by Derek Du
After my last blog post about using cert-based Message security for a WCF web service, we started to look into using Windows Authentication for a different system that also sits behind a load balancer/SSL handler. Windows Authentication is a much easier integration option: the client side can simply provide a domain user account to be authenticated, whereas with cert-based authentication each client needs to install a certificate. That makes it harder for clients to develop against the service, and it is our motivation for looking into Windows Authentication instead.
With the experience of cert-based authentication behind us, I was pretty sure it wasn't going to be easy to use Windows Authentication in a load-balanced environment. The first thing we tried, of course, was to follow Microsoft's guide to use wsHttpBinding with Windows Authentication and Message security, with one difference: our client needs to use Transport security instead of Message security, because it must use HTTPS.
As we expected, this setup didn't work, because the service expects Message security while the client is using Transport security. We then tried TransportWithMessageCredential and some other settings. None of them worked. We were stuck on the error message "The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'.", which unfortunately is one of those error messages that do not make sense.
In the painful process of pursuing the truth, we came across some posts that placed the problem at the load balancer level, which discouraged us from researching it further. It seemed more reasonable to find an alternative at that point, and we did find that using BasicHttpBinding with Windows Authentication and TransportCredentialOnly worked in our environment.
Here is our client setup:
The problem is that the client's credentials are passed in clear text. Although the message is protected by HTTPS up to the load balancer, we still want true end-to-end protection of the credentials, so this solution is off the table. We decided to go back to our original plan.
I will just skip to the end of the story (because I like magic!): we eventually found a solution that worked in the load-balanced environment. Custom binding once again saved the world! I didn't find any article about this configuration, which makes it all the more important to share it with everyone.
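To make the end-to-end point concrete, here is an added example (my own code, not the configuration from the original post) that builds the two client bindings described above and inspects any WCF binding, custom bindings included, to tell whether the Windows credential is protected past an SSL-terminating load balancer. The endpoint addresses are placeholders.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class LoadBalancedWindowsAuth
{
    // Microsoft's guide: wsHttpBinding with the Windows credential carried in the
    // SOAP message, so it stays protected no matter where TLS is terminated.
    public static WSHttpBinding MessageSecurityBinding()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return b;
    }

    // What worked behind the load balancer: basicHttpBinding with
    // TransportCredentialOnly. Windows auth happens at the HTTP level over plain
    // HTTP; only the hop in front of the load balancer is covered by HTTPS.
    public static BasicHttpBinding TransportCredentialOnlyBinding()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return b;
    }

    // Inspects the binding element stack rather than the binding type, so it also
    // works for a customBinding. serviceTerminatesTls is true only when the WCF
    // host itself, not an SSL offloader in front of it, holds the TLS endpoint.
    public static bool CredentialProtectedEndToEnd(Binding binding, bool serviceTerminatesTls)
    {
        BindingElementCollection elements = binding.CreateBindingElements();

        // Any SecurityBindingElement (Message or TransportWithMessageCredential)
        // puts the credential inside the signed/encrypted SOAP message.
        if (elements.Find<SecurityBindingElement>() != null)
            return true;

        // HTTPS transport protects the credential only as far as the TLS endpoint.
        if (elements.Find<HttpsTransportBindingElement>() != null)
            return serviceTerminatesTls;

        // Plain HTTP transport (e.g. TransportCredentialOnly): the authentication
        // exchange travels in the clear between the load balancer and the service.
        return false;
    }

    static void Main()
    {
        bool behindOffloader = false; // TLS terminated on the load balancer
        Console.WriteLine(CredentialProtectedEndToEnd(MessageSecurityBinding(), behindOffloader));
        Console.WriteLine(CredentialProtectedEndToEnd(TransportCredentialOnlyBinding(), behindOffloader));
    }
}
```

Run behind an SSL offloader the first check reports true and the second false, which is exactly the gap that ruled out the TransportCredentialOnly setup.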
This blog originally appeared in Derek's blog, Stuff.