WCF Client Behind ISA: HTTP Error 407

I am moving this thread to WCF from .NET Networking and Communication

Situation:

We have to connect to a 3rd party XML Web Service outside our LAN by adding a WCF Service Reference to a simple console application

Problem:

When attempting to invoke any of the generated client class methods, we recieve the following error: "The remote server returned an unexpected response: (407) Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )."

In old style ASMX Web Reference:

TheServiceWse client = new TheServiceWse();

client.Proxy = new System.Net.WebProxy("ISA Server Name", 800);

client.Proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;

Where client is an instance of the generated Web Reference Proxy Class

However in WCF Service Reference:

I am not sure where to define the credentials of the user to pass through the ISA server successfully. I've looked into the WCF Service Configuration Editor, opened the app.Config file of my console application, checked the following configurations but it didn't succeed:

Bindings node -> MyServicePort (basicHttpBinding) node -> Binding tab -> ProxyAddress = <empty>

Bindings node -> MyServicePort (basicHttpBinding) node -> Binding tab -> UseDefaultWebProxy = True

Bindings node -> MyServicePort (basicHttpBinding) node -> Security tab -> Mode = None

Bindings node -> MyServicePort (basicHttpBinding) node -> Security tab -> ProxyCredentialType = Windows

Bindings node -> MyServicePort (basicHttpBinding) node -> Security tab -> TransportClientCredentialType = Windows

TheServicePortClient client = new TheServicePortClient();

In this client instance, there is no proxy property that i can set or set its credentials

Any advice is highly appreciated amigos

Answer this question

WCF Client Behind ISA: HTTP Error 407

abi
In order to do proxy authentication, you have to explicitly tell WCF which authentication scheme to use. The authentication scheme is used to determine the proper credential to use for authentication. Unfortunately this ProxyAuthenticationScheme property is not surfaced at any standard binding, so you'd have to use CustomBinding and specify it directly on the HttpTransportBindingElement in code or on bindings/customBinding/binding/httpTransport in config. The credential for proxy authentication can be set at the place that corresponds to the proxy authentication scheme. If you don't set, the default process credential will be used. For example, if you are using Ntlm as ProxyAuthenticationScheme, you can set ClientCredentials.Windows.ClientCredential.

Hope this helps.

Hao
tom_7

Salam,

Finally I've come across the problem. It seems that the proxy authentication won't work if I set the bindings.customBinding.binding.httpTransport.useDefaultWebProxy="false" in the application configuration file. The proxy server Uri should be explicitly defined in configuration. Below is the configuration that worked for me

<bindings>

<customBinding>

<binding name="ProvisioningPort">

<textMessageEncoding />

<httpTransport proxyAddress=http://isaserver:800 proxyAuthenticationScheme="Negotiate"

useDefaultWebProxy="false" />

</binding>

</customBinding>

</bindings>

<client>

<endpoint address=http://server/webservices

binding="customBinding" bindingConfiguration="ServicePort"

contract="Namespace.ServicePort"

name="ServicePort" />

</client>
Fistandantilus282303
Since your config looked fine to me, I suspected that it's not being used. That's why I suggested you to write a plain client that supports client authentication to try it out. The client code can look like this:

ChannelFactory<ICalculator> proxy = new ChannelFactory<ICalculator>("configName");

ICalculator calc = proxy.CreateChannel();

calc.Add(1, 2)

In the client element of the config file, define an endpoint named configName that points to the same binding you had before with proxy authentication. (If you are stuck, you can find more samples around http://msdn2.microsoft.com/en-us/library/ms751400.aspx)
Kymagic
I was having the same problem and the code below worked for me.

Web.Services.Lists objPortalService = new Lists();
objPortalService .Proxy.Credentials = new System.Net.NetworkCredential("username", "password", "domain") ;
John1010

Thanks for the followup, below is the error message I get

Unhandled Exception: System.ServiceModel.ProtocolException: The remote server returned an unexpected response: (407) Proxy Authentication Required ( T
he ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. ). ---> System.Net.WebException: The remote s
erver returned an error: (407) Proxy Authentication Required.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---

Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFact
ory factory, WebException responseException)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, Ti
meSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at WcfClientBehindProxy.provisioning_etr_blackberry_net.ProvisioningPort.submitSync(ProvisionRequest provisionRequest)
at WcfClientBehindProxy.provisioning_etr_blackberry_net.ProvisioningPortClient.submitSync(ProvisionRequest provisionRequest) in H:\TechTest\WcfClie
ntBehindProxy\WcfClientBehindProxy\Service References\provisioning.etr.blackberry.net.cs:line 1036
at WcfClientBehindProxy.Program.Main(String[] args) in H:\TechTest\WcfClientBehindProxy\WcfClientBehindProxy\Program.cs:line 14
Praveena Karuturi
The config looks fine to me. What error do you get after this change
robinjam
Was your TheServicePortClient class generated using SvcUtil.exe When client proxies are generated using SvcUtil.exe, they inherit from System.ServiceModel.ClientBase<T> (http://msdn2.microsoft.com/en-us/library/ms576141.aspx).

These have a property called ClientCredentials (http://msdn2.microsoft.com/en-gb/library/system.servicemodel.description.clientcredentials.aspx) where you can specify the credentials you need.
Anthony Borton
Did you ever resolve this

I am having exactly the same issue, and cannot seem to make any progress regardless of the config settings.

Any advice would be appreciated.

Ben
Jamie Thomson

Thank you for the advice, however I tried it and couldn't get into a solution.

static void Main(string[] args)

{

proxies.TheServicePortClient client = new proxies.TheServicePortClient();

client.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;

client.WebMethod();

}

App.Config content, "IntegratedWindowsAuthentication" is not allowed for ProxyAuthenticationScheme, therefore I tried the rest and none of them worked. your advice is highly appreciated

< xml version="1.0" encoding="utf-8" >

<configuration>

<system.serviceModel>

<bindings>

<customBinding>

<binding name="TheServicePort">

<textMessageEncoding />

<httpTransport authenticationScheme="Anonymous" proxyAuthenticationScheme="Negotiate" />

</binding>

</customBinding>

</bindings>

<client>

<endpoint address=http://theserver/theservice

binding="customBinding" bindingConfiguration="TheServicePort"

contract="proxies.TheServicePort" name="TheServicePort" />

</client>

</system.serviceModel>

</configuration>
InfiniZac
Nice to know that this problem is resolved. It's interesting that you had to specify a proxy address explicitly. It seems that your default web proxy (the one set in IE) is pointing to a different proxy server that also requires authentication. Any idea why Negotiate authentication would fail against the default web proxy

JaceHon

Khubieb Al Omari wrote:

It is created using Visual Studio Add Service Reference which seems to use the SvcUtil in turn. The generated Client does inherit the System.ServiceModel.ClientBase<T>.

I did test it to set the client.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials and played with the binding configurations with multiple possible combinations and none of my trials succeeded. I did also try client.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential("username", "password", "domain") it didn't work as well.

Actually, the Visual Studio "Add Service Reference" feature is not using SvcUtil.exe tool, it duplicates certain basic features of the SvcUtil.exe tool, but lacks many complicated switches SvcUtil.exe tool provides. Usually, if you are having trouble generating proxy file using the "Add Service Reference" feature, the first thing you can try is to do the same with Svcutil.exe tool, and if successful, it might be a bug in the "Add Service Reference" feature itself.

Prasenna

It is created using Visual Studio Add Service Reference which seems to use the SvcUtil in turn. The generated Client does inherit the System.ServiceModel.ClientBase<T>.

I did test it to set the client.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials and played with the binding configurations with multiple possible combinations and none of my trials succeeded. I did also try client.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential("username", "password", "domain") it didn't work as well.
Jan Ku&#269;era

to pass through the proxy server, I use my domain user credentials. I've successfully communicated with the same service through the same proxy server using my domain credentials only by Web Service Web Reference in my sample application. I wanted to change the Web Service Web Reference to WCF Client Service Reference, this is where the problem with proxy authentication started. below is the code that works fine when adding web reference in visual studio

//TheServiceProxy is the type generated by Visual Studio when adding a web reference to my console application

TheServiceProxy client = new TheServiceProxy();

client.Proxy = new System.Net.WebProxy("proxyservername", 800);

client.Proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;

client.TheWebMethod();

for the simple client you suggested, I didn't get your idea: what to do to test that the config is used, and how I would communicate with the server without the generated proxy code
A kid
Do you know what authentication the proxy server requires I suspect the error is because the config binding is not used. I suggest that you write a simple client without the generated proxy code just to make sure that the config is used. It's ok if you hit a different exception from the server, as long as you are able to go through the proxy.
WCF Client Behind ISA: HTTP Error 407

Answer this question