WCF: Getting MessageSecurityException while calling webservice

Time flies and it looked like it was yesterday that i wrote my last post. Last couple of months have been very busy, so blogging was put on hold but everytime i got a case that i believe i should talk about it, i kept it. So expect a burst on posts.

Yesterday, I and a co-worker were troubleshooting an strange issue that didn´t occur in dev but in staging (if i get a cent every time i ear this) a MessageSecurityException was being thrown stating unauthorized access. If we allowed Anonymous Access then no exception was being thrown. Below is the scenario.

 Scenario

  • Single Machine environment
  • Windows 2003 and IIS6
  • Both WebApp and WebService on same pool and running under an account with privileges
  • WebApp calling locally WebService
  • Integrated Authentication (Anonymous not allowed)

Details

So, we decided to take a memory dump on System.ServiceModel.Security.MessageSecurityException using DebugDiag.(http://www.microsoft.com/downloadS/details.aspx?FamilyID=28bd5941-c458-46f1-b24d-f60151d875a3&displaylang=en)

Lets look at the faulting thread

0:025> !clrstack

OS Thread Id: 0x37c (25)

ESP EIP

1c44ec54 77e4bee7 [HelperMethodFrame: 1c44ec54]

1c44ecf8 1ba39e6d System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication

1c44ed1c 1af83ec3 System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(System.Net.HttpWebRequest, System.Net.HttpWebResponse, System.ServiceModel.Channels.HttpChannelFactory, System.Net.WebException)

1c44ed50 1af83e4e System.ServiceModel.Channels.HttpChannelFactory+HttpRequestChannel+HttpChannelRequest.WaitForReply(System.TimeSpan)

1c44ed90 1af82f24 System.ServiceModel.Channels.RequestChannel.Request(System.ServiceModel.Channels.Message, System.TimeSpan)

1c44ee04 1af82da7 System.ServiceModel.Dispatcher.RequestChannelBinder.Request(System.ServiceModel.Channels.Message, System.TimeSpan)

1c44ee18 1af95cb2 System.ServiceModel.Channels.ServiceChannel.Call(System.String, Boolean, System.ServiceModel.Dispatcher.ProxyOperationRuntime, System.Object[], System.Object[], System.TimeSpan)

1c44ef48 1af95af3 System.ServiceModel.Channels.ServiceChannel.Call(System.String, Boolean, System.ServiceModel.Dispatcher.ProxyOperationRuntime, System.Object[], System.Object[])

1c44ef68 1af95a03 System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(System.Runtime.Remoting.Messaging.IMethodCallMessage, System.ServiceModel.Dispatcher.ProxyOperationRuntime)

1c44ef8c 1af978e5 System.ServiceModel.Channels.ServiceChannelProxy.Invoke(System.Runtime.Remoting.Messaging.IMessage)

1c44efd0 792c128d System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(System.Runtime.Remoting.Proxies.MessageData ByRef, Int32)

1c44f270 79e71e04 [TPMethodFrame: 1c44f270]

Now, lets look at exception details

0:025> !pe

Exception object: 0e92a348

Exception type: System.ServiceModel.Security.MessageSecurityException

Message: The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'.

InnerException: System.Net.WebException, use !PrintException 0e929790 to see more

StackTrace (generated):

<none>

StackTraceString: <none>

HResult: 80131501

 

025> !pe 0e929790

Exception object: 0e929790

Exception type: System.Net.WebException

Message: The remote server returned an error: (401) Unauthorized.

InnerException: <none>

StackTrace (generated):

SP IP Function

1C44ED10 7AA9918E System_ni!System.Net.HttpWebRequest.GetResponse()+0x51123e

1C44ED50 1AF83D97 System_ServiceModel_ni!System.ServiceModel.Channels.HttpChannelFactory+HttpRequestChannel+HttpChannelRequest.WaitForReply(System.TimeSpan)+0x37

 

StackTraceString: <none>

HResult: 80131509

Also in IIS Logs we could see 401.1 unauthorized.

In our case the solution was to install security update 957097. More details, info on workaround or download update at

http://support.microsoft.com/default.aspx?scid=kb;EN-US;896861 (You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6)

After doing this we decided to look at dev environment, and surprise, this update was installed.

I know you all have eared this before, so here it goes again: it is very important to keep environments (dev, stage, production) the most similar to the extent possible.

 

Have fun.

Bruno