+1  A: 

This is a bit off a curveball, but why is it falling back to NTLM. I've had significant difficulty with security in active directory and WCF all related to service principal names (SPNs).

Kerberos will fail if you are running the service as something other than Network Service unless you have an SPN declared in the domain for your service. To set the SPN you need the windows server administrative kit, which has the command setspn.

setspn -A HTTP\machinename domain\service_account

This will then allow Kerberos to share client credentials to your service within the domain.

Please do some reading, as you could break kerberos for any other services running on the same box depending on your setup.

Spence  2010-09-09 00:28:31
Well it's more that I want it to try Kerberos first and if that fails then use NTLM. I was hoping using Kerberos auth would automatically do this but it doesn't seem to.
Alex Angas  2010-09-09 01:28:44
My first assumption as well. The way to think about it is if any service in the enterprise was trusted, then you could have a rogue service steal credentials, impersonate and do naughty things. The SPN forces the enterprise admin to say that this service is trusted to have your kerberos credential, otherwise don't ask for it.
Spence  2010-09-09 02:11:53
That's good to know. I've reframed the question a little as I don't think it was quite clear. I need the web part to 'auto-select' the correct authentication depending on whether the service is hosted in Kerberos or Windows auth.
Alex Angas  2010-09-21 00:16:20
A: 

I had the same error msg which I posted about here and solved it by creating a dynamic endpoint like so:

public static SiteMembershipSvc.SiteMembershipServiceClient InitialiseSiteMembershipService(string url)
{
    //create endpoint
    EndpointAddress ep = new EndpointAddress(new Uri(string), EndpointIdentity.CreateUpnIdentity("MyDomain\WCFRunAsUser"));
    //create proxy with new endpoint
    SiteMembershipSvc.SiteMembershipServiceClient service = new SiteMembershipSvc.SiteMembershipServiceClient("wsHttp", ep);
    //allow client to impersonate user
    service.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
    //return our shiny new service
    return service;
}

I was running the WCF service as a specific Active Directory user rather than the default NETWORK_SERVICE.

JumpingJezza  2010-09-09 01:10:06
That's cool but I need to pass through the credentials of the current user to the web service.
Alex Angas  2010-09-09 01:29:25
A: 

Try setting:

proxy.ClientCredentials.Windows.AllowNTLM = true;

According to this, AllowNTLM is now obsolete - i'm not sure what the correct alternative is.

Alex Peck  2010-09-09 22:57:56
Luckily I'm using .NET 3.5 where it's not marked obsolete. I'll give it a try - thanks!
Alex Angas  2010-09-09 23:40:58
I checked this out and found that AllowNTLM defaults to true so unfortunately this didn't work. I've updated the question.
Alex Angas  2010-09-21 00:18:44
A: 

I guess you are using the full dns name of the server as the address of the service. Try using the NETBIOS name or the IP address. That should force it to use NTLM.

If you know what protocol the server is using you can configure your app to use either the full name or the ip.

Hope that works for you.

Cosmin Onea  2010-09-22 07:20:16
You're right, I am using the DNS name. That's my only option because the system is load balanced and I forgot to mention that the WCF service is hosted in SharePoint - it will only respond to requests on that DNS name.
Alex Angas  2010-09-23 23:30:01
A: 

If your Kerberos fail it will automatically default to NTLM, you don't have to do anything special.

http://www.windowsecurity.com/articles/Troubleshooting-Kerberos-SharePoint-environment-Part1.html

http://www.windowsecurity.com/articles/Troubleshooting-Kerberos-SharePoint-environment-Part2.html

http://www.windowsecurity.com/articles/Troubleshooting-Kerberos-SharePoint-environment-Part3.html

Inge Henriksen  2010-09-26 15:10:37
This isn't the case. If I specify `HttpClientCredentialType.Windows` I get the error written in the question.
Alex Angas  2010-09-27 00:09:39

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication