Geek Answers Handbook

Getting a 403 forbidden error. An HTTP request was denied using the Anonymous client authentication scheme

This problem that I encountered does not occur for all clients who access our services, but what is consistent is that when an error occurs, this happens when a service is called for several clients.

The following are information about the exception:

System.ServiceModel.Security.MessageSecurityException An HTTP request was denied using the Anonymous client authentication scheme. System.ServiceModel.Security.MessageSecurityException: An HTTP request was denied using the Anonymous client authentication scheme. ---> System.Net.WebException: The remote server responded with an error: (403) Forbidden. in System.Net.HttpWebRequest.GetResponse () in System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply (TimeSpan timeout) --- End of internal exception stack check --- System trace.SerMode: Server trace.Service: Security.IssuanceTokenProviderBase 1.DoNegotiation(TimeSpan timeout) at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout) at System.ServiceModel.Security.TlsnegoTokenProvider.OnOpen(TimeSpan timeout) at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout) at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout) at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout) at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Channels.SecurityChannelFactory 1.DoNegotiation(TimeSpan timeout) at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout) at System.ServiceModel.Security.TlsnegoTokenProvider.OnOpen(TimeSpan timeout) at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout) at System.ServiceModel.Security.SecurityUtils.OpenTokenProviderIfRequired(SecurityTokenProvider tokenProvider, TimeSpan timeout) at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout) at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Channels.SecurityChannelFactory 1 1.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout) at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout) at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout) at System.ServiceModel.Security.SecuritySessionClientSettings 1.ClientSecuritySessionChannel.OnOpenMenSpanel.PerformancePerformanceSensory.OpenOpenModel.Performance.Time timeout) in System.ServiceModel. Channels.ServiceChannel.OnOpen (TimeSpan timeout)
in System.ServiceModel.Channels.CommunicationObject.Open (TimeSpan timeout) in System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call (ServiceChannel channel, SystemSerlode TimeSpanl). Channels.ServiceChannel.CallOnceManager.CallOnce (TimeSpan timeout, CallOnceManager cascade) at System.ServiceModel.Channels.ServiceChannel.EnsureOpened (TimeSpan timeout) in System.ServiceModel.Channels.ServiceChannel.Calluntan Object, StringOpement, Boolean action ] ins, Object [], TimeSpan timeout) in System.ServiceModel.Channels.ServiceChannel.Call (String action, Boolean oneway, operation ProxyOperationRuntime, Object [] ins, Outs object []) in System.ServiceModel.Channels.ServiceChannelProxy .InvokeService (IMethodCallMessage method Call, ProxyOperationRuntime) under System.ServiceModel.Channels.ServiceChannelProxy.Inv oke (iMessage message) Exception thrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage (iMessage reqMsg, IMessage retMsg) in System.Runtime.Remoting.Proxies.RealProxy.PrivateInvata Message ( Int32) with Proxy.FileTransferService.IFileTransferService.EstablishProxy (DownloadRequest request) in Proxy.FileTransferService.FileTransferServiceClient. Proxy.FileTransferService.IFileTransferService.EstablishProxy (DownloadRequest request) in NormalFileTransferServiceClient.Download (Int32 packageId, IStreamWriter loader, archiver archiver) in LoggingFileTransferServiceClient.Download (Int32 packageId, ISt

This exception is thrown by the client.

Client proxy configuration for IFileTransferService:

 <binding name="WSHttpBinding_IFileTransferService" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Mtom" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" /> <security mode="Message"> <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" /> <message clientCredentialType="UserName" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" /> </security> </binding> <endpoint address="http://[hostname]/FileTransferService.svc/FileTransfer" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IFileTransferService" contract="Proxy.FileTransferService.IFileTransferService" name="WSHttpBinding_IFileTransferService"> <identity> <certificate encodedValue="a long string"/> </identity> </endpoint>

Service Configuration

 <service behaviorConfiguration="ServiceBehavior" name="Services.FileTransferService"> <endpoint name="WSHttpBinding_IFileTransferService" binding="wsHttpBinding" bindingConfiguration="MtomWSHttpBinding" contract="Services.IFileTransferService" address="/FileTransfer"/> <endpoint binding="basicHttpBinding" bindingConfiguration="FileTransferServicesBinding" contract="Services.IFileTransferService"/> <host> <baseAddresses> <add baseAddress="http://[hostname]/FileTransferService.svc"/> </baseAddresses> </host> </service> <binding name="wsHttpBinding" maxReceivedMessageSize="2147483647" receiveTimeout="5" useDefaultWebProxy="false"> <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" /> <security mode="Message"> <message clientCredentialType="UserName" /> </security> </binding> <basicHttpBinding> <binding name="FileTransferServicesBinding" maxReceivedMessageSize="10067108864" messageEncoding="Mtom" transferMode="Streamed" useDefaultWebProxy="false"> <security mode="None"> <message clientCredentialType="UserName" /> </security> </binding> </basicHttpBinding>

Note. Several clients use basicHttpBinding (if I configured everything correctly). In a later release of the client, which may not have been fully distributed (so I must support version 2), I changed the proxy server to use the wsHttpBinding endpoint instead. I am wondering if this error I am getting is specific to basicHttp, and if so, maybe I don't have the appropriate settings. I believe that clients who receive this 403 error use wsHttpBinding.

Here is the service code:

 public RemoteBinaryInfo EstablishProxy(DownloadRequest request) { int packageId = request.PackageId; System.IO.MemoryStream stream = new System.IO.MemoryStream(packageRepository.GetPackageBinary(packageId)); DisposeStreamWhenOperationIsComplete(stream, OperationContext.Current); RemoteBinaryInfo result = new RemoteBinaryInfo(); result.Length = stream.Length; result.MemoryByteStream = stream; return result; } private static void DisposeStreamWhenOperationIsComplete(System.IO.MemoryStream stream, OperationContext clientContext) { clientContext.OperationCompleted += new EventHandler(delegate(object sender, EventArgs args) { if (stream != null) stream.Dispose(); }); }

Does anyone know if this is handling this exception, something like my control? Are there any configuration changes that I can make to client or service configuration files?

If you need more information from me, please let me know.

+8
c # wcf
source share
3 answers

In my case, this error was from our HTTP proxy organization. Found from: MessageSecurityException.InnerException.Response.Headers :

{Mime-Version: 1.0
X-Squid Error: ERR_ACCESS_DENIED 0
X-Cache: MISS from <
X-Cache-Lookup: NONE from <Proxy Server-Addresses>
Proxy Connection: Close
Content Length: 2165
Content-Type: text / html
Date: Wed, 25 Apr 2012 10:55:39 GMT
Server: squid / 3.0.STABLE25
Via: 1.0 <proxy-server-address> (squid / 3.0.STABLE25)
}

In my case, this also happened for a file transfer method that transfers file fragments to a byte array of size 16384. When reducing the size to 10000, the error was resolved. This means that the proxy server is set to a certain size.

On a machine with direct Internet access, the file transfer method never succeeded with this error even for array sizes> 16384.

Since only some of your clients are facing this problem, maybe they are behind a firewall / proxy server that actually blocks access and returns this error?

+3
source

It seems to me that clients receiving MessageSecurityException do not provide the correct username / password with their request.

See the following msdn section http://msdn.microsoft.com/en-us/library/ms733131.aspx

0
source

So you have a web service configured in IIS using anonymous authentication, and you get a 403 forbidden error for only a few users.

From my own experience, this is usually caused by an access denied exception when accessing a system resource controlled by an ACL, such as a file system.

Each user connected anonymously will process his request (subject to IIS 7) by the w3wp.exe process, which usually has an application pool identifier (IIS APPPOOL / AppPoolName), if this identifier is not added to any required access control lists, exclusion is excluded will cause IIS to respond with a 403 error.

I usually add the application pool identifier to the group, and then add the group to any required resources.

If you cannot figure out what resources might throw an exception, try looking in the Security Event Log for Audit Failure entries for tips. You may need to configure a local security policy to log security events.

luck

0
source

More articles:


All Articles