We have a test Windows Server 2012 Domain. There are two computers which are members of this Domain.
One computer is being developed by the Oracle Corporation and is running a version of Linux on a Virtual Machine. This machine is hosting a SPNego Kerberos authenticated Web Service presumably hosted by IBM WebSphere.
The other computer is a Windows XP Client hosted on a Microsoft Virtual Machine.
We created the SPNs inside of Active Directory to authenticate users using Kerberos.
We then tested the Web Service using a browser. The WSDL address brought back the SOAP data perfectly.
The Kerberos was turned off so Client Proxy code could be incorporated into a WCF 4.0 client and turned on again for testing authentication.
However, when trying to connect to the Web Service by using the methods provided in the Client Proxy, there are all kinds of security-related errors being raised:
The remote HTTP server did not satisfy the mutual authentication requirement.
The remote server returned an error: (405) Method Not Allowed.
Below is the client-side App.config file used to connect to the Web Service:
<configuration>
  <system.serviceModel>
    <client>
      <endpoint address="http://oag:8080/pos/GetStoreConfigurationService"
                binding="wsFederationHttpBinding"
                bindingConfiguration="wsFederationHttpBinding_ESLGetStoreConfigurationBinding"
                behaviorConfiguration="ServiceBehavior"
                contract="ESLGetStoreConfigurationPortType"
                name="wsFederationHttpBinding_ESLGetStoreConfigurationPort">
        <identity>
          <servicePrincipalName value="http/oag:8080"/>
        </identity>
      </endpoint>
    </client>
    <bindings>
      <customBinding>
        <binding name="UsernameBinding">
          <binaryMessageEncoding />
          <security authenticationMode="Kerberos"
                    requireSecurityContextCancellation="false"
                    requireSignatureConfirmation="false"
                    messageProtectionOrder="EncryptBeforeSign"
                    requireDerivedKeys="false"
                    enableUnsecuredResponse="true"
                    allowInsecureTransport="true"
                    securityHeaderLayout="Lax">
          </security>
          <httpTransport authenticationScheme="Negotiate"
                         transferMode="Buffered"
                         maxReceivedMessageSize="67819876"/>
        </binding>
      </customBinding>
      <wsFederationHttpBinding>
        <binding name="wsFederationHttpBinding_ESLGetStoreConfigurationBinding">
          <security mode="Message">
            <message negotiateServiceCredential="true"
                     establishSecurityContext="false"
                     algorithmSuite="Basic128">
              <issuer address="http://192.168.100.25"
                      bindingConfiguration="UsernameBinding"
                      binding="customBinding">
                <identity>
                  <dns value="WIN-7TN6ALB4TVK.oag-dev.sei"/>
                </identity>
              </issuer>
            </message>
          </security>
        </binding>
      </wsFederationHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ServiceBehavior">
          <clientCredentials>
            <windows allowedImpersonationLevel="Identification"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
  <system.web>
    <identity impersonate="false" userName="oag-server" password="Password!"/>
  </system.web>
</configuration>
Providing Network Credentials was also done in code; but alas, to no avail.
Thank you.