If I run both client and self-hosting code locally (on same server), everything works fine.
Other relavent data:
I'm also using NtlmSelfHostConfiguration (set's http binding mode to TransportCredentialsOnly and HttpClientCredentialType to NTLM) on host.
Breakpoint never hits in controller code.
Remote host server running IIS6 but client code works fine locally there.
Using Port 8080.
Firewalls down on client desktop and host server.
I did Wireshark capture and saw the following packet description. I was not able to see what WireShark did with client and host on same server since WireShark can't see localhost transactions. I believe the "401 Unauthorized" is a normal response from the
host and that the client is supposed to then provide credentials - which it does.
161 06:32:48.145647 [client IP] [host IP] HTTP 157 GET /api/Mailbox/GetMBPerms HTTP/1.1
162 06:32:48.146546 [host IP] [client IP] HTTP 199 HTTP/1.1 401 Unauthorized
... ACKS
166 06:32:48.154280 [client IP] [host IP] TCP 1434 [TCP segment of a reassembled PDU] - a series of these which provide credentials
[host does ACK]
174 06:32:48.156386 [client IP] [host IP] HTTP 157 GET /api/Mailbox/GetMBPerms HTTP/1.1 - client does request again
[host does ACK] 176 06:32:48.158496 [host IP] [client IP] HTTP 380 KRB Error: KRB5KRB_AP_ERR_MODIFIED
198 06:32:48.294791 [client IP] [host IP] TCP 1434 [TCP segment of a reassembled PDU] - client does a series of these like it did above (see 166)
[host ACK PDU segments] 210 06:32:48.300014 [host IP] [client IP] HTTP 360 KRB Error: KRB5KRB_AP_ERR_MODIFIED - again
[host ACKs]
212 06:32:48.342070 130.97.35.171 130.97.213.67 TCP 54 52025 > http-alt [FIN, ACK] Seq=18337 Ack=633 Win=65536 Len=0 - cleint gives up
If I'm correct, the Kerberos error indicates I need to set up an SPN but in previous applications like this for which I've used WCF, I only needed SPN's set up if I was doing a double-hop - I may be using an IIS server but this is self-hosted so no double-hop.
billjam54
Member
3 Points
14 Posts
Getting "Unauthorized" returned to client from a self-hosting remote server
May 09, 2012 02:16 PM|LINK
If I run both client and self-hosting code locally (on same server), everything works fine.
Other relavent data:
I'm also using NtlmSelfHostConfiguration (set's http binding mode to TransportCredentialsOnly and HttpClientCredentialType to NTLM) on host.
Breakpoint never hits in controller code.
Remote host server running IIS6 but client code works fine locally there.
Using Port 8080.
Firewalls down on client desktop and host server.
I did Wireshark capture and saw the following packet description. I was not able to see what WireShark did with client and host on same server since WireShark can't see localhost transactions. I believe the "401 Unauthorized" is a normal response from the host and that the client is supposed to then provide credentials - which it does.
161 06:32:48.145647 [client IP] [host IP] HTTP 157 GET /api/Mailbox/GetMBPerms HTTP/1.1
162 06:32:48.146546 [host IP] [client IP] HTTP 199 HTTP/1.1 401 Unauthorized
... ACKS
166 06:32:48.154280 [client IP] [host IP] TCP 1434 [TCP segment of a reassembled PDU] - a series of these which provide credentials
[host does ACK]
174 06:32:48.156386 [client IP] [host IP] HTTP 157 GET /api/Mailbox/GetMBPerms HTTP/1.1 - client does request again
[host does ACK]
176 06:32:48.158496 [host IP] [client IP] HTTP 380 KRB Error: KRB5KRB_AP_ERR_MODIFIED
198 06:32:48.294791 [client IP] [host IP] TCP 1434 [TCP segment of a reassembled PDU] - client does a series of these like it did above (see 166)
[host ACK PDU segments]
210 06:32:48.300014 [host IP] [client IP] HTTP 360 KRB Error: KRB5KRB_AP_ERR_MODIFIED - again
[host ACKs]
212 06:32:48.342070 130.97.35.171 130.97.213.67 TCP 54 52025 > http-alt [FIN, ACK] Seq=18337 Ack=633 Win=65536 Len=0 - cleint gives up
If I'm correct, the Kerberos error indicates I need to set up an SPN but in previous applications like this for which I've used WCF, I only needed SPN's set up if I was doing a double-hop - I may be using an IIS server but this is self-hosted so no double-hop.
Ideas anyone?
billjam54
Member
3 Points
14 Posts
Re: Getting "Unauthorized" returned to client from a self-hosting remote server
May 21, 2012 01:00 PM|LINK
I tried this SPN, still didn't work. Anyone?
setspn -A http/devServer devServer