.net – ‘Negotiate’. The authentication header received from the server was ‘Negotiate,NTLM’

authenticationiisnetweb serviceswindows-authentication

I am using Windows Authentication Mode/Negotiate

Server 2012R2 – IIS8.5. windows authentication and asp.Net impersonation is on
WebServer is calling an ASMX on serviceServer

In case if site is hosted on default web site (URL is http:/Test/access.apx) called the Service server asmx working fine.

But if host the website at (http://Test/access.apx) on same and mapped the Domain if http://Test to .
it opened the 1st page but calls to is failing.
Getting following error.

The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'

I tried wireshark intersting
in case of URL is "http:/Test/access.apx)" its sending negotiate security data. but in case of (http://Test/access.apx) its sending NTLM security context.

Also I set the domain to
Delegation to : "Trust this computer for delegation to any service"
than tried with SPN "Trust this account for delegation to any service"
as per
http://blogs.msdn.com/b/chiranth/archive/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis.aspx

Please suggest how to pass the windows authentication/Negotiate context to the asmx in case of non server name websites.
Thanks

Best Answer

In my case I had a http website (A), calling https website (B), which was supposed to call back http website (A). But the problem was that URL address in web.config of B pointed to https, therefore it didn't work.

So I changed binding of original website (A) to https and everything started working.

Visual Studio 2005

Create a new console application project in Visual Studio
Add a "Web Reference" to the Lists.asmx web service.
- Your URL will probably look like: http://servername/sites/SiteCollection/SubSite/_vti_bin/Lists.asmx
- I named my web reference: ListsWebService
Write the code in program.cs (I have an Issues list here)

Here is the code.

using System;
using System.Collections.Generic;
using System.Text;
using System.Xml;

namespace WebServicesConsoleApp
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                ListsWebService.Lists listsWebSvc = new WebServicesConsoleApp.ListsWebService.Lists();
                listsWebSvc.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;
                listsWebSvc.Url = "http://servername/sites/SiteCollection/SubSite/_vti_bin/Lists.asmx";
                XmlNode node = listsWebSvc.GetList("Issues");
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.ToString());
            }
        }
    }
}

Visual Studio 2008

Create a new console application project in Visual Studio
Right click on References and Add Service Reference
Put in the URL to the Lists.asmx service on your server
- Ex: http://servername/sites/SiteCollection/SubSite/_vti_bin/Lists.asmx
Click Go
Click OK
Make the following code changes:

Change your app.config file from:

<security mode="None">
    <transport clientCredentialType="None" proxyCredentialType="None"
        realm="" />
    <message clientCredentialType="UserName" algorithmSuite="Default" />
</security>

To:

<security mode="TransportCredentialOnly">
  <transport clientCredentialType="Ntlm"/>
</security>

Change your program.cs file and add the following code to your Main function:

ListsSoapClient client = new ListsSoapClient();
client.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
XmlElement listCollection = client.GetListCollection();

Add the using statements:

using [your app name].ServiceReference1;
using System.Xml;

Reference: http://sharepointmagazine.net/technical/development/writing-caml-queries-for-retrieving-list-items-from-a-sharepoint-list

C# – The HTTP request is unauthorized with client authentication scheme ‘Ntlm’

OK, here are the things that come into mind:

Your WCF service presumably running on IIS must be running under the security context that has the privilege that calls the Web Service. You need to make sure in the app pool with a user that is a domain user - ideally a dedicated user.
You can not use impersonation to use user's security token to pass back to ASMX using impersonation since my WCF web service calls another ASMX web service, installed on a **different** web server
Try changing Ntlm to Windows and test again.

OK, a few words on impersonation. Basically it is a known issue that you cannot use the impersonation tokens that you got to one server, to pass to another server. The reason seems to be that the token is a kind of a hash using user's password and valid for the machine generated from so it cannot be used from the middle server.

UPDATE

Delegation is possible under WCF (i.e. forwarding impersonation from a server to another server). Look at this topic here.

The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'

Best Answer

Related Solutions

C# – The HTTP request is unauthorized with client authentication scheme ‘Ntlm’ The authentication header received from the server was ‘NTLM’

Visual Studio 2005

Visual Studio 2008

C# – The HTTP request is unauthorized with client authentication scheme ‘Ntlm’

UPDATE

Related Topic