WCF service call - problem when behind ISA Server proxy

[SESDev]

We have a WCF service which works just fine until it has to call through a
proxy server and then we're havign problems.


Network with ISA Server acting as proxy, notebook attached to network - not
part of the domain but using a domain account to authenticate with the ISA
Server for Internet access.


We have small application that performs some local tasks and then calls an
IIS hosted WCF service to update stats essentially.

When outside of the above setup (i.e. in the development environment which
has no such proxy) all works just fine and the stats are updated with the WCF
service call.

When on the notebook and behind the proxy we are getting problems. Firstly
we were not using the default proxy and getting an error:

System.ServiceModel.ProtocolException: The remote server returned an
unexpected response: (407) Proxy Authentication Required ( The ISA Server
requires authorization to fulfill the request. Access to the Web Proxy
service is denied. ). ---> System.Net.WebException: The remote server
returned an error: (407) Proxy Authentication Required.
at System.Net.HttpWebRequest.GetResponse()
at
System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---


After adding the following to the app.config

<system.net>
<defaultProxy
useDefaultCredentials="true">
<proxy autoDetect="True"/>
</defaultProxy>
</system.net>


We now get the following error:

System.ServiceModel.Security.SecurityNegotiationException: The caller was
not authenticated by the service. ---> System.ServiceModel.FaultException:
The request for security token could not be satisfied because authentication
failed.
at
System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message
message, EndpointAddress target)
at
System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
--- End of inner exception stack trace ---



My biggest problem is that I am remote to the network and do not have direct
access - I have someone on the inside as my hands & eyes, so debugging has
been a slow process.


<system.serviceModel>

<diagnostics>
<messageLogging maxMessagesToLog="30000"
logEntireMessage="true"
logMessagesAtServiceLevel="false"
logMalformedMessages="true"
logMessagesAtTransportLevel="true">
</messageLogging>
</diagnostics>

<bindings>
<wsHttpBinding>

<binding name="WSHttpBinding_IDEService"
closeTimeout="00:01:00"
openTimeout="00:05:00" receiveTimeout="00:10:00"
sendTimeout="00:05:00"
bypassProxyOnLocal="false" transactionFlow="false"
hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true"
allowCookies="false">
<readerQuotas maxDepth="32"
maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384"
/>
<reliableSession ordered="true"
inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows"
proxyCredentialType="None"
realm="" />
<message clientCredentialType="Windows"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint
address="http://dev.thedomain.com/DEService/DEService.svc"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_IDEService"
contract="SESDEService.IDEService"
name="WSHttpBinding_IDEService">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</client>
</system.serviceModel>

<system.diagnostics>
<sources>
<source name="System.ServiceModel" switchValue="Warning,
ActivityTracing" propagateActivity="true" >
<listeners>
<add name="xml" />
</listeners>
</source>
<source name="System.ServiceModel.MessageLogging" switchValue="Warning">
<listeners>
<add name="xml" />
</listeners>
</source>
</sources>
<sharedListeners>
<add name="xml" type="System.Diagnostics.XmlWriterTraceListener"
initializeData="c:\temp\TaskRunner.svclog" />
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>


<system.net>
<defaultProxy
useDefaultCredentials="true">
<proxy autoDetect="True"/>
</defaultProxy>
</system.net>

We've tried the various (5) options for proxyCredentialType="???" with no
success for any of them. I've also noticed that the binding.ProxyAddress is
not set on the client (when outputting it in code).

I've added tracing to the client app and can provide the trace (I am not
quite sure what to do with that - any help is greatly appreciated) -
http://www.swiftest.com/taskrunner.zip

Please help asap!!

 

[SESDev]

I don't think that's the right direction to be looking in for this problem -
we may have clients who run without a proxy server and as such can configure
their client accordingly (as per the dev machines which work).

I am aware that certain changes should be reflected in the configuration on
both the client and the hosting server, but I would not think that something
such as using a proxy (MS ISA Serevr in this case) at the client end would
require changes on the server.

Surely the whole idea behind configuration of WCF is to allow such
differences to be changed on the client in the app.config file?

 

[Steven Cheng]

Hi sesdev,

From your description and the error callstack you provided, I think the
problem you encounter is due to your client machine is calling the WCF
service out-side a firewall/ISA server which demand proxy
authentication(and your client's local logon account is not sufficient to
pass the proxy authentication).

One means to supply a dedicated proxy authentication credentials for WCF
service client is to customize the default WebProxy that application use. I
have ever written a blog entry explaining this:

#[WCF]How to supply dedicated credentials for webproxy authentication in
WCF client
http://blogs.msdn.com/stcheng/archive/2008/12/03/wcf-how-to-supply-dedicated
-credentials-for-webproxy-authentication.aspx

You can try using the code to specify a domain account(validatable for the
remote isa server) for proxy authentication.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.




--------------------

From: =?Utf-8?B?U0VTRGV2?= <[email protected]>
Subject: WCF service call - problem when behind ISA Server proxy
Date: Thu, 14 May 2009 09:38:01 -0700

We have a WCF service which works just fine until it has to call through a
proxy server and then we're havign problems.


Network with ISA Server acting as proxy, notebook attached to network - not
part of the domain but using a domain account to authenticate with the ISA
Server for Internet access.


We have small application that performs some local tasks and then calls an
IIS hosted WCF service to update stats essentially.

When outside of the above setup (i.e. in the development environment which
has no such proxy) all works just fine and the stats are updated with the WCF
service call.

When on the notebook and behind the proxy we are getting problems. Firstly
we were not using the default proxy and getting an error:

System.ServiceModel.ProtocolException: The remote server returned an
unexpected response: (407) Proxy Authentication Required ( The ISA Server
requires authorization to fulfill the request. Access to the Web Proxy
service is denied. ). ---> System.Net.WebException: The remote server
returned an error: (407) Proxy Authentication Required.
at System.Net.HttpWebRequest.GetResponse()
at
System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChan

nelRequest.WaitForReply(TimeSpan timeout)

 

[SESDev]

I think you are missing the point of my question - it is not that the service
itself is rejecting the request, but rather that the proxy server that sits
between the client and the service is rejecting it due to the authentication
required with it (which is a completely seperate issue to any security on the
service itself).

 

[SESDev]

Hi Steven,

Thanks v much for this response - just what I needed. I've added a custom
config section for this service on the client to specify whether a proxy is
used and if so whether the user credentials are provided or taken from
DefaultNetworkCredentials.

I had searched around and not come across your post - but then I was
searching against the errors I was getting (perhaps you could update to
include them as possible errors and others will get to your solution).

Cheers

Shaun

--
SES Development

Hi sesdev,

From your description and the error callstack you provided, I think the
problem you encounter is due to your client machine is calling the WCF
service out-side a firewall/ISA server which demand proxy
authentication(and your client's local logon account is not sufficient to
pass the proxy authentication).

One means to supply a dedicated proxy authentication credentials for WCF
service client is to customize the default WebProxy that application use. I
have ever written a blog entry explaining this:

#[WCF]How to supply dedicated credentials for webproxy authentication in
WCF client
http://blogs.msdn.com/stcheng/archive/2008/12/03/wcf-how-to-supply-dedicated
-credentials-for-webproxy-authentication.aspx

You can try using the code to specify a domain account(validatable for the
remote isa server) for proxy authentication.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.




--------------------

From: =?Utf-8?B?U0VTRGV2?= <[email protected]>
Subject: WCF service call - problem when behind ISA Server proxy
Date: Thu, 14 May 2009 09:38:01 -0700

We have a WCF service which works just fine until it has to call through a
proxy server and then we're havign problems.


Network with ISA Server acting as proxy, notebook attached to network - not
part of the domain but using a domain account to authenticate with the ISA
Server for Internet access.


We have small application that performs some local tasks and then calls an
IIS hosted WCF service to update stats essentially.

When outside of the above setup (i.e. in the development environment which
has no such proxy) all works just fine and the stats are updated with the WCF
service call.

When on the notebook and behind the proxy we are getting problems. Firstly
we were not using the default proxy and getting an error:

System.ServiceModel.ProtocolException: The remote server returned an
unexpected response: (407) Proxy Authentication Required ( The ISA Server
requires authorization to fulfill the request. Access to the Web Proxy
service is denied. ). ---> System.Net.WebException: The remote server
returned an error: (407) Proxy Authentication Required.
at System.Net.HttpWebRequest.GetResponse()
at
System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChan

nelRequest.WaitForReply(TimeSpan timeout)

--- End of inner exception stack trace ---
success for any of them. I've also noticed that the binding.ProxyAddress is
not set on the client (when outputting it in code).

 

[Steven Cheng]

Hi Shaun,

Thanks for your prompt reply.

I've also received your email sent from my blog.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.


--------------------

From: =?Utf-8?B?U0VTRGV2?= <[email protected]>
References: <[email protected]>

Subject: RE: WCF service call - problem when behind ISA Server proxy
Date: Fri, 15 May 2009 00:32:01 -0700

Hi Steven,

Thanks v much for this response - just what I needed. I've added a custom
config section for this service on the client to specify whether a proxy is
used and if so whether the user credentials are provided or taken from
DefaultNetworkCredentials.

I had searched around and not come across your post - but then I was
searching against the errors I was getting (perhaps you could update to
include them as possible errors and others will get to your solution).

Cheers

Shaun

--
SES Development

Hi sesdev,

From your description and the error callstack you provided, I think the
problem you encounter is due to your client machine is calling the WCF
service out-side a firewall/ISA server which demand proxy
authentication(and your client's local logon account is not sufficient to
pass the proxy authentication).

One means to supply a dedicated proxy authentication credentials for WCF
service client is to customize the default WebProxy that application use. I
have ever written a blog entry explaining this:

#[WCF]How to supply dedicated credentials for webproxy authentication in
WCF client
http://blogs.msdn.com/stcheng/archive/2008/12/03/wcf-how-to-supply-dedicated
-credentials-for-webproxy-authentication.aspx

You can try using the code to specify a domain account(validatable for the
remote isa server) for proxy authentication.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.




--------------------

From: =?Utf-8?B?U0VTRGV2?= <[email protected]>
Subject: WCF service call - problem when behind ISA Server proxy
Date: Thu, 14 May 2009 09:38:01 -0700

We have a WCF service which works just fine until it has to call through a
proxy server and then we're havign problems.


Network with ISA Server acting as proxy, notebook attached to network - not
part of the domain but using a domain account to authenticate with the ISA
Server for Internet access.


We have small application that performs some local tasks and then calls an
IIS hosted WCF service to update stats essentially.

When outside of the above setup (i.e. in the development environment which
has no such proxy) all works just fine and the stats are updated with

the
WCF

service call.

When on the notebook and behind the proxy we are getting problems. Firstly
we were not using the default proxy and getting an error:

System.ServiceModel.ProtocolException: The remote server returned an
unexpected response: (407) Proxy Authentication Required ( The ISA Server
requires authorization to fulfill the request. Access to the Web Proxy
service is denied. ). ---> System.Net.WebException: The remote server
returned an error: (407) Proxy Authentication Required.
at System.Net.HttpWebRequest.GetResponse()
at

System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChan
nelRequest.WaitForReply(TimeSpan timeout)

--- End of inner exception stack trace ---
We've tried the various (5) options for proxyCredentialType="???" with no
success for any of them. I've also noticed that the

binding.ProxyAddress
is

not set on the client (when outputting it in code).

 

[manjerekar annaji rao]

Hi All,

i'm facing the same issue and tried to access the below url's,
unfortunately these url's are not active. can anyone of u pls
help me.

http://blogs.msdn.com/stcheng/archive/2008/12/03/wcf-how-to-
supply-dedicated

http://blog.scorpiotek.com/2009/01/02/how-to-increase-the-
maxarraylength-in-a-wcf-component/

Manjerekar