WCF and HTTP request is unauthorized with client authentication scheme ‘Ntlm’

Posted on by
 This turned out to be “fun”, so I thought I’d share.  OK, i have a few WCF services that call each other, all on the same network.  I create dynamic proxies (not anything generated by svcutil) as i needed the flexibility, but still using straight up WCF stuff, nothing too fancy.   The consumers might be .net or java, or php, so to keep things open to all, I went with the httpBasicBinding, and figured I’d stick with Windows Authentication to keep things simple (we can always come back later and make things more custom/complicated as needed).   So, I set up the binding as follows, and this worked fine (for a while):

<binding name=ServiceBindingBasic sendTimeout=00:1:00 maxReceivedMessageSize=10000000>
<readerQuotas maxArrayLength=10000000 maxStringContentLength=10000000/>
<security mode=TransportCredentialOnly>
<transport clientCredentialType=Windows />
</security>
</binding>

Then, after a few months, I started seeing this message on my [somewhat new] XP machine:
The HTTP request is unauthorized with client authentication scheme ‘Ntlm’. The authentication header received from the server was ‘Negotiate,NTLM’.
Yet, when these services were installed on Windows Server 2003 sp1, no issues.  At the end of the day, the credentials were’nt flowing correctly from one machine to another, and when I finally found a small article that had one tidbit that worked,  I got past this thing.  I needed to set this on my dynamic proxy:
client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
So, if you ever see this error message, or a derivative of it, don’t go chasing down things like this crap until you’ve ensure your TokenImpersonationLevel meets whatever your requirements are.

I must admit, WCF security is a huge topic, and I certainly don’t lay claim to expertise in this area, so also consult others!

J

 

18 thoughts on “WCF and HTTP request is unauthorized with client authentication scheme ‘Ntlm’

  1. Jason,

    Yes, this did work. It is interesting that this can be set in configuration, but when the proxy object is created it seems to be ignored. I would think the config below when applied to the proxy should work.

    Reply

  3. OMG!

    Ive been googling all day to find out how to connect to Reporting Services 2005 web service from VS 2008! You saved my life. Thanks!

    Reply

  4. Yeah, I’ve been wasting half the day trying to figure out this stupid credentials thing, getting way too deep for no reason. Thanks man.

    Reply

  5. If you don’t want to do this in code, of course it can also be done in the configuration file by defining a custom endpoint behavior, for example, by adding:
    <behavior name=”ImpersonationClientCredentialsBehavior”>
    <clientCredentials>
    <windows allowedImpersonationLevel=”Impersonation” />
    </clientCredentials>
    </behavior>
    and then adding a behaviorConfiguration=”ImpersonationClientCredentialsBehavior” attribute to your client endpoint.

    Reply

  6. Pingback: Listen to yourself sometimes « Jason Harper’s blog

  7. HI after using the code service.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation; i am getting the error like The HTTP request is unauthorized with client authentication scheme ‘Negotiate’. The authentication header received from the server was ‘Negotiate oYGTMIGQoAMKAQGigYgEgYVggYIGCSqGSIb3EgECAgMAfnMwcaADAgEFoQMCAR6kERgPMjAwOTAxMjMxNDE0MzdapQUCAwFCS6YDAgEpqRMbEUFNRVIuQ09SUC5FRFMuQ09NqjEwL6ADAgEDoSgwJhsEaG9zdBsedXNhaHN2dWxtMTkyLmFtZXIuY29ycC5lZHMuY29t’. Can you please help me on this one.Really 3 days i am struggling with this problem

    Reply

  8. hi ram your problem is an issue of .net 3.5 sp1 , see microsoft documentation, you have to add a identity tag to de endpoint client tags

    Reply

  11. Nice post, I was having the same error and it only took me to log off and login back to windows again. In my case I started getting this error when I changed my password.

    Regards!

    Reply

  16. Thank You so Much for the post.I was getting an error when i call basicHttpBinding WCF service from web application. I was getting the error that the uri has to be Https instead of htpp. This error is fixed by changing the Security Mode to

    Reply

Leave a comment