Trent Swanson
Material, Formal, Efficient, Final Cause of Software Architecture

Calling SharePoint web services using Visual Studio 2008, WCF, and Windows Authentication

January 10, 2008 06:46 by trents

Invoking SharePoint web services from WCF is fairly easy to do, but I did run into a few minor gotchas along the way that beat me up a bit, and I would like to share them. The SharePoint web services are .NET ASMX web services, and the steps for getting this working with Visual Studio 2008 are slightly different from those for Visual Studio 2005.

We start by right-clicking "Service References" or "References" in "Solution Explorer" for our solution and selecting "Add Service Reference" from the context menu. This opens the "Add Service Reference" dialog, where we enter the information needed to generate our WCF client code. Note that you can still add a "Web Reference" and generate proxy code based on the .NET Framework 2.0 web services technology: click the "Advanced..." button at the bottom of the "Add Service Reference" dialog, then click the "Add Web Reference..." button at the bottom of the "Service Reference Settings" dialog that appears. After you add the service reference, configuration entries are added to app.config and code is generated in your project's service reference directory.

If you are using Windows Authentication with SharePoint and you attempt to invoke the service via the newly added reference, you will likely receive the following error:

"The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'."

We need to modify the app.config so that the service reference relies on the transport for authentication and uses Windows authentication. To do this, open your application configuration, which should look similar to the following:

<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="QueryServiceSoap" closeTimeout="00:01:00" openTimeout="00:01:00"
          receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
          bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
          maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
          messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
          useDefaultWebProxy="true">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <security mode="None">
            <transport clientCredentialType="None" proxyCredentialType="None"
              realm="" />
            <message clientCredentialType="UserName" algorithmSuite="Default" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <client>
      <endpoint address="http://moss1/_vti_bin/search.asmx" binding="basicHttpBinding"
        bindingConfiguration="QueryServiceSoap" contract="SearchService.QueryServiceSoap"
        name="QueryServiceSoap" />
    </client>
  </system.serviceModel>
</configuration>

Then change the security and transport settings as follows:

<security mode="TransportCredentialOnly">
     <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
     <message clientCredentialType="UserName" algorithmSuite="Default" />
</security>

And finally you are going to have to set the token impersonation level on your client proxy object in your code:

SearchService.QueryServiceSoapClient client = new SearchService.QueryServiceSoapClient();
client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

I have not tested and verified this yet, but you should be able to set the app.config settings for the security mode and transport from code as well.
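The post says the security mode and transport settings should also be settable from code. The following is an added example (not the author's code) that does this with the System.ServiceModel binding API; `SearchClientFactory` and its method names are hypothetical, while `SearchService.QueryServiceSoapClient` and the `http://moss1/_vti_bin/search.asmx` address are the generated proxy and endpoint from the post. It also switches to `Transport` mode when the address is HTTPS, because `TransportCredentialOnly` authenticates over plain HTTP and leaves the SOAP traffic unencrypted.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical helper: builds in code what the edited <security> element configures.
static class SearchClientFactory
{
    // credentialType: HttpClientCredentialType.Windows as in the post, or
    // HttpClientCredentialType.Ntlm for servers that only offer NTLM.
    public static BasicHttpBinding CreateBinding(Uri serviceUri,
                                                 HttpClientCredentialType credentialType)
    {
        var binding = new BasicHttpBinding();

        // TransportCredentialOnly: HTTP authentication only, no encryption or
        // integrity protection of the messages. Over HTTPS use Transport instead.
        binding.Security.Mode = serviceUri.Scheme == Uri.UriSchemeHttps
            ? BasicHttpSecurityMode.Transport
            : BasicHttpSecurityMode.TransportCredentialOnly;

        binding.Security.Transport.ClientCredentialType = credentialType;
        binding.Security.Transport.ProxyCredentialType = HttpProxyCredentialType.None;
        return binding;
    }

    public static SearchService.QueryServiceSoapClient CreateClient(Uri serviceUri)
    {
        var binding = CreateBinding(serviceUri, HttpClientCredentialType.Windows);

        // The generated proxy derives from ClientBase<T>, which accepts an
        // explicit binding and endpoint address instead of reading app.config.
        var client = new SearchService.QueryServiceSoapClient(
            binding, new EndpointAddress(serviceUri));

        // Same setting as in the post: allow the server to impersonate the caller.
        client.ClientCredentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;
        return client;
    }

    static void Main()
    {
        var client = CreateClient(new Uri("http://moss1/_vti_bin/search.asmx"));
        Console.WriteLine(client.Endpoint.Binding.Name);
        client.Close();
    }
}
```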


Categories: SharePoint | WCF

Comments

February 5. 2008 02:57

Powlo

Great article - exactly what I was looking for. I've been scratching my head for hours over this!

Powlo

February 21. 2008 07:34

Arian

I've been fighting this same problem. Almost nothing out there about it. I tried your suggestion exactly but I still get:

"The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'NTLM'."

My app.config contains:

<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>

I have the AllowedImpersonationLevel on the client object set to TokenImpersonationLevel.Impersonation. Can you think of anything else I should try?

Thanks!

Arian

June 2. 2008 07:54

Rigster

Being unable to connect to Reporting Services web service from VS 2008 I have been googling all day till I got this line:

client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

Thanks a lot, you have to know that you saved my day.

Rigster

September 30. 2008 22:08

oriol

It worked! Thanks!

oriol

January 13. 2009 14:38

prathibha

I have a requirement to access a MOSS site (internet enabled/customer facing) to get the names of all the people in a particular site through the object model. It's working fine with a normal class library, but giving issues when we register this as a service running out of IIS.

The service is running on anonymous access whereas the MOSS runs on integrated windows. When accessing through the service, an exception says that the site is not found. Is it something to do with the access rights?

Note: A normal BO is there which is invoked by the service class to query MOSS. Is this a concern?

Any help is appreciated!

prathibha

February 4. 2009 21:15

Steve

Trent, I found that this works if you are logged into a machine on the same domain as the SharePoint server and if the login credentials have permissions on that SharePoint server. However, it does not work if you try to connect to a SharePoint server on another domain. Do you know if there is a way to set and pass user credentials either in the app.config or in the code?

Steve

May 19. 2009 17:50

Haibo Ye

I also met this issue while calling a web service:
"The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'NTLM'."
Following is my app.config:
<binding name="SQLMSE_WSSoap" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="Digest"
realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://msetestserver/msewebservicetest/sqlmse_ws.asmx"
binding="basicHttpBinding" bindingConfiguration="SQLMSE_WSSoap"
contract="SQLMSE_WSSoap.SQLMSE_WSSoap" name="SQLMSE_WSSoap" behaviorConfiguration="ImpersonationBehavior" />
</client>

It still doesn't work. Why? Give me some advice about it, thanks.

Haibo Ye

June 23. 2009 17:29

SEO

Excellent article. Thanks for sharing the information with us...

SEO

June 28. 2009 20:26

SEO

Thank you for another great article. Where else could anyone get that kind of information in such a perfect way of presentation.

SEO

June 29. 2009 01:23

Colin Millar

Thank you very much for posting this. The magic line compared with other examples is definitely the "myProxy.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;" which fixed a type initializer problem for me. Much appreciated.

Colin

Colin Millar

July 12. 2009 03:42

chrisb

This works. Most of the code I found was for VS 2005, and I spent hours trying to figure out why it did not work. Thanks!

chrisb

July 16. 2009 23:59

SEO

How to differentiate between sites and subsites in SharePoint Object Model?

SEO

July 19. 2009 22:29

internet marketing

Do we have a default tab control in Visual Studio 2008?

internet marketing

July 20. 2009 21:31

Magnus

Haibo,

change your
clientCredentialType="Windows"
to
clientCredentialType="NTLM"
in the app.config.

/M

Magnus

July 31. 2009 21:33

Carl

Hi,

At first I was getting:

The authentication header received from the server was 'NTLM

Now I've updated the app.config file to;

<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" realm=""/>
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>

I get the following error;

The NTLM authentication scheme was specified, but the target credential does not allow NTLM.

We use AD integration for authentication with our WSS environment. I'm wondering if this is causing the problem.

Cheers

Carl

Carl

August 5. 2009 23:16

Wimme

It worked for me by setting clientCredentialType in the app.config to "Ntlm"

Wimme

August 9. 2009 23:46

Transfer of Equity

You have done a marvellous job by exploring this subject with such an honesty and depth. Thanks for sharing it with us!

Transfer of Equity

August 22. 2009 18:05

London Escort Agencies

I admit, I have not been on this webpage in a long time... however it was another joy to see. It is such an important topic and ignored by so many, even professionals.

London Escort Agencies

September 2. 2009 06:31

Thierry

Thanks a lot.
Your solution was the best.

Thierry

Thierry

September 9. 2009 04:07

Prince2 Training

This is such a great resource that you are providing and you give it away for free. I love seeing websites that understand the value of providing a quality resource for free. It's the old what goes around comes around routine. Did you acquire lots of links and I see lots of trackbacks??

Prince2 Training

September 14. 2009 10:39

payday online

Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Anyway, I'll be subscribing to your feed and I hope you post again soon.

payday online

September 15. 2009 19:34

payday loans

Easy option to get useful information as well as share good stuff with good ideas and concepts

payday loans

September 17. 2009 02:11

Emo

You have done a marvellous job by exploring this subject with such an honesty and depth. Thanks for sharing it with us!

Emo

Emo
