WCF service call - problem when behind ISA Server proxy

Discussion in 'ASP .Net Web Services' started by SESDev, May 14, 2009.

  1. SESDev

    SESDev Guest

    We have a WCF service which works just fine until it has to call through a
    proxy server and then we're having problems.


    Network with ISA Server acting as proxy, notebook attached to network - not
    part of the domain but using a domain account to authenticate with the ISA
    Server for Internet access.


    We have a small application that performs some local tasks and then calls an
    IIS hosted WCF service to update stats essentially.

    When outside of the above setup (i.e. in the development environment which
    has no such proxy) all works just fine and the stats are updated with the WCF
    service call.

    When on the notebook and behind the proxy we are getting problems. Firstly
    we were not using the default proxy and getting an error:

    System.ServiceModel.ProtocolException: The remote server returned an
    unexpected response: (407) Proxy Authentication Required ( The ISA Server
    requires authorization to fulfill the request. Access to the Web Proxy
    service is denied. ). ---> System.Net.WebException: The remote server
    returned an error: (407) Proxy Authentication Required.
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---


    After adding the following to the app.config

    <system.net>
      <defaultProxy useDefaultCredentials="true">
        <proxy autoDetect="True"/>
      </defaultProxy>
    </system.net>


    We now get the following error:

    System.ServiceModel.Security.SecurityNegotiationException: The caller was
    not authenticated by the service. ---> System.ServiceModel.FaultException:
    The request for security token could not be satisfied because authentication
    failed.
       at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
       --- End of inner exception stack trace ---



    My biggest problem is that I am remote to the network and do not have direct
    access - I have someone on the inside as my hands & eyes, so debugging has
    been a slow process.


    <system.serviceModel>

      <diagnostics>
        <messageLogging maxMessagesToLog="30000"
                        logEntireMessage="true"
                        logMessagesAtServiceLevel="false"
                        logMalformedMessages="true"
                        logMessagesAtTransportLevel="true">
        </messageLogging>
      </diagnostics>

      <bindings>
        <wsHttpBinding>

          <binding name="WSHttpBinding_IDEService"
                   closeTimeout="00:01:00"
                   openTimeout="00:05:00" receiveTimeout="00:10:00"
                   sendTimeout="00:05:00"
                   bypassProxyOnLocal="false" transactionFlow="false"
                   hostNameComparisonMode="StrongWildcard"
                   maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                   messageEncoding="Text" textEncoding="utf-8"
                   useDefaultWebProxy="true"
                   allowCookies="false">
            <readerQuotas maxDepth="32"
                          maxStringContentLength="8192" maxArrayLength="16384"
                          maxBytesPerRead="4096" maxNameTableCharCount="16384"
                          />
            <reliableSession ordered="true"
                             inactivityTimeout="00:10:00"
                             enabled="false" />
            <security mode="Message">
              <transport clientCredentialType="Windows"
                         proxyCredentialType="None"
                         realm="" />
              <message clientCredentialType="Windows"
                       negotiateServiceCredential="true"
                       algorithmSuite="Default"
                       establishSecurityContext="true" />
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>
      <client>
        <endpoint
            address="http://dev.thedomain.com/DEService/DEService.svc"
            binding="wsHttpBinding"
            bindingConfiguration="WSHttpBinding_IDEService"
            contract="SESDEService.IDEService"
            name="WSHttpBinding_IDEService">
          <identity>
            <dns value="localhost" />
          </identity>
        </endpoint>
      </client>
    </system.serviceModel>

    <system.diagnostics>
      <sources>
        <source name="System.ServiceModel" switchValue="Warning, ActivityTracing" propagateActivity="true" >
          <listeners>
            <add name="xml" />
          </listeners>
        </source>
        <source name="System.ServiceModel.MessageLogging" switchValue="Warning">
          <listeners>
            <add name="xml" />
          </listeners>
        </source>
      </sources>
      <sharedListeners>
        <add name="xml" type="System.Diagnostics.XmlWriterTraceListener"
             initializeData="c:\temp\TaskRunner.svclog" />
      </sharedListeners>
      <trace autoflush="true" />
    </system.diagnostics>


    <system.net>
      <defaultProxy useDefaultCredentials="true">
        <proxy autoDetect="True"/>
      </defaultProxy>
    </system.net>

    We've tried the various (5) options for proxyCredentialType="???" with no
    success for any of them. I've also noticed that the binding.ProxyAddress is
    not set on the client (when outputting it in code).

    I've added tracing to the client app and can provide the trace (I am not
    quite sure what to do with that - any help is greatly appreciated) -
    http://www.swiftest.com/taskrunner.zip

    Please help asap!!

    --
    SES Development
    SESDev, May 14, 2009
    #1

  2. SESDev

    SESDev Guest

    I don't think that's the right direction to be looking in for this problem -
    we may have clients who run without a proxy server and as such can configure
    their client accordingly (as per the dev machines which work).

    I am aware that certain changes should be reflected in the configuration on
    both the client and the hosting server, but I would not think that something
    such as using a proxy (MS ISA Server in this case) at the client end would
    require changes on the server.

    Surely the whole idea behind configuration of WCF is to allow such
    differences to be changed on the client in the app.config file?



    --
    SES Development



    "Mr. Arnold" wrote:

    >
    > > After adding the following to the app.config
    > >
    > > <system.net>
    > > <defaultProxy
    > > useDefaultCredentials="true">
    > > <proxy autoDetect="True"/>
    > > </defaultProxy>
    > > </system.net>
    > >
    > >
    > > We now get the following error:
    > >
    > > System.ServiceModel.Security.SecurityNegotiationException: The caller was
    > > not authenticated by the service. ---> System.ServiceModel.FaultException:
    > > The request for security token could not be satisfied because
    > > authentication
    > > failed.
    > > at
    > > System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message
    > > message, EndpointAddress target)
    > > at
    > > System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message
    > > incomingMessage, SspiNegotiationTokenProviderState sspiState)
    > > --- End of inner exception stack trace ---
    > >

    >
    >
    > Your error message kind of indicates that you have to make the same changes
    > in the app.config on the WCF service side that you made to the WCF client
    > side app.config.
    >
    > This is not your particular situation in the link provided. However, it is
    > talking about under what type of conditions that you must deal with the WCF
    > client and service side config files so that they contain the same
    > information on both sides.
    >
    > <http://blog.scorpiotek.com/2009/01/02/how-to-increase-the-maxarraylength-in-a-wcf-component/>
    SESDev, May 14, 2009
    #2

  3. SESDev

    Steven Cheng Guest

    Hi sesdev,

    From your description and the error call stack you provided, I think the
    problem you encountered is that your client machine is calling the WCF
    service outside a firewall/ISA server which demands proxy
    authentication (and your client's local logon account is not sufficient to
    pass the proxy authentication).

    One means to supply dedicated proxy authentication credentials for a WCF
    service client is to customize the default WebProxy that the application uses.
    I have written a blog entry explaining this:

    #[WCF]How to supply dedicated credentials for webproxy authentication in
    WCF client
    http://blogs.msdn.com/stcheng/archive/2008/12/03/wcf-how-to-supply-dedicated-credentials-for-webproxy-authentication.aspx

    You can try using the code to specify a domain account (validatable by the
    remote ISA server) for proxy authentication.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Delighting our customers is our #1 priority. We welcome your comments and
    suggestions about how we can improve the support we provide to you. Please
    feel free to let my manager know what you think of the level of service
    provided. You can send feedback directly to my manager at:
    .

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.




    Steven Cheng, May 15, 2009
    #3
  4. SESDev

    SESDev Guest

    I think you are missing the point of my question - it is not that the service
    itself is rejecting the request, but rather that the proxy server that sits
    between the client and the service is rejecting it due to the authentication
    required with it (which is a completely separate issue to any security on the
    service itself).

    --
    SES Development



    "Mr. Arnold" wrote:

    >
    > "SESDev" <> wrote in message
    > news:...
    > >I don't think that's the right direction to be looking in for this
    > >problem -
    > > we may have clients who run without a proxy server and as such can
    > > configure
    > > their client accordingly (as per the dev machines which work).
    > >
    > > I am aware that certain changes should be reflected in the configuration
    > > on
    > > both the client and the hosting server, but I would not think that
    > > something
    > > such as using a proxy (MS ISA Server in this case) at the client end
    > > would
    > > require changes on the server.
    > >
    > > Surely the whole idea behind configuration of WCF is to allow such
    > > differences to be changed on the client in the app.config file?
    > >
    > >

    >
    > > System.ServiceModel.Security.SecurityNegotiationException: The caller was
    > > not authenticated by the service. ---> System.ServiceModel.FaultException:
    > > The request for security token could not be satisfied because
    > > authentication
    > > failed.
    > > at
    > > System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message
    > > message, EndpointAddress target)
    > > at

    >
    > To me, that error message clearly indicates what is wrong. The client is
    > making it to the WCF service, but the WCF service is rejecting it. Somewhere
    > either on the client or server side authentication is out of sync. I suspect
    > it's on the server side due to the WCF service not being configured properly
    > through the WCF.config.
    >
    > It may be working on your dev machines on the domain or your p2p LAN, but
    > it's another matter if it's over the WAN/Internet through the FW.
    >
    > I am no expert here. But that's where I think the problem is at on the
    > server side, if you're not telling what the authentication is about.
    > ..
    SESDev, May 15, 2009
    #4
  5. SESDev

    SESDev Guest

    Hi Steven,

    Thanks v much for this response - just what I needed. I've added a custom
    config section for this service on the client to specify whether a proxy is
    used and if so whether the user credentials are provided or taken from
    DefaultNetworkCredentials.

    I had searched around and not come across your post - but then I was
    searching against the errors I was getting (perhaps you could update to
    include them as possible errors and others will get to your solution).

    Cheers

    Shaun

    --
    SES Development



    SESDev, May 15, 2009
    #5
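
The approach from post #3 (replace the application's default WebProxy) combined with the client-side switch described in post #5, as an added example; it is not code from the thread or from the linked blog entry. The `serviceProxy` section, its attribute names, the `ProxySetup` class and the `TaskRunner` namespace are assumptions made for illustration.

```csharp
// Added example. Assumed app.config section (hypothetical names):
//   <configSections>
//     <section name="serviceProxy" type="TaskRunner.ServiceProxySection, TaskRunner" />
//   </configSections>
//   <serviceProxy enabled="true" address="http://proxy.example.local:8080"
//                 useDefaultCredentials="false"
//                 userName="proxyuser" domain="EXAMPLE" password="(placeholder)" />
// The section can be encrypted with protected configuration
// (SectionInformation.ProtectSection) so the password is not in clear text.
using System.Configuration;
using System.Net;

namespace TaskRunner
{
    public sealed class ServiceProxySection : ConfigurationSection
    {
        [ConfigurationProperty("enabled", DefaultValue = false)]
        public bool Enabled { get { return (bool)this["enabled"]; } }

        [ConfigurationProperty("address", DefaultValue = "")]
        public string Address { get { return (string)this["address"]; } }

        [ConfigurationProperty("useDefaultCredentials", DefaultValue = true)]
        public bool UseDefaultCredentials { get { return (bool)this["useDefaultCredentials"]; } }

        [ConfigurationProperty("userName", DefaultValue = "")]
        public string UserName { get { return (string)this["userName"]; } }

        [ConfigurationProperty("domain", DefaultValue = "")]
        public string Domain { get { return (string)this["domain"]; } }

        [ConfigurationProperty("password", DefaultValue = "")]
        public string Password { get { return (string)this["password"]; } }
    }

    public static class ProxySetup
    {
        // Call once, before the first WCF channel is opened. A binding with
        // useDefaultWebProxy="true" sends its HTTP requests through
        // WebRequest.DefaultWebProxy, so these credentials answer the 407.
        // They cover the proxy hop only; the Windows credentials used for WCF
        // message security are set separately (ClientCredentials.Windows).
        public static void Apply()
        {
            var cfg = (ServiceProxySection)ConfigurationManager.GetSection("serviceProxy");
            if (cfg == null || !cfg.Enabled)
                return; // direct connection, as on the dev machines

            // Explicit address if configured, otherwise the system proxy settings.
            IWebProxy proxy = string.IsNullOrEmpty(cfg.Address)
                ? WebRequest.GetSystemWebProxy()
                : new WebProxy(cfg.Address, true);

            if (cfg.UseDefaultCredentials)
            {
                // Logged-on user's identity: works only when the proxy accepts
                // that account, which a non-domain notebook logon is not.
                proxy.Credentials = CredentialCache.DefaultNetworkCredentials;
            }
            else
            {
                if (string.IsNullOrEmpty(cfg.UserName))
                    throw new ConfigurationErrorsException(
                        "serviceProxy: userName is required when useDefaultCredentials is false.");
                proxy.Credentials = new NetworkCredential(cfg.UserName, cfg.Password, cfg.Domain);
            }

            WebRequest.DefaultWebProxy = proxy;
        }
    }
}
```
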
  6. SESDev

    Steven Cheng Guest

    Hi Shaun,

    Thanks for your prompt reply.

    I've also received your email sent from my blog.:)

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    Steven Cheng, May 15, 2009
    #6
  7. manjerekar annaji rao, Oct 29, 2009
    #7