The HTTP request is unauthorized with client authentication scheme Negotiate. The authentication header received from the server was Negotiate oX…Q=

gotorg 21 Reputation points
2021-08-12T14:53:56.91+00:00

I am using a desktop application on a client pc to communicate with an IIS WCF web service running on a server, using WsHttpBinding to pass over the Windows user credentials. The application has worked well for many years, but now we are trying to have it communicate over HTTPS instead of just HTTP.

On the server side, we add an SSL certificate to the IIS website and change the WCF web.config to use Transport security for the binding definition: 

  <wsHttpBinding>  
    <binding name="WSHttpBinding_IService1">  
      <readerQuotas maxArrayLength="2147483647" />  
      <security mode="Transport" />  
    </binding>  
  </wsHttpBinding>

On the client side, the client object used to connect to the service uses Transport security mode to account for the HTTPS communication mode: 

Dim serverURL as String = ReadServerURL()  
Dim client As Service1Client  
Dim binding As Channels.Binding  
Dim dcso As ServiceModel.Description.DataContractSerializerOperationBehavior  
  
binding = New WSHttpBinding("WSHttpBinding_IService1")  
  
If serverURL.ToLower.StartsWith("https://") Then  
  CType(binding, WSHttpBinding).Security.Mode = SecurityMode.Transport  
Else  
  CType(binding, WSHttpBinding).Security.Mode = SecurityMode.Message  
End If  
  
CType(binding, WSHttpBinding).Security.Message.ClientCredentialType = MessageCredentialType.Windows  
CType(binding, WSHttpBinding).Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows   
  
binding.ReceiveTimeout = New TimeSpan(0, 10, 0)  
  
client = New Service1Client(binding, New EndpointAddress(serverURL))  
  
client.ClientCredentials.Windows.ClientCredential = CType(CredentialCache.DefaultCredentials, NetworkCredential)  
client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation

Some customers use Kerberos to pass the Windows credentials to another server, which is why we use Delegation.

Most customers have opted to use self-signed certificates because they are only using internal servers.

In IIS, the WCF site has Windows Authentication enabled, with both Negotiate and NTLM providers enabled.

122807-image.png

This approach seems to work fine at most customer sites, but at least one is experiencing this error:

The HTTP request is unauthorized with client authentication scheme 'Negotiate. The authentication header received from the server was 'Negotiate oXlwcKADCgEBomkEZ2....oZSQ='.

I am not sure where this alternate 'Negotiate oXlwcK...' provider is coming from in IIS or how to configure the client to properly communicate with it. Is this an IIS configuration issue, an issue with the WCF service code and/or the client application code, or could it be a network/domain issue? Any help is greatly appreciated.

Internet Information Services
.NET
.NET
Microsoft Technologies based on the .NET software framework.
3,363 questions
VB
VB
An object-oriented programming language developed by Microsoft that is implemented on the .NET Framework. Previously known as Visual Basic .NET.
2,569 questions
.NET Runtime
.NET Runtime
.NET: Microsoft Technologies based on the .NET software framework.Runtime: An environment required to run apps that aren't compiled to machine language.
1,118 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Towhidul Islam 0 Reputation points
    2024-03-31T09:13:40.4933333+00:00

    I know this question is old, but the solution to my application, was different to the already suggested answers. If anyone else like me still have this issue, and none of the above answers works, this might be the problem solution:

    

var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
    // Configure transport security
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.Windows;
binding.Security.Transport.Realm = "";

// Configure message security
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;

binding.MaxReceivedMessageSize = 10485760; //10MB limit
EndpointAddress endpointAddress = new EndpointAddress(SSRSReportExecutionUrl);

//Create the execution service SOAP Client
var rsExec = new ReportExecutionServiceSoapClient(binding, endpointAddress);




if (rsExec.ClientCredentials != null)
{

    rsExec.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
    // rsExec.ClientCredentials.Windows.ClientCredential = clientCredentials;
    rsExec.ClientCredentials.UserName.UserName = "Your PC Login USERNAME";
    rsExec.ClientCredentials.UserName.Password = "Your PC Login PASSWORD";
}

//This handles the problem of "Missing session identifier"
rsExec.Endpoint.EndpointBehaviors.Add(new ReportingServicesEndpointBehavior());

await rsExec.LoadReportAsync(null, "/" + "YOUR_REPORT_FOLDER_PATH"+ "/" + "REPORT_NAME", null);

    This Solution

    0 comments