This project is read-only.

“The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.”

Topics: Technical Questions, Usage Scenarios
Feb 9, 2010 at 11:22 AM
Edited Feb 9, 2010 at 11:44 AM

We have configured a virtual service in MSE. We have applied right policies to flow windows credentials through to the physical service. When we test the virtual service using a client program (setting the right impersonation leve)l running from the same machine as  MSE, we get the right results. But when we run the client program from a different machine, we are getting the below error.

“The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.”

Client Configuration File

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="BasicHttpBinding_svc_DemoService" closeTimeout="00:01:00"
                    openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                    allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                    maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                    messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                    useDefaultWebProxy="true">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                    <security mode="TransportCredentialOnly">
                        <transport clientCredentialType="Windows" proxyCredentialType="None"
                            realm="" />
                        <message clientCredentialType="UserName" algorithmSuite="Default" />
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <client>
            <endpoint address="http://ctsintcovsods1:99/DemoService" binding="basicHttpBinding"
                bindingConfiguration="BasicHttpBinding_svc_DemoService" contract="MSE_DEMO.svc_DemoService"
                name="BasicHttpBinding_svc_DemoService">
                <identity>
                    <servicePrincipalName value="spn" />
                </identity>
            </endpoint>
        </client>
    </system.serviceModel>
</configuration>

 

Client Code

            MSE_DEMO.svc_DemoServiceClient sc = new WindowsFormsApplication1.MSE_DEMO.svc_DemoServiceClient();
            sc.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

            MessageBox.Show(sc.GetName("161503"));

            MSE_DEMO.TestDC tdc = new WindowsFormsApplication1.MSE_DEMO.TestDC();
            tdc.Age = "30";
            tdc.Designation = "Architect";
            MSE_DEMO.GetTestRequest gtr = new WindowsFormsApplication1.MSE_DEMO.GetTestRequest();
            gtr.TestDC = tdc;
            MSE_DEMO.GetTestResponse res = sc.GetTest(gtr);
            MessageBox.Show(res.TestReturnDC.Name);

 

Any ideas?

Sujesh

 

Feb 10, 2010 at 1:26 PM

It sounds like the physical service is on a third machine.  When client & MSE are on one machine, impersonation is ok, but when the client is moved off of that machine you are now in double-hop territory and need to perform Kerberos delegation rather than simple impersonation.  The error indicates Kerberos wasn’t used to authenticate (NTLM was used).

 The following link has information on how to ensure you are setup for Kerberos delegation

http://msdn.microsoft.com/en-us/library/bb463274.aspx