question

Janet90-6741 asked JiayaoWu-MSFT commented

HTTP and HTTPS / The HTTP request was forbidden with client authentication scheme 'Negotiate'. (403) Forbidden.

Hi,

Can someone please kindly help a young lady with low skills in setting up web services with some kind, detailed advice, please?

I am getting an error:

System.ServiceModel.Security.MessageSecurityException: 'The HTTP request was forbidden with client authentication scheme 'Negotiate'.'

WebException: The remote server returned an error: (403) Forbidden.

The funny thing is that if I use the link as "HTTPS" in an Internet browser I can open the service, but not as "HTTP".

I have tried to change it to HTTPS in the config file, but it does not work and asks for some sort of URI to be set up.

I have tried to change security from "Windows" to "Ntlm", and even set it to "None" in the C# program code, but I had no luck. The scheme just changes to "Anonymous" and access is still forbidden.

The config file looks like this:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
    </startup>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="NDataAccessSoap" />
            </basicHttpBinding>
            <customBinding>
                <binding name="NDataAccessSoap12">
                    <textMessageEncoding messageVersion="Soap12" />
                    <httpTransport />
                </binding>
            </customBinding>
        </bindings>
        <client>
            <endpoint address="http://XXXXX/YYYYY/VVVVV.asmx"
                binding="basicHttpBinding" bindingConfiguration="NDataAccessSoap"
                contract="devCARE.NDataAccessSoap" name="NDataAccessSoap" />
            <endpoint address="http://XXXXX/YYYYY/VVVVV.asmx"
                binding="customBinding" bindingConfiguration="NDataAccessSoap12"
                contract="devCARE.NDataAccessSoap" name="NDataAccessSoap12" />
        </client>
    </system.serviceModel>
    <connectionStrings>
        <add name="CARELive_ConnectionString" connectionString="Data Source=SERVER1;Initial Catalog=DATABASE1;Integrated Security=True;" />
        <add name="CARE_UserDefined_ConnectionString" connectionString="Data Source= SERVER2;Initial Catalog=DATABASE2;Integrated Security=True;" />
        <add name="CAREUserDefined_DEV_ConnectionString" connectionString="Data Source=SERVER3;Initial Catalog=DATABASE3;Integrated Security=True;" />
    </connectionStrings>
    <appSettings>
        <add key="DeleteWebService_RunFile_Path"  value="\\ZZZ\Run.txt"/>
        <add key="DeleteWebService_URL"  value="http://XXXXX/YYYYY/VVVVV.asmx"/>
        <add key="GetContactsForDeletion_SPName"  value="dbo.sp_1"/>
        <add key="WritToLog_SPName"  value="dbo.sp_2"/>
        <add key="CheckRecordAfterWSDelete_SPName"  value="dbo.sp_3"/>
        <add key="Public_Delete_SPName"  value="dbo.sp_4"/>
        <add key="ShowOutput" value ="Y"/>
        <add key="KeepOutputWindowOpen" value ="N"/>
    </appSettings>
</configuration>

The C# console application code looks like this:

using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.ServiceModel;

static void Main(string[] args)
{
    // Binding built in code: TransportCredentialOnly sends the client
    // credentials over plain HTTP (no TLS), here with the NTLM scheme.
    BasicHttpBinding binding = new BasicHttpBinding();
    binding.MaxBufferPoolSize = 65535;
    binding.MaxBufferSize = 65535;
    binding.MaxReceivedMessageSize = 65535;
    binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;

    // The service URL is read from appSettings, not from the <client> endpoints.
    var endpoint = new EndpointAddress(ConfigurationManager.AppSettings["DeleteWebService_URL"].ToString());
    //string showOutput = ConfigurationManager.AppSettings["ShowOutput"].ToString();
    string sKeepWindowOpen = ConfigurationManager.AppSettings["KeepOutputWindowOpen"].ToString();

    devCARE.NDataAccessSoapClient service = new devCARE.NDataAccessSoapClient(binding, endpoint);
    var database = service.GetAvailableDatabases(string.Empty).ToString();

    if (sKeepWindowOpen.ToUpper() == "Y")
        Console.ReadLine();
}

static private void TESTPublicDelete(string pPublic_Delete)
{
    SqlConnection sqlConn = null;
    SqlCommand sqlComm = null;

    string sCareConnection = ConfigurationManager.ConnectionStrings["CARE_UserDefined_ConnectionString"].ConnectionString;
    string sRecordsForDeletionSP = ConfigurationManager.AppSettings["TestSP"].ToString();

    try
    {
        sqlConn = new SqlConnection(sCareConnection);
        sqlComm = new System.Data.SqlClient.SqlCommand(sRecordsForDeletionSP, sqlConn);
        sqlComm.CommandType = CommandType.StoredProcedure;
        sqlConn.Open();
        sqlComm.ExecuteNonQuery();
    }
    catch (Exception ex)
    {
        // The error message is captured here but not reported anywhere.
        string err = ex.Message;
    }
    finally
    {
        // Either object can still be null if its constructor threw.
        if (sqlComm != null)
            sqlComm.Dispose();
        if (sqlConn != null)
        {
            if (sqlConn.State == ConnectionState.Open)
                sqlConn.Close();
            sqlConn.Dispose();
        }
    }
}

Thank you very much,

Jane.

Tags: dotnet-csharp, dotnet-cli, windows-wcf, dotnet-aspnet-core-security

Your code is very confusing. It looks like you are trying to consume an existing ASMX service? But the configuration looks like WCF? Why are you manually configuring a connection when Visual Studio can create a service reference (proxy)? You can simply call methods on the SOAP service directly through the code-generated proxy.

If you are not forced to use SOAP services then I recommend Web API which is a modern REST service and much easier to use. SOAP services like ASMX and WCF are older technologies. If you are creating a new service then implement Web API.


0 Votes 0 ·

Please first check the IIS log files to see exactly what the status code/substatus code was for that 403 error response (see https://docs.microsoft.com/en-us/troubleshoot/iis/http-status-code). If you hit things like 403.4 or 403.5, then that's desired.

0 Votes 0 ·
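
The sub-status lookup suggested in the comment above, as an added example that is not part of the thread: it reads an IIS W3C log, picks out the 403 entries and labels each `sc-substatus` value. The log lines are constructed sample data (the path reuses the question's placeholder URL), and the meanings are a subset of the table in the linked Microsoft status code reference.

```python
# Added example: triage 403 responses in an IIS W3C log by sub-status code.
# SAMPLE_LOG is constructed sample data, not output from the asker's server.

# Subset of the 403 sub-status meanings from Microsoft's IIS status code reference.
SUBSTATUS_403 = {
    4: "SSL required: the URL must be requested over https://",
    5: "SSL 128 required",
    7: "Client certificate required",
    16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem s-port cs-username sc-status sc-substatus sc-win32-status
2021-03-01 10:15:02 POST /YYYYY/VVVVV.asmx 80 - 403 4 5
2021-03-01 10:15:40 GET /YYYYY/VVVVV.asmx 443 - 200 0 0
2021-03-01 10:16:11 POST /YYYYY/VVVVV.asmx 443 - 403 16 2148204809
"""


def forbidden_requests(log_text):
    """Return one dict per 403 entry, using the #Fields header for column names."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header reappears when logging restarts
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != "403":
            continue
        sub = int(row.get("sc-substatus", "0"))
        hits.append({
            "time": f'{row.get("date", "")} {row.get("time", "")}'.strip(),
            "url": row.get("cs-uri-stem", ""),
            "port": row.get("s-port", ""),
            "code": f"403.{sub}",
            "meaning": SUBSTATUS_403.get(sub, "see the IIS status code reference"),
        })
    return hits


if __name__ == "__main__":
    for hit in forbidden_requests(SAMPLE_LOG):
        print(hit["time"], hit["port"], hit["url"], hit["code"], hit["meaning"])
```
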

Hi @Janet90-6741 ,
I have a few suggestions about this problem:

  1. You can start by looking at the detailed log of errors reported first. The log information you provide is not enough to be accurate.

  2. Check that the network and service references are correct and available.

  3. You may inspect LocalComputer\Trusted Root Certification Authorities on the server side and remove any NON-ROOT CAs (i.e. those that should not be there, IssuedTo NOT EQUALS IssuedBy). The client cert itself did not need to be installed on the server; only a Root CA that can validate it has to be installed in LocalComputer\Trusted Root Certification Authorities on the server side.


0 Votes 0 ·

1 Answer

cooldadtx answered

The error indicates an authentication mismatch. To figure this out you need to start with the server side. There is a good write-up on WCF authentication here. The Negotiate scheme indicates that the client and server will negotiate between the legacy NTLM and modern Kerberos protocols. This pretty much indicates that you're using Windows auth to me.

Let's start with that devCARE client type you have. Where did you get it? If you installed a third party library that added it then you'll have to look in the docs for it to see how to configure. If you instead used VS's Service Reference feature then your work is pretty much done. You just need to clean up your code.

If you are using Service Reference then get rid of all that configuration code in your Main function. You should be able to just create an instance of the client and call it. It should automagically pull its configuration data from your app's configuration file (app.config) correctly and work.

If you are not using a Service Reference then you have to build that configuration by hand. You'll want to put it in your app.config file so you can make changes without recompiling your code. Therefore you're still going to remove all the code from Main outside the creation of the client itself. To get the configuration settings to use requires some work. Again, a Service Reference will auto-generate all this for you and is easiest, but if you cannot go that route then it is a manual process of trial and error.

Take a look at the WCF service you're trying to call. Ideally if you have the code then look there but if it isn't your service then use the WcfTestClient that is installed as part of VS to connect to the endpoint instead. Once you successfully connect then you can right click the endpoint in the test client and see what configuration they are using. Copy this configuration information into your client app's configuration file. Once you've copied the configuration changes into your app.config then you can remove all that configuration code you wrote in the Main function.

When you're done your Main function should be something simple like this.

static void Main(string[] args)
{
    string sKeepWindowOpen = ConfigurationManager.AppSettings["KeepOutputWindowOpen"].ToString();

    //Should pull configuration from your app.config file. Might need to pass it the name of the endpoint in the config though
    //using (devCARE.NDataAccessSoapClient service = new devCARE.NDataAccessSoapClient("endpointnamefromconfig"))
    using (devCARE.NDataAccessSoapClient service = new devCARE.NDataAccessSoapClient())
    {
        var database = service.GetAvailableDatabases(string.Empty).ToString();
        if (sKeepWindowOpen.ToUpper() == "Y")
            Console.ReadLine();
    }
}


Note that clients, especially if you installed a library to get it, can be quite different in their configuration so without additional information we'll just be guessing at exactly how to get this code to compile correctly for you.
