
"The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate'"


I need to call a web service and for easy testing purposes I’ve created a console application for that. But it needs to work in BizTalk, and it doesn't.

It’s a pretty simple configuration in the app.config file:

<basicHttpBinding>
    <binding name="XXXWebService_Binding"  textEncoding="utf-16">
        <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
        </security>
    </binding>
</basicHttpBinding>

Before calling the web service, I need to specify the Windows credentials:

proxy.ClientCredentials.Windows.ClientCredential.Domain = "xxx";
proxy.ClientCredentials.Windows.ClientCredential.UserName = "xxx";
proxy.ClientCredentials.Windows.ClientCredential.Password = "xxx";

This works as it should work.

So I need to get this working in BizTalk. I use the WCF custom adapter with basicHttpBinding, with the same configuration as my console application:

[Screenshot: BizTalk basicHttpBinding]

To specify the credentials, I insert them in the Credentials tab.

[Screenshot: BizTalk Credentials]

When I test this, I get this error message:

System.Net.WebException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate'.

What could this be?

On MSDN (for the WCF-BasicHttp Adapter) I found this:

Windows: Windows integrated authentication. The user account under which this send port runs is used for services to authenticate this send port.

Could it be that the right credentials are ignored and the credentials of the host instance are used (even though I can find the right credentials in the context properties of the ‘Transmission Failure’-message)?


Solution

  • Windows authentication will use the account of the logged-in user for the executing process. In the case of BizTalk, that would be the Host Instance Service account.

    The Credentials box is for basic authentication only. That's just how it's wired up.

    I've never gone down this path, but I think you'll need to use a custom binding element, like a Behavior, to set the alternate Windows credentials.
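
A sketch of the kind of endpoint behavior the answer refers to, as an added example that is not code from the question or the answer: it sets the same `Windows.ClientCredential` the console application sets on its proxy, but from a behavior that a WCF-Custom send port can load. The class names and the `domain`/`userName`/`password` attributes are hypothetical, and it assumes the extension is registered so the adapter can find it; the password is taken as a plain configuration attribute.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Hypothetical behavior: replaces the default (process identity) Windows credential.
public sealed class WindowsCredentialBehavior : IEndpointBehavior
{
    private readonly NetworkCredential _credential;

    public WindowsCredentialBehavior(string domain, string userName, string password)
    {
        _credential = new NetworkCredential(userName, password, domain);
    }

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
    {
        // Runs before the channel factory is built, so the transport picks up
        // this account instead of the one the host process runs under.
        var credentials = endpoint.Behaviors.Find<ClientCredentials>();
        if (credentials == null)
            throw new InvalidOperationException("No ClientCredentials behavior on the endpoint.");
        credentials.Windows.ClientCredential = _credential;
    }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// Hypothetical configuration element that exposes the behavior to WCF configuration.
public sealed class WindowsCredentialElement : BehaviorExtensionElement
{
    [ConfigurationProperty("domain", IsRequired = true)]
    public string Domain { get { return (string)this["domain"]; } set { this["domain"] = value; } }

    [ConfigurationProperty("userName", IsRequired = true)]
    public string UserName { get { return (string)this["userName"]; } set { this["userName"] = value; } }

    [ConfigurationProperty("password", IsRequired = true)]
    public string Password { get { return (string)this["password"]; } set { this["password"] = value; } }

    public override Type BehaviorType { get { return typeof(WindowsCredentialBehavior); } }

    protected override object CreateBehavior() { return new WindowsCredentialBehavior(Domain, UserName, Password); }
}
```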