Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

The HTTP request is unauthorized with client authentication scheme 'Ntlm'

Tags:

c#

.net

windows

wcf

silverlight

While calling a web service I get the following error:

The HTTP request is unauthorized with client authentication scheme 'NTLM'. The authentication header received from the server was 'NTLM'. The HTTP request is unauthorized with client authentication scheme 'NTLM'. The authentication header received from the server was 'NTLM'.

I have a Silverlight 4 application that calls a WCF web service, both on my IIS (7). my WCF web service calls another ASMX web service, installed on a different web server, using NTLM (Windows Authentication). Both servers, mine and the one hosting the ASMX web service are in the same domain.

When the Silverlight client opens the application from the server using http://localhost/MySiteName everything works fine. But when the Silverlight client opens the application from a different client, which is not the server but still in the same domain, using http://MyServerName/MySiteName then I get the error.

Windows Authentication is enabled in my IIS. Anonymous Authentication is disabled in my IIS.

Binding configuration for calling my WCF web service is:

    <binding name="winAuthBasicHttpBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>

Binding configuration for calling the ASMX web service is:

    <binding name="ClNtlmBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Ntlm" />
      </security>
    </binding>
like image 537
kruvi Avatar asked Feb 07 '11 09:02

kruvi

People also ask

What is http NTLM authentication?

NT LAN Manager (NTLM) authentication is a challenge-response scheme that is a securer variation of Digest authentication. NTLM uses Windows credentials to transform the challenge data instead of the unencoded user name and password. NTLM authentication requires multiple exchanges between the client and server.

Why is NTLM not secure?

NTLM was subject to several known security vulnerabilities related to password hashing and salting. In NTLM, passwords stored on the server and domain controller are not “salted” — meaning that a random string of characters is not added to the hashed password to further protect it from cracking techniques.

Is NTLM authentication same as Windows authentication?

Current applications. NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup. NTLM authentication is also used for local logon authentication on non-domain controllers.

1 Answers

OK, here are the things that come into mind:

  • Your WCF service presumably running on IIS must be running under the security context that has the privilege that calls the Web Service. You need to make sure in the app pool with a user that is a domain user - ideally a dedicated user.
  • You can not use impersonation to use user's security token to pass back to ASMX using impersonation since my WCF web service calls another ASMX web service, installed on a **different** web server
  • Try changing Ntlm to Windows and test again.

OK, a few words on impersonation. Basically it is a known issue that you cannot use the impersonation tokens that you got to one server, to pass to another server. The reason seems to be that the token is a kind of a hash using user's password and valid for the machine generated from so it cannot be used from the middle server.

UPDATE

Delegation is possible under WCF (i.e. forwarding impersonation from a server to another server). Look at this topic here.

like image 76
Aliostad Avatar answered Sep 18 '22 07:09

Aliostad
Sign in to Comment

Related questions

How to open Visual Studio Code with admin privileges to make effect of the installed extensions
Can't get claims from JWT token with ASP.NET Core
Difference between enabled, isActiveAndEnabled and activeInHierarchy in Unity
false-positive: Fix this implementation of IDisposable to conform to the dispose pattern
Breakpoints not being hit in JetBrains Rider?
How to hook up SignalR with an Angular 7 application
Unit Test Custom AuthenticationHandler Middleware
CollectionBase vs generics
Facial recognition/merging software [closed]
Use the [Serializable] attribute or subclassing from MarshalByRefObject?
Is there a way to use TransactionScope with an existing connection?
Is there any way to create indexed events in C# (or some workaround)?
C# - Replace Every UpperCase Letter with Underscore and the Letter
Silverlight 4 Data Binding with anonymous types
Passing array values in an HTTP request in .NET
Entity Framework - Expecting non-empty string for 'providerInvariantName' parameter
Getting/Creating an Outlook Application in Windows 7
Case-insensitive GetMethod?
Design Patterns with C# [closed]
How to Initialize Values to a HashSet<String[,]> in C#

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!