I have a problem with WinForms application connecting to WCF service using NTLM authentication.
<LongStory-optional>
Original application was written by me in 2005 as my first C# code. With small modifications it worked well. Web service was asmx with DataSets. Recently a time has come to upgrade it because of: performance issues and Windows 10 upgrade on client (Crystal Reports 10.5.37 upgrade was required to x64 and there is no official runtime download on SAP site). I've rewrote it using WCF, .NET 4.8, replacing Crystal with library to create Excel files. In developer environment new version works well except 500 code. Rest and .NET Core was not considered (too difficult to explain; not technical reasons).
When user launched new version first immediate problem was "Access denied". Then it was started as administrator. Error code: "The application has failed to start because its side-by-side configuration is incorrect". Then I've tried to get more info in Event Viewer without success: there was no information. sxstrace tool raised access denied. After few days I've got it: I made a comment in config file containing national non-English characters. After removing comment an error 500 during connection has occured.
<\LongStory-optional>
Application makes a call to Verify service which just returns constant value 1.
Error message: "The content type text/html of the response message does not match the content type of the binding (text/xml; charset=utf-8).
If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 75 bytes of the response were:
The page cannot be displayed because an internal server error has occurred." . Https was not used.
Strange thing is that after opening .svc once in IE the error have disappeared until workstation reboot. This proves that client and server are working correctly. In the same time old application doesn't have such an issue. Because of that I've tried to use "Web reference" instead of "Service reference". It appears that "Web reference" works correctly. Next thing I've tried different settings on the client side. I've found that "Service reference" works after this change: client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
With fiddler tool I've found that messages exchange are almost the same except final result: before change I have statuses 401/401/500, after change 401/401/200, the other differences are time and NTLM base64 value, nothing else.
I think that it is not a solution but only a workaround. Do you know how to handle correctly NTLM authentication with WCF?
Essential bits of my code and configuration:
var client = new ServiceClient();
client.ClientCredentials.Windows.ClientCredential.UserName = Dialog1.textBox1.Text;
client.ClientCredentials.Windows.ClientCredential.Domain = Dialog1.textBox2.Text;
client.ClientCredentials.Windows.ClientCredential.Password = Dialog1.textBox3.Text;
try
{
i = client.Verify().Status;
} ...
Configuration:
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="basicEndpoint" sendTimeout="infinite" >
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://wro67zt2/AlsbWebServices/WindService/WindService.svc" binding="basicHttpBinding" bindingConfiguration="basicEndpoint" contract="WindService.IService" name="basicEndpoint"/>
</client>
</system.serviceModel>
I regard that server side configuration is unnecessary. It works well with Web reference so I can assume that everything is ok here. I've tried "Windows" instead "Ntlm" but problem remains the same, it changes string NTLM to Negotiate in request/response messages and also number of messages from 3 to 2 (401/500 or 401/200).
Edit - server configuration:
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.7.2" />
<httpRuntime targetFramework="4.7.2"/>
<globalization culture="en-GB" requestEncoding="utf-8" responseEncoding="utf-8"/>
<pages controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID"/>
<identity impersonate="false" />
</system.web>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="basicBinding" >
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" realm="XXXXX"/>
<message clientCredentialType="UserName" algorithmSuite="Default"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="WindService.Behavior" name="WindLibrary.Service">
<endpoint
address=""
binding="basicHttpBinding"
bindingConfiguration="basicBinding"
name="basicEndpoint"
bindingNamespace="http://XXXXX.com/services/prime/"
contract="WindLibrary.IService">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="WindService.Behavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<add scheme="http" binding="basicHttpBinding" bindingConfiguration="HttpBinding" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<directoryBrowse enabled="false"/>
</system.webServer>
</configuration>