21

I have a WCF service with net.tcp binding, hosted on the server as a Windows service. I am not able to access this service. However, I was able to do so when I hosted it on my local network.

Error Received

Message: The server has rejected the client credentials.

Inner Exception:

System.Security.Authentication.InvalidCredentialException:
The server has rejected the client credentials.
---> System.ComponentModel.Win32Exception:
The logon attempt failed
--- End of inner exception stack trace ---
at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, ChannelBinding binding, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)

Tried searching for the solution, but found none that fits my requirements, hence posted here.

What could be the problem?

If I set my security mode to None on the client

<security mode="None"></security>

I get another error:

Error: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.5149722'.

Community
Bravo
  • You should specify in which account the Windows service runs. Is it a system account or a user account? In addition, what kind of WCF authentication do you use? – Yuval Peled Dec 20 '11 at 18:09
  • The Windows service runs under the Local System account and there is no WCF authentication used. In case you need any other info, let me know – Bravo Dec 21 '11 at 07:04
  • Probably NTLM credentials fail. Try running the service as the same client user. And also look at: http://msdn.microsoft.com/en-us/library/ms730301(VS.90).aspx for anonymous secure connections – Yuval Peled Dec 21 '11 at 23:23

7 Answers

27

I just had this same issue trying to get a server in the DMZ talking to a service inside my network. The solution that fixed it for me was to add the following to the app.config:

Note the security node.

<bindings>
  <netTcpBinding>
    <binding name="customTcpBinding" maxReceivedMessageSize="20480000" transferMode="Streamed" >
      <security mode="None"></security>
    </binding>
  </netTcpBinding>
</bindings>
Peter Mortensen
spinner_den_g
  • If I set my security mode to None on the client I get another error: "The socket connection was aborted..." – Bravo Jan 13 '12 at 09:24
  • 1
    Try adding that node to both the client and the server config file. – spinner_den_g Jan 14 '12 at 00:46
  • Yes, that did the trick. Now I am able to communicate with the WCF service. However, now I am trying to implement some sort of security on the service... thanks & enjoy the Bounty :) – Bravo Jan 16 '12 at 08:58
6

The error is a TokenImpersonation error.

What appears to be happening is that the call comes in, and some code on the server side requires that the user be impersonated by the server code.

The server code is running as the local system account; it is therefore not able to impersonate a domain user.

You have 2 basic options:

  • Run the service in the security context of a user that is allowed to impersonate another user
  • Rewrite your application such that impersonation is not required
Shiraz Bhaiji
4

I know this has already been answered with "turn off security". But in case anyone is interested I did manage to get WCF Transport Windows authentication using NetTcpBinding in an Intranet environment working myself after a great deal of pain.

Essentially it came down to using this configuration:

<security mode="Transport">
  <transport clientCredentialType="Windows" />
</security>

You can see a little more detail in the blog post WCF Transport Windows authentication using NetTcpBinding in an Intranet environment.

Vojtěch Dohnal
John Reilly
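An added example, not code from any of the answers: a small Python audit of an app.config that flags netTcpBinding entries whose transport security is switched off (the `mode="None"` setting from the first answer, which removes authentication, signing and encryption) and accepts the Transport/Windows settings from this answer. It also checks that client and server configs use the same security mode, which the comments above show is required. The sample configs and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread). The first mirrors the
# mode="None" binding from the first answer, the second the Transport/Windows
# settings from this answer.
INSECURE = """<configuration><system.serviceModel><bindings><netTcpBinding>
  <binding name="customTcpBinding" transferMode="Streamed">
    <security mode="None"></security>
  </binding>
</netTcpBinding></bindings></system.serviceModel></configuration>"""

WINDOWS = """<configuration><system.serviceModel><bindings><netTcpBinding>
  <binding name="secureTcpBinding">
    <security mode="Transport">
      <transport clientCredentialType="Windows" />
    </security>
  </binding>
</netTcpBinding></bindings></system.serviceModel></configuration>"""


def bindings(config_xml):
    """Yield (name, <security> element or None, mode) per netTcpBinding."""
    for b in ET.fromstring(config_xml).findall(".//netTcpBinding/binding"):
        sec = b.find("security")
        # WCF defaults for netTcpBinding: mode=Transport,
        # clientCredentialType=Windows, protectionLevel=EncryptAndSign.
        mode = "Transport" if sec is None else sec.get("mode", "Transport")
        yield b.get("name", ""), sec, mode


def audit(config_xml):
    """Return (binding name, finding) pairs for weak netTcpBinding security."""
    findings = []
    for name, sec, mode in bindings(config_xml):
        if mode == "None":
            findings.append((name, "no authentication, signing or encryption"))
        elif mode != "Message":  # message-level settings are not inspected here
            tr = sec.find("transport") if sec is not None else None
            attrs = {} if tr is None else tr.attrib
            if attrs.get("clientCredentialType", "Windows") == "None":
                findings.append((name, "clients are not authenticated"))
            prot = attrs.get("protectionLevel", "EncryptAndSign")
            if prot != "EncryptAndSign":
                findings.append((name, "protectionLevel is " + prot))
    return findings


def modes_agree(client_xml, server_xml):
    """Coarse check: both configs use the same set of security modes."""
    modes = lambda xml: {mode for _, _, mode in bindings(xml)}
    return modes(client_xml) == modes(server_xml)
```
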
2

Ours is a Windows-based application connecting to a WCF service within the local intranet. The security level has been set to Windows authentication. We got this error occasionally. On investigation, we found out that the Windows password had expired. After changing the password, all worked as normal...

It is a simple check if you are getting this error occasionally.

Peter Mortensen
vonbalaji
  • 1
    We had this issue recently as well, service/application A communicating with service/application B via WCF, both running as user U. Changing the password of user U doesn't cause any problems at first (until you restart service or application pool), WCF communication however fails with the error message from the question. – janv8000 Jan 30 '14 at 08:19
1

It seems the client request is not authenticated on the server. You could find useful information here and here.

Community
Anand
0

Similar to @vonbalaji, I've seen this when the account has been locked out due to having entered the password incorrectly several times.

user2871239
0

The second error you got, "Socket connection was aborted", usually comes when you try to pump too much data from your service.

I recommend user impersonation to get the credentials working right first, then think about the remainder of the issue.

You can find some useful information about impersonation in How to: Impersonate a Client on a Service.

Peter Mortensen
Sagar Bhat