Web service HTTP request is unauthorized with scheme digest

Question

I'm having some trouble with a web service call from my C# client. Occasionally it will return the following error:

WWW-Authenticate: Basic realm="[SomeRealm]"'. --->
System.ServiceModel.Security.MessageSecurityException: 
The HTTP request is unauthorized with client authentication scheme 'Digest'. 
The authentication header received from the server was 'Digest realm="[SomeRealm]",
nonce="00000717Y382188758809db0bcc622bdf37def3deabb93", stale=FALSE, qop="auth"
WWW-Authenticate: Basic realm="[SomeRealm]"'. ---> 
System.Net.WebException: The remote server returned an error: (401) Unauthorized.

But I can't figure out why and it is really hard to reproduce and therefore very tricky to debug. Most of the time the calls to the web service works just fine. Anyone got any ideas why this happens? Or any tips on how to debug and get more info on the problem?

UPDATE:

Ok, so I tried out looking at the communication that goes on using fiddler, but it didn't make me any wiser.

This is a vaild request/challenge/request/response

Request

POST http://192.168.1.3/api/services HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8;
action="http://www.domain.com/api/ws/event1/GetScheduledEvents"
Host: 192.168.1.3
Content-Length: 482
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Challenge

HTTP/1.1 401 Unauthorized
Date: Wed, 14 Aug 2013 07:45:49 GMT
Accept-Ranges: bytes
Connection: close
WWW-Authenticate: Digest realm="[SomeRealm]",
once="00025a89Y1892894c7fb9fe5f9de425b40c72d72de3227", stale=FALSE, qop="auth"
WWW-Authenticate: Basic realm="[SomeRealm]"
Content-Length: 180
Content-Type: text/html; charset=ISO-8859-1

<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY><H1>401 Unauthorized</H1>
Your client does not have permission to get URL /api/services from this server.
</BODY></HTML>

Request

POST http://192.168.1.3/api/services HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8; action="http://www.domain.com/api/ws/event1/GetScheduledEvents"
Accept-Encoding: gzip, deflate
Authorization: Digest username="UserName",realm="[SomeRealm]",nonce="00025a89Y1892894c7fb9fe5f9de425b40c72d72de3227",uri="/api/services",cnonce="abff70e14c8f89b09abac9eaaa9de8ce",nc=00000001,qop="auth",response="df71769f9fb2bb5e1396546b7422d5fd"
Host: 192.168.1.3
Content-Length: 482
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Authentication-Info: qop=auth, rspauth="51832dfe63819c551bf666409f58b08c", cnonce="abff70e14c8f89b09abac9eaaa9de8ce", nc=00000001
Server: gSOAP/2.7
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 3752
Connection: close

And this is one of the failing request/challenge/request/response

Request

POST http://192.168.1.3/api/services HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8; action="http://www.domain.com/api/ws/event1/GetScheduledEvents"
Host: 192.168.1.3
Content-Length: 482
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Challenge

HTTP/1.1 401 Unauthorized
Date: Wed, 14 Aug 2013 07:45:49 GMT
Accept-Ranges: bytes
Connection: close
WWW-Authenticate: Digest realm="[SomeRealm]", nonce="00025a89Y3757607d2e481c5c24cb20f1a46b129a37218", stale=FALSE, qop="auth"
WWW-Authenticate: Basic realm="[SomeRealm]"
Content-Length: 180
Content-Type: text/html; charset=ISO-8859-1

<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY><H1>401 Unauthorized</H1>
Your client does not have permission to get URL /api/services from this server.
</BODY></HTML>

Request

POST http://192.168.1.3/api/services HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8; action="http://www.domain.com/api/ws/event1/GetScheduledEvents"
Accept-Encoding: gzip, deflate
Authorization: Digest username="UserName",realm="[SomeRealm]",nonce="00025a89Y3757607d2e481c5c24cb20f1a46b129a37218",uri="/api/services",cnonce="9daae13f56820d9edf12cbf7e41f894b",nc=00000001,qop="auth",response="18d885af71eb74d1476da0f3668bf00e"
Host: 192.168.1.3
Content-Length: 482
Connection: Keep-Alive

Response

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="[SomeRealm]", nonce="00025a89Y412766b2f55e4fc54dbd441b95cc713e08ccb", stale=FALSE, qop="auth"
WWW-Authenticate: Basic realm="[SomeRealm]"
Server: gSOAP/2.7
Content-Type: text/xml; charset=utf-8
Content-Length: 0
Connection: close

Answer 1

So it seems that the error was actually on the server side. As far as I've heard it was some threading issue which seems plausible since I hit the server with a lot of requests.

Answer 2

I had plenty of problems while setting up security on my WCF end point, and the easiest way to find the cause of obscure errors (I had plenty) was to turn on the log traces for the web service, both on the host and client sides. I also found using Fiddler as a message interceptor/proxy worked well. Using these tools, you'll get much more information about what's happening within the web service.

Here's a link to turning on the tracing: How to turn on WCF tracing?

Here's a link to using fiddler to sniff out problems: How to use Fiddler to monitor WCF service

Best of luck.

Answer 3

What type of Authentication you are using for web service Basic or Digest . Because Digest is not supported by all the browsers