I am attempting to consume an intranet web service with WCF. I added a reference to the service via the Add Service Reference feature in VS2008. In doing so I was prompted for network credentials to access the service, which I provided, and the service reference was added.

I then wrote some code that I would expect to fail as it doesn't pass credentials along with the call of the service:

FooServiceClient proxy = new FooServiceClient();
bool isValid = proxy.ValidateBar(baz);

When I use this code I receive the exception:
The HTTP request is unauthorized with client authentication scheme 'Negotiate'.
The authentication header received from the server was 'Basic realm="Kerberos"'.

Which is the same error I receive when using either of the two code examples below.

FooServiceClient proxy = new FooServiceClient();
proxy.ClientCredentials.UserName.UserName = "USERNAME";
proxy.ClientCredentials.UserName.Password = "PASSWORD";
bool isValid = proxy.ValidateBar(baz);

or

FooServiceClient proxy = new FooServiceClient();

NetworkCredential creds = new NetworkCredential("USERNAME", "PASSWORD");

proxy.ClientCredentials.Windows.AllowedImpersonationLevel =
  TokenImpersonationLevel.Identification;
proxy.ClientCredentials.Windows.AllowNtlm = false;
proxy.ClientCredentials.Windows.ClientCredential = creds;

bool isValid = proxy.ValidateBar(baz);

My gut tells me that I have the security mode configured incorrectly. According to the server manager the end point that I am attempting to bind to is looking for a Basic Http Credential via SSL. Which after reading about WCF-BasicHttp Transport Properties led me to believe that I should use this configuration:

<security mode="Transport">
  <transport clientCredentialType="Windows" />
  <message clientCredentialType="UserName" algorithmSuite="Default" />
</security>

Unfortunately, I continued to receive the same error.

Again, I am sure my troubles have to do with a configuration issue on my part as I've previously consumed this service in other projects with the outdated Add Web Reference.

+2  A: 

You have to really understand what the endpoint on the other end is configured under. If it is self hosted and running under SSL then it should be Transport, but if it's running under IIS with SSL then it could possibly be TransportWithMessageCredentials and the Transport credentials might be "None".

It is very tricky to get this to bind correctly.

As far as the Exception you are getting

The provided URI scheme 'https' is invalid; expected 'http'. Parameter name:

When you use TransportCredentialOnly you have to use HTTP binding rather than HTTPS, and I am sure you didn't change your endpoint address to HTTP because that's not what the service reference is.

Stan R.
+1  A: 

What binding are you using for your intranet scenario? The recommended best practice would be NetTCP with transport security and Windows credentials (assuming all your callers are intranet-clients with an account in your corporate Active Directory)

That would avoid any of the http/https mess.

However, to host netTcp, you either need WAS (Windows Process Activation Server), which is part of IIS7 and only runs on Windows Server 2008 (Vista Server) or 2008 R2 (Win7 Server), or you need to host your service yourself, e.g. in an NT Service.

Lots of information still missing! Please update your question accordingly. Thanks!

marc_s
Added end point clarification. Any help is greatly appreciated.
ahsteele
A: 

The below WCF binding configuration ended up being the solution.

<security mode="Transport">
  <transport clientCredentialType="Basic" proxyCredentialType="None"
     realm="" />
  <message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
ahsteele
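
Added example, not part of the original thread: the accepted binding built in code, with the transport credential type chosen from the scheme named in the server's authentication header (the quoted part of the exception text). `IFooService`, `FooClientFactory` and the parameter names are hypothetical; a real contract must carry the service's own name and namespace.

```csharp
using System;
using System.ServiceModel;

// Hypothetical contract standing in for the generated FooServiceClient proxy.
[ServiceContract]
public interface IFooService
{
    [OperationContract]
    bool ValidateBar(string baz);
}

public static class FooClientFactory
{
    // Map the scheme the server advertises in its authentication header
    // (e.g. 'Basic realm="Kerberos"') to the matching clientCredentialType.
    public static HttpClientCredentialType FromChallenge(string wwwAuthenticate)
    {
        string scheme = wwwAuthenticate.Trim().Split(' ')[0];
        switch (scheme.ToLowerInvariant())
        {
            case "basic":     return HttpClientCredentialType.Basic;
            case "digest":    return HttpClientCredentialType.Digest;
            case "ntlm":      return HttpClientCredentialType.Ntlm;
            case "negotiate": return HttpClientCredentialType.Windows;
            default: throw new NotSupportedException("Unhandled scheme: " + scheme);
        }
    }

    public static IFooService Create(Uri address, string challenge, string user, string password)
    {
        // Transport mode means TLS; Basic sends the password base64-encoded on every call.
        if (address.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Transport security requires an https endpoint.");

        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = FromChallenge(challenge);

        var factory = new ChannelFactory<IFooService>(binding, new EndpointAddress(address));
        // With Basic, WCF reads the credentials from the UserName client credential.
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }
}
```

With the header from the question, `FromChallenge("Basic realm=\"Kerberos\"")` yields `HttpClientCredentialType.Basic`, while a client left at `Windows` answers with Negotiate, which is the mismatch the exception reports.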