Thursday, 12 November 2009

WCF Fix - The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'NTLM'.

I thought I'd done a post on this error previously, but I double-checked Google and I obviously hadn't.

The Problem
When calling WSS / SharePoint web services (such as Lists.asmx) via WCF, you will normally get this error if you leave the settings as configured by the “Add Service Reference Wizard”:

“The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'NTLM'.”

The Solution

You must specify a non-anonymous impersonation level for your ClientCredentials. Just specifying a username and password for your WCF Service reference's ClientCredentials.UserName.UserName and ClientCredentials.UserName.Password is not sufficient to resolve the problem.

In particular, when the SharePoint server is on a different domain:

ServiceReference1.ListsSoapClient client = new ServiceReference1.ListsSoapClient();
// Explicit credentials are needed because the server is in another domain.
client.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential("username", "password", "domain");
// Identification lets the server identify the caller but not impersonate it.
client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Identification;
client.GetListCollection();


Of course, when the client and server are on the same domain, you don’t have to pass in the Windows.ClientCredential information. You can also set the above values in app.config configuration elements rather than code, but I won't cover that here.

You can use any of the following levels (listed in descending order of security):
System.Security.Principal.TokenImpersonationLevel.Identification
System.Security.Principal.TokenImpersonationLevel.Impersonation
System.Security.Principal.TokenImpersonationLevel.Delegation

Details on these impersonation levels can be found at: http://msdn.microsoft.com/en-us/library/system.security.principal.tokenimpersonationlevel.aspx

Config Changes


<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="ListsSoap">
          <!-- TransportCredentialOnly authenticates the client at the HTTP level
               but provides no message integrity or confidentiality. -->
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Ntlm" proxyCredentialType="None"
                       realm="" />
            <message clientCredentialType="UserName" algorithmSuite="Default" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://servername/_vti_bin/Lists.asmx"
                binding="basicHttpBinding" bindingConfiguration="ListsSoap"
                contract="ServiceReference1.ListsSoap" name="ListsSoap1" />
    </client>
  </system.serviceModel>
</configuration>
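
A code-only equivalent of the binding above, combined with the credential settings from the Solution section, so the same setup can be applied to more than one generated client. This is an added example, not code from the original post; SharePointClientSetup, CreateBinding and Configure are hypothetical names, and it goes beyond the post by switching to Transport security when the endpoint is https.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;

// Added example; class and method names are hypothetical.
public static class SharePointClientSetup
{
    // Builds the same binding as the "ListsSoap" configuration element.
    public static BasicHttpBinding CreateBinding(Uri endpoint)
    {
        // TransportCredentialOnly only works for http:// and sends the NTLM
        // exchange and the SOAP payload without encryption. For an https://
        // endpoint, Transport keeps NTLM but runs it inside TLS.
        BasicHttpSecurityMode mode = endpoint.Scheme == Uri.UriSchemeHttps
            ? BasicHttpSecurityMode.Transport
            : BasicHttpSecurityMode.TransportCredentialOnly;

        var binding = new BasicHttpBinding(mode);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
        binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.None;
        return binding;
    }

    // Applies the Windows credential settings to any generated WCF client.
    // Pass null for credential when client and server share a domain, so the
    // caller's logon identity is used instead of an explicit account.
    public static void Configure<TChannel>(
        ClientBase<TChannel> client, NetworkCredential credential)
        where TChannel : class
    {
        if (credential != null)
            client.ClientCredentials.Windows.ClientCredential = credential;

        // Least-privileged level that still authenticates: the server can
        // identify the caller but cannot act on the caller's behalf.
        client.ClientCredentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Identification;
    }
}

// Usage with the generated proxy from this post:
//   var address = new Uri("http://servername/_vti_bin/Lists.asmx");
//   var client = new ServiceReference1.ListsSoapClient(
//       SharePointClientSetup.CreateBinding(address), new EndpointAddress(address));
//   SharePointClientSetup.Configure(client,
//       new NetworkCredential("username", "password", "domain"));
//   client.GetListCollection();
```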

20 comments:

Hardy said...

I used similar code to call to CRM4.0 service in a different domain, but I still did not make it work. I got message "The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.".

pranam said...

Hi David,
You really saved my day today

I used the same security settings NTLM for my web.config file.
It resolved the error which I used to get:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'

DRU said...

Thanks David,

You really saved a lot of my time with this post!
Your solution worked for me.

Best regards,
Dmitry

mknopf said...

thanks a ton man, saved me from pulling my hair out on this one.

John said...

Thanks a million, this really helped me!

Kjell W. said...

Great post! Saved me a lot of time.

Thanks!!

Ravi said...

Thanks David, you saved my time.

kaviya Balasubramanian said...

After changing it all, it showed the following error.
Could not load file or assembly 'Indx.Xhq.Client.Solution, Version=100.38.0.4, Culture=neutral, PublicKeyToken=145342ae5acb8abb' or one of its dependencies. Access is denied.

Could you please help out with this?

Amandeep Sharma said...

Thank you

You saved a lot of my time. Your blog is really helpful

Anything Interesting said...

Saved my time too..

Sihle Dlamini said...

You saved my behind, thanks :-)

BlogBrett said...

Still didn't fix it for me :(

Shconer Design said...

Can I set the default credential programmatically? I use multiple WCF clients with NTLM authentication, so I can set the credential once for all WCF clients.

Julka Hendri said...

Can I set the default credential programmatically? I use multiple WCF clients with NTLM authentication, so I can set the credential once for all WCF clients.

Azam Murtuza said...

Thanks this helped a lot, I was using basic authentication, so only used the web.config part and provided user Id and Password like this:

MyService client = new MyService();

client.ClientCredentials.UserName.UserName = @"domain\UserName";
client.ClientCredentials.UserName.Password = "Password";
var response = client.GetCurrentTransmissions("F2FD76FD-5DF7-4915-972D-703C403F932E");

And My web.config looks like this :

"







"

thetmyo naing said...

How to call without username and password? But I will use Windows authentication. Please.