The HTTP request is unauthorized with client authentication scheme Ntlm The authentication header received from the server was NTLM

Question

I know there s a lot of questions on SO similar to this  but I couldn t find one for this particular issue  A couple of points  first   I have no control over our Sharepoint server  I cannot tweak any IIS settings  I believe our IIS server version is IIS 7 0  Our Sharepoint Server is anticipating requests via NTLM  Our Sharepoint Server is on the same domain as my client computer  I am using  NET Framework 3 5  Visual Studio 2008  I am trying to write a simple console app to manipulate Sharepoint data using Sharepoint Web Services  I have added the Service Reference  and the following is my app config   lt system serviceModel gt       lt bindings gt           lt basicHttpBinding gt               lt binding name  quot ListsSoap quot  closeTimeout  quot 00 01 00 quot  openTimeout  quot 00 01 00 quot                  receiveTimeout  quot 00 10 00 quot  sendTimeout  quot 00 01 00 quot  allowCookies  quot false quot                  bypassProxyOnLocal  quot false quot  hostNameComparisonMode  quot StrongWildcard quot                  maxBufferSize  quot 65536 quot  maxBufferPoolSize  quot 524288 quot  maxReceivedMessageSize  quot 65536 quot                  messageEncoding  quot Text quot  textEncoding  quot utf-8 quot  transferMode  quot Buffered quot                  useDefaultWebProxy  quot true quot  gt                   lt readerQuotas maxDepth  quot 32 quot  maxStringContentLength  quot 8192 quot  maxArrayLength  quot 16384 quot                      maxBytesPerRead  quot 4096 quot  maxNameTableCharCount  quot 16384 quot    gt                   lt security mode  quot Transport quot  gt                       lt transport clientCredentialType  quot Ntlm quot  proxyCredentialType  quot Ntlm quot    gt                   lt  security gt               lt  binding gt           lt  basicHttpBinding gt       lt  bindings gt       lt client gt           lt endpoint address  quot https   subdomain companysite com subsite  vti bin Lists asmx quot              binding  quot basicHttpBinding quot  bindingConfiguration  quot ListsSoap quot              contract  quot ServiceReference1 ListsSoap quot  name  quot ListsSoap quot    gt       lt  client gt   lt  system serviceModel gt   This is my code  static void Main string   args        using  var client   new ListsSoapClient                  client ClientCredentials Windows ClientCredential   new NetworkCredential  quot username quot    quot password quot    quot domain quot            client GetListCollection             When I call GetListCollection    the following MessageSecurityException gets thrown  The HTTP request is unauthorized with client authentication scheme  Ntlm   The authentication header received from the server was  NTLM    With an inner WebException   quot The remote server returned an error   401  Unauthorized  quot   I ve tried various bindings and various code tweaks to try to authenticate properly  but to no avail  I ll list those below   I ve tried the following steps  Using a native Win32 Impersonator before creating the client using  new Impersonator Impersonator  quot username quot    quot password quot    quot domain quot    using  var client   new ListsSoapClient          client ClientCredentials Windows ClientCredential   new NetworkCredential  quot dpincas quot    quot password quot    quot domain quot        client GetListCollection       This produced the same error message   Setting TokenImpersonationLevel for my client credentials using  var client   new ListsSoapClient          client ClientCredentials Windows AllowedImpersonationLevel   TokenImpersonationLevel Impersonation      client GetListCollection       This produced the same error message   Using security mode TransportCredentialOnly  lt security mode  quot TransportCredentialOnly quot  gt       lt transport clientCredentialType  quot Ntlm quot    gt   lt  security gt   This resulted in a different error message  The provided URI scheme  https  is invalid  expected  http   Parameter name  via  However  I need to use https  so I cannot change my URI scheme   I ve tried some other combinations that I can t remember  but I ll post them when I do  I m really at wits end here  I see a lot of links on Google that say  quot switch to Kerberos quot   but my server seems to only be accepting NTLM  not  quot Negotiate quot   as it would say if it was looking for Kerberos   so that is unfortunately not an option  Any help out there  folks

User · Answer

I would try to connect to your Sharepoint site with this tool here. If that works you can be sure that the problem is in your code / configuration. That maybe does not solve your problem immediately but it rules out that there is something wrong with the server. Assuming that it does not work I would investigate the following:

Does your user really have enough rights on the site?
Is there a proxy that interferes? (Your configuration looks a bit like there is a proxy. Can you bypass it?)

I think there is nothing wrong with using security mode Transport, but I am not so sure about the proxyCredentialType="Ntlm", maybe this should be set to None.

User · Answer

Visual Studio 2005   Create a new console application project in Visual Studio Add a  Web Reference  to the Lists asmx web service    Your URL will probably look like  http   servername sites SiteCollection SubSite  vti bin Lists asmx I named my web reference  ListsWebService  Write the code in program cs  I have an Issues list here    Here is the code   using System  using System Collections Generic  using System Text  using System Xml   namespace WebServicesConsoleApp       class Program               static void Main string   args                        try                               ListsWebService Lists listsWebSvc   new WebServicesConsoleApp ListsWebService Lists                    listsWebSvc Credentials   System Net CredentialCache DefaultNetworkCredentials                  listsWebSvc Url    http   servername sites SiteCollection SubSite  vti bin Lists asmx                   XmlNode node   listsWebSvc GetList  Issues                              catch  Exception ex                                Console WriteLine ex ToString                                         Visual Studio 2008   Create a new console application project in Visual Studio Right click on References and Add Service Reference Put in the URL to the Lists asmx service on your server   Ex  http   servername sites SiteCollection SubSite  vti bin Lists asmx  Click Go Click OK Make the following code changes    Change your app config file from    lt security mode  None  gt       lt transport clientCredentialType  None  proxyCredentialType  None          realm      gt       lt message clientCredentialType  UserName  algorithmSuite  Default    gt   lt  security gt    To    lt security mode  TransportCredentialOnly  gt     lt transport clientCredentialType  Ntlm   gt   lt  security gt    Change your program cs file and add the following code to your Main function   ListsSoapClient client   new ListsSoapClient    client ClientCredentials Windows ClientCredential   System Net CredentialCache DefaultNetworkCredentials  client ClientCredentials Windows AllowedImpersonationLevel   System Security Principal TokenImpersonationLevel Impersonation  XmlElement listCollection   client GetListCollection      Add the using statements   using  your app name  ServiceReference1  using System Xml    Reference  http   sharepointmagazine net technical development writing-caml-queries-for-retrieving-list-items-from-a-sharepoint-list

User · Answer

After many answers that did not work  I finally found a solution when Anonymous access is Disabled on the IIS server   Our server is using Windows authentication  not Kerberos   This is thanks to this blog posting   No changes were made to web config   On the server side  the  SVC file in the ISAPI folder uses MultipleBaseAddressBasicHttpBindingServiceHostFactory  The class attributes of the service are    BasicHttpBindingServiceMetadataExchangeEndpointAttribute   AspNetCompatibilityRequirements RequirementsMode   AspNetCompatibilityRequirementsMode Required   public class InvoiceServices   IInvoiceServices           On the client side  the key that made it work was the http binding security attributes   EndpointAddress endpoint     new EndpointAddress new Uri  http   SharePointserver  vti bin InvoiceServices svc     BasicHttpBinding httpBinding   new BasicHttpBinding    httpBinding Security Mode   BasicHttpSecurityMode TransportCredentialOnly  httpBinding Security Transport ClientCredentialType   HttpClientCredentialType Ntlm  InvoiceServicesClient myClient   new InvoiceServicesClient httpBinding  endpoint   myClient ClientCredentials Windows AllowedImpersonationLevel   System Security Principal TokenImpersonationLevel Impersonation     call service    I hope this works for you

User · Answer

After a lot of trial and error  followed by a stagnant period while I waited for an opportunity to speak with our server guys  I finally had a chance to discuss the problem with them and asked them if they wouldn t mind switching our Sharepoint authentication over to Kerberos   To my surprise  they said this wouldn t be a problem and was in fact easy to do  They enabled Kerberos and I modified my app config as follows    lt security mode  Transport  gt       lt transport clientCredentialType  Windows    gt   lt  security gt    For reference  my full serviceModel entry in my app config looks like this    lt system serviceModel gt       lt bindings gt           lt basicHttpBinding gt               lt binding name  TestServerReference  closeTimeout  00 01 00  openTimeout  00 01 00               receiveTimeout  00 10 00  sendTimeout  00 01 00  allowCookies  false               bypassProxyOnLocal  false  hostNameComparisonMode  StrongWildcard               maxBufferSize  2000000  maxBufferPoolSize  2000000  maxReceivedMessageSize  2000000               messageEncoding  Text  textEncoding  utf-8  transferMode  Buffered               useDefaultWebProxy  true  gt                   lt readerQuotas maxDepth  32  maxStringContentLength  8192  maxArrayLength  16384                   maxBytesPerRead  4096  maxNameTableCharCount  16384    gt                   lt security mode  Transport  gt                       lt transport clientCredentialType  Windows    gt                   lt  security gt               lt  binding gt           lt  basicHttpBinding gt       lt  bindings gt       lt client gt           lt endpoint address  https   path to site  vti bin Lists asmx           binding  basicHttpBinding  bindingConfiguration  TestServerReference           contract  TestServerReference ListsSoap  name  TestServerReference    gt       lt  client gt   lt  system serviceModel gt    After this  everything worked like a charm  I can now  finally   utilize Sharepoint Web Services  So  if anyone else out there can t get their Sharepoint Web Services to work with NTLM  see if you can convince the sysadmins to switch over to Kerberos

User · Answer

I had exactly the same issue last week - WCF program behaves strangely on one server - why    For me the solution was rather simple  Sharepoint has its own set of permissions  My client tried to log on as a user that wasn t explicitly given access to the webservice through Sharepoint s administration panel   I added the user to Sharepoint s whitelist and bang - it just worked   Even if that isn t the issue  please note that  The HTTP request is unauthorized with client authentication scheme    Ntlm     The authentication header received from the server was    NTLM      Means  in English  that you simply don t have permission  Your protocol is probably right - your user just doesn t have permissions

User · Answer

I have the same setup that you do  and this works fine for me   I think that maybe the problem lies somewhere on your moss configuration or on your network     You said that moss resides on the same domain as your application   If you have access to the site with your user  that is logged into your machine     have you tried   client ClientCredentials Windows ClientCredential   System Net CredentialCache DefaultNetworkCredentials

User · Answer

If I recall correctly  there are some issues with adding SharePoint web services as a VS2K8  Service Reference    You need to add it as an old-style  Web Reference  to work properly

User · Answer

I have had this issue before   client ClientCredentials Windows AllowedImpersonationLevel   TokenImpersonationLevel Impersonation    do this against your wcf proxy before making the call

User · Answer

Try this   lt client gt     lt endpoint gt       lt identity gt         lt servicePrincipalName value      gt       lt  identity gt     lt  endpoint gt   lt  client gt    I ve encountered this error before when working in a webfarm and this fixed it for me

User · Answer

This issue was even more strange for us  Everything worked if you had previously visited the sharepoint site from the browser  before you made the SOAP call  However  if you did the SOAP call first we d throw the above error   We were able to resolve this issue by installing the sharepoint certificate on the client and adding the domain to the local intranet sites

[c#] The HTTP request is unauthorized with client authentication scheme 'Ntlm' The authentication header received from the server was 'NTLM'

Examples related to c#

Examples related to .net

Examples related to sharepoint

Examples related to authentication

Examples related to ntlm