While calling a web service I get the following error:
The HTTP request is unauthorized with client authentication scheme 'NTLM'. The authentication header received from the server was 'NTLM'.
I have a Silverlight 4 application that calls a WCF web service, both on my IIS (7). My WCF web service calls another ASMX web service, installed on a different web server, using NTLM (Windows Authentication). Both servers, mine and the one hosting the ASMX web service, are in the same domain.
When the Silverlight client opens the application from the server using http://localhost/MySiteName
everything works fine. But when the Silverlight client opens the application from a different client, which is not the server but still in the same domain, using http://MyServerName/MySiteName
then I get the error.
Windows Authentication is enabled in my IIS. Anonymous Authentication is disabled in my IIS.
Binding configuration for calling my WCF web service is:
<binding name="winAuthBasicHttpBinding">
  <security mode="TransportCredentialOnly">
    <transport clientCredentialType="Windows" />
  </security>
</binding>
Binding configuration for calling the ASMX web service is:
<binding name="ClNtlmBinding">
  <security mode="TransportCredentialOnly">
    <transport clientCredentialType="Ntlm" />
  </security>
</binding>
OK, here are the things that come into mind:
my WCF web service calls another ASMX web service, installed on a **different** web server
Ntlm to Windows and test again.
OK, a few words on impersonation. Basically it is a known issue that you cannot use the impersonation tokens that you got to one server, to pass to another server. The reason seems to be that the token is a kind of a hash using user's password and valid for the machine generated from so it cannot be used from the middle server.
Delegation is possible under WCF (i.e. forwarding impersonation from a server to another server). Look at this topic here.
Thanks. When I set a domain user to the app pool it works well, but now all my calls to the WS are executed under the app pool domain user. Can't I call the ASMX WS using impersonation, so the call is executed under the client's user security token?
BTW, I forgot to mention that when using impersonation with a specific user (the same user that is logged in to the client) everything works well:
client = new ClCustomersServiceClient();
client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("username", "password", "domain");
response = client.ClCustomersQuery(request);
Well, you are using username password on the WCF server to impersonate on the ASMX server. This is possible but you cannot pass the Windows authentication used to get to WCF, to get to ASMX.
Aliostad - Thanks for your help.
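The delegation route mentioned in the answer, sketched as an added example (not code from the thread): a hypothetical `DelegationGuard` helper for the middle-tier WCF service that runs the ASMX call under the caller's token and fails fast when that token cannot be forwarded. It assumes the ASMX binding uses `clientCredentialType="Windows"` so Kerberos can be negotiated, and that the app pool account is trusted for delegation to the ASMX host's SPN in Active Directory.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical helper, not part of WCF or of the thread's code.
public static class DelegationGuard
{
    // Runs backEndCall (e.g. the ASMX proxy call) as the authenticated caller.
    public static T CallBackEndAsCaller<T>(Func<T> backEndCall)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.WindowsIdentity == null || ctx.IsAnonymous)
            throw new FaultException("Caller was not authenticated with Windows credentials.");

        WindowsIdentity caller = ctx.WindowsIdentity;

        // An NTLM logon yields an Impersonation-level token, which is valid on
        // this machine only. Only a Kerberos logon with delegation allowed
        // yields a Delegation-level token that a second server will accept.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new FaultException(string.Format(
                "Cannot forward identity: auth type '{0}', token level '{1}'. " +
                "Kerberos with delegation is required for the second hop.",
                caller.AuthenticationType, caller.ImpersonationLevel));
        }

        // Impersonate only for the duration of the outbound call, then revert
        // to the app pool identity when the context is disposed.
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            return backEndCall();
        }
    }
}

// Usage inside the WCF operation, with the proxy from the thread:
//   var client = new ClCustomersServiceClient();
//   response = DelegationGuard.CallBackEndAsCaller(
//       () => client.ClCustomersQuery(request));
```

When the guard throws with auth type NTLM for remote clients but not for localhost, the first hop is not using Kerberos, which matches the behaviour described in the question.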