WCF Client not able to negotiate security access with Service running in a different machine


I'm trying to host a WCF service with the binding "wsDualHttpBinding". When I run my client and service (hosted in IIS) on the same machine it works fine. But when I host the service on a different machine, my client fails to register with the service. The following errors appear:

"The caller was not authenticated by the service." And inner exception: "The request for security token could not be satisfied because authentication…"

When trying to run from a different machine in another workgroup, the following error appears:

"Client is unable to finish the security negotiation within the configured time (00:00:00)"

In IIS 6.0 I turned off Integrated Authentication and allowed anonymous access.

My Service's Web.Config follows:

    <system.serviceModel>
        <diagnostics>
            <messageLogging logMalformedMessages="true" logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true"/>
        </diagnostics>
        <bindings>
            <wsDualHttpBinding>
                <binding name="StatTickerHttpBinding" bypassProxyOnLocal="false" useDefaultWebProxy="true" receiveTimeout="23:59:59">
                    <reliableSession ordered="true" inactivityTimeout="00:30:00"/>
                </binding>
            </wsDualHttpBinding>
        </bindings>
        <services>
            <service name="StatTickerService" behaviorConfiguration="ServiceBehavior">
                <!-- Service Endpoints -->
                <endpoint address="" binding="wsDualHttpBinding" bindingConfiguration="StatTickerHttpBinding" contract="IBroadCastService">
                    <!-- Upon deployment, the following identity element should be removed or replaced to reflect the 
                         identity under which the deployed service runs.  If removed, WCF will infer an appropriate identity 
                        <identity>
                            <dns value="localhost"/>
                        </identity> -->
                </endpoint>
                <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
            </service>
        </services>
        <behaviors>
            <serviceBehaviors>
                <behavior name="ServiceBehavior">
                    <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
                    <serviceMetadata httpGetEnabled="true"/>
                    <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
                    <serviceDebug includeExceptionDetailInFaults="false"/>
                </behavior>
            </serviceBehaviors>
        </behaviors>
    </system.serviceModel>

My Client App.Config follows…

    <system.serviceModel>
        <bindings>
            <wsDualHttpBinding>
                <binding name="WSDualHttpBinding_StatTickerBroadcastService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                    bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                    messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
                    <reliableSession ordered="true" inactivityTimeout="00:30:00"/>
                    <security mode="Message">
                        <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default"/>
                    </security>
                </binding>
            </wsDualHttpBinding>
        </bindings>
        <client>
            <!-- the endpoint line was cut off after binding="wsDualHttpBinding"; the remaining attributes are assumed from the rest of this config -->
            <endpoint address="" binding="wsDualHttpBinding" bindingConfiguration="WSDualHttpBinding_StatTickerBroadcastService"
                contract="IBroadCastService" name="WSDualHttpBinding_StatTickerBroadcastService">
                <identity>
                    <servicePrincipalName value="host/"/>
                </identity>
            </endpoint>
        </client>
    </system.serviceModel>

The client-side config was generated with svcutil.

I have searched and tried all the solutions I found on Google for the past 4 days, but no luck. Please help urgently.

Best Solution

If I understand your issue, it sounds like you're having problems with delegation.

Here's what I think you're trying to do:

  • User connects to web service
  • User authenticates with Windows authentication (Kerberos)
  • Web server impersonates user
  • Web server connects to backend via WCF
  • Web server authenticates with backend using the user's credentials (Kerberos)
  • Backend accepts credentials and serves up data

What needs to happen is your backend has to trust your web server to act on your behalf, called delegation. This is controlled by the domain and not freely given.

If both machines are on the same domain, the domain controller has to configure the web server as able to delegate for users. Without this, no machines on the network will trust your web server acting on a user's behalf. If this all takes place on the same machine, it does its own delegation.

If both machines are in a workgroup, I don't know what you would do.
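As an added example (not part of the question or the answer above), the following PowerShell script audits the delegation state the answer refers to and grants it in its constrained, least-privilege form. It assumes the ActiveDirectory RSAT module, rights to edit the computer object, and placeholder names WEBSRV01, BACKEND01, corp.example and jdoe.

```powershell
# Added example, not from the question or the answer: audit the delegation settings
# the answer describes and, where missing, grant them in the least-privilege form.
# Needs the ActiveDirectory RSAT module and rights to edit the computer object.
# WEBSRV01, BACKEND01, corp.example and jdoe are placeholders.
Import-Module ActiveDirectory

$webServer  = 'WEBSRV01'                       # IIS host running the WCF service
$backendSpn = 'HTTP/BACKEND01.corp.example'    # service the web server calls as the user
$testUser   = 'jdoe'                           # a user whose calls fail

# 1. Current delegation state of the web server's computer account.
$ws = Get-ADComputer -Identity $webServer -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalNames

[pscustomobject]@{
    Unconstrained      = $ws.TrustedForDelegation        # $true lets it impersonate to ANY service
    ProtocolTransition = $ws.TrustedToAuthForDelegation
    ConstrainedTargets = @($ws.'msDS-AllowedToDelegateTo') -join ', '
    SPNs               = @($ws.ServicePrincipalNames) -join ', '
} | Format-List

# 2. Kerberos is only used if an SPN matches what the client asks for in
#    <servicePrincipalName value="host/..."/>. With no match the client silently
#    falls back to NTLM, and NTLM credentials cannot be delegated at all.
#    (If the app pool runs as a domain user rather than Network Service, the
#    HTTP/ SPN must sit on that user account instead; check it with setspn -L.)
if (-not (@($ws.ServicePrincipalNames) -match "^HOST/$webServer")) {
    Write-Warning "No HOST/ SPN for $webServer; clients will negotiate NTLM."
}

# 3. A user flagged 'Account is sensitive and cannot be delegated' fails even
#    when the server side is configured correctly.
$u = Get-ADUser -Identity $testUser -Properties AccountNotDelegated
if ($u.AccountNotDelegated) { Write-Warning "$testUser is marked non-delegatable." }

# 4. Grant delegation constrained to the one backend SPN. Setting
#    TrustedForDelegation = $true instead (unconstrained) would let a compromised
#    web server impersonate every user to every service, so avoid it.
if (@($ws.'msDS-AllowedToDelegateTo') -notcontains $backendSpn) {
    Set-ADObject -Identity $ws.DistinguishedName -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }
    Write-Host "Constrained delegation to $backendSpn granted for $webServer."
}
```

The change takes effect for new logons only, so recycle the IIS app pool (or reboot the web server) after step 4 before retesting.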