentials.Windows.ClientCredential.Domain = Configuration.GetSection("WCF")["MyServiceDomain"];
client.ClientCredentials.Windows.ClientCredential.UserName = Configuration.GetSection("WCF")["MyServiceUserName"];
client.ClientCredentials.Windows.ClientCredential.Password = Configuration.GetSection("WCF")["MyServicePassword"];

// client call
```

I have run out of ideas about what could be wrong. If I change Ntlm to Windows in the config/code, then I get the error with client authentication scheme 'Negotiate'. Can I somehow use both, or do I have to somehow remove Negotiate/Ntlm from IIS?

Thanks for any idea!

SOLUTION!

Method 1 from article https://blogs.msdn.microsoft.com/distributedservices/2009/11/10/wcf-calling-wcf-service-hosted-in-iis-on-the-same-machine-as-client-throws-authentication-error/

Requires server reboot!

user1085907
  • You may find [this post](https://stackoverflow.com/questions/48522849/what-replaces-wcf-in-net-core) insightful. – R. Richards Dec 14 '18 at 20:55
  • Well, it's too bad if another project is already written and it works on localhost but not on the server :D Anyway, I solved the issue by reading this article: https://blogs.msdn.microsoft.com/distributedservices/2009/11/10/wcf-calling-wcf-service-hosted-in-iis-on-the-same-machine-as-client-throws-authentication-error/ which solved my problem – user1085907 Dec 14 '18 at 21:16
  • 1
    Post the solution as an answer and accept it. – Lex Li Dec 14 '18 at 22:45
  • Sure.. I have to wait only 2 days to accept it :D – user1085907 Dec 15 '18 at 00:15

1 Answer

0

I found this article, which offers a solution for my issue.

Article: https://blogs.msdn.microsoft.com/distributedservices/2009/11/10/wcf-calling-wcf-service-hosted-in-iis-on-the-same-machine-as-client-throws-authentication-error/

Use method 1. Requires server reboot!

In the registry I used CNAME like:

mySubdomain
mySubdomain.myDomain.com
localhost
192.168.0.xxx
192.168.0.1 (default gateway)
xx.xx.xx.xx (my ip address)
user1085907
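The registry change the answer describes, as an added example that is not part of the original post or the linked article. It assumes "method 1" refers to the Windows `BackConnectionHostNames` allow-list under `Lsa\MSV1_0`, which exempts named hosts from the NTLM loopback check while leaving the check itself enabled; the host names are placeholders based on the answer's list.

```powershell
# Added example (assumption: "method 1" = BackConnectionHostNames allow-list).
# Run from an elevated PowerShell session on the IIS server.
$msvKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'BackConnectionHostNames'

# Placeholder names: use exactly the host names that appear in the
# service URL the local client calls (short name and FQDN).
$wanted = @('mySubdomain', 'mySubdomain.myDomain.com')

# Read the current REG_MULTI_SZ value; it is absent on a default install.
$existing = Get-ItemProperty -Path $msvKey -Name $valueName -ErrorAction SilentlyContinue
$current  = if ($existing) { @($existing.$valueName) } else { @() }

# Merge without duplicates so entries added by other software are preserved.
$merged = @($current + $wanted | Where-Object { $_ } | Sort-Object -Unique)

# -Force overwrites the value if it already exists.
New-ItemProperty -Path $msvKey -Name $valueName -PropertyType MultiString `
    -Value $merged -Force | Out-Null

# Check that the broader workaround is not also active: DisableLoopbackCheck = 1
# turns the loopback protection off for every host name, not only the listed ones.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning 'DisableLoopbackCheck is 1; the NTLM loopback check is off for all hosts.'
}

# Show the resulting allow-list. The answer reports that a reboot was needed
# before the change took effect.
(Get-ItemProperty -Path $msvKey -Name $valueName).$valueName
```

Keeping the allow-list to the names the service is actually addressed by limits the exemption to those hosts.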