I think this issue has less to do with software development and more to do with general network configuration, so I'm posting the question here initially.
I have an MVC4 application hosted in IIS 7.5 on a Windows 2008 R2 server (let's call it WS1). It is consuming a WCF service on a second identical server (WS2). Also on WS2 is a SharePoint 2007 installation. The WCF service interacts with SharePoint and as such needs to run as a user who has access to my SharePoint site. Because of that, the WCF service is set up to use Windows Authentication with NTLM as the only Windows Authentication provider (required by SharePoint). The MVC4 application on WS1 is also set up for Windows Authentication, NTLM as the only provider, and has WCF endpoint security settings to match:
<binding name="SpBasicHttp" ... >
  <security mode="TransportCredentialOnly">
    <transport clientCredentialType="Ntlm" />
  </security>
</binding>
WS1 and WS2 are both virtual machines and, while they do not necessarily live on the same host, they are on the same domain.
Now, when I attempt to invoke a web service method from WS1 to WS2, I receive the following error:
Sharepoint web services — The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'
Yuck. So, I turned on NTLM auditing on WS2 and I found that basically no NTLM authentication request is reaching that server during the invocation of the web service.
Now, if I deploy the MVC4 application to WS2 and change nothing except the WCF service endpoint URL, everything works perfectly. Windows Authentication via NTLM works flawlessly, and there's an NTLM authentication audit entry plainly visible in the Event Viewer. It looks like:
Audit NTLM authentication in this domain
User: billybob
Domain: xyz
Workstation: MY-COMPUTER-NAME
PID: 4
Process:
Logon type: 3
InProc: true
Mechanism: (NULL)
There are no group policy settings on either machine preventing outbound or inbound NTLM requests. The network I am developing in is not set up for Kerberos so that unfortunately isn't an option. I also don't have any access to Active Directory.
So, from a server administration perspective, what would be stopping an NTLM authentication request dead in its tracks between two servers where it works just fine confined to a single server?
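An added diagnostic script, not part of the original question: it reads the NTLM audit events the poster enabled on the WCF host from the Microsoft-Windows-NTLM/Operational log, parses the "Key: value" lines shown in the Event Viewer entry above, and counts events per calling workstation, so you can confirm on WS2 whether any authentication attempt from WS1 arrived at all. The workstation name `WS1` and the time window are assumed placeholders.

```powershell
# Added diagnostic; assumes NTLM auditing is enabled on this host and that the
# Microsoft-Windows-NTLM/Operational log receives the "Audit NTLM authentication" events.
param(
    [string]$ClientWorkstation = 'WS1',   # placeholder: name of the calling server
    [int]$MinutesBack = 30
)

# Pull recent NTLM audit events from the operational log.
function Get-NtlmAuditEvents {
    param([int]$MinutesBack)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Audit NTLM authentication' }
}

# Turn the multi-line message (User:, Domain:, Workstation:, Logon type:, ...)
# into an object; lines without a colon, such as the title line, are skipped.
function ConvertFrom-NtlmAuditMessage {
    param([string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    [pscustomobject]$fields
}

$parsed = foreach ($e in (Get-NtlmAuditEvents -MinutesBack $MinutesBack)) {
    $f = ConvertFrom-NtlmAuditMessage -Message $e.Message
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        User        = $f.User
        Workstation = $f.Workstation
        LogonType   = $f.'Logon type'
        Mechanism   = $f.Mechanism
    }
}

Write-Host "NTLM audit events in the last $MinutesBack minutes, by workstation:"
$parsed | Group-Object Workstation | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

$fromClient = @($parsed | Where-Object { $_.Workstation -eq $ClientWorkstation })
if ($fromClient.Count -eq 0) {
    Write-Host "No NTLM audit events from $ClientWorkstation reached this server in that window."
} else {
    $fromClient | Format-Table Time, EventId, User, LogonType, Mechanism -AutoSize
}
```

Run it on WS2 in an elevated PowerShell session immediately after triggering the failing call from WS1; an empty result for WS1 alongside entries for the local workstation reproduces the difference the question describes.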