Error message on CCF clients that have the .NET Framework SP1 installed: "The authentication header received from the server was 'Negotiate'"

Applies to: .NET Framework 3.5 Service Pack 1

Symptoms


When you use an Agent Desktop application or the Microsoft Management Console (MMC) in an environment that is running the Microsoft Customer Care Framework (CCF), Windows clients that have the Microsoft .NET Framework 3.5 Service Pack 1 (SP1) installed receive the following error messages in the Event Viewer application log:

Error message 1
ListenerConfiguration has encountered a problem while trying to access the Configuration web service. The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate'.

Error message 2
ListenerConfiguration has encountered a problem while trying to access the Configuration web service. The HTTP request is unauthorized with client authentication scheme 'Negotiate,NTLM'. The authentication header received from the server was 'Negotiate'.
Additionally, if you use Agent Desktop, the application does not start.

This problem occurs if the endpoint URLs that are used in the Agent Desktop configuration files and in the CCFInfrastructure database point to the actual NetBIOS name of the server that hosts the CCF Web services.

If you use the MMC together with the actual NetBIOS name for the CCF Web server or with the fully qualified domain name (FQDN) that appears in the Connect to box, the connection is not successful. Additionally, you see an error message that resembles the following in the system event log:

Note The CCF Web server is the server that runs Internet Information Services (IIS).

Cause


This problem occurs because of security and authentication changes that are related to the Windows Communication Framework (WCF) in the .NET Framework 3.5 Service Pack 1.

For more information, see Section 2.3.2 of the .NET 3.5 Service Pack 1 Readme file. To view this file, visit the following Microsoft Web site:

Resolution


To resolve this problem, follow these steps:
  1. Set up a DNS alias (CNAME record) for the CCF IIS server. To do this, follow these steps.

    Notes
    • The name is used in endpoint URLs in Agent Desktop, in the MMC, and in the Web services configuration files.
    • You must be a domain administrator and a DNS administrator to perform these steps.
    1. On the domain controller computer that is running DNS, click Start, point to All Programs, click Administrative Tools, and then click DNS.
    2. Expand the domain controller node.
    3. Expand the Forward Lookup Zones node.
    4. Click the CCF FQDN.
    5. Right-click in the right pane.
    6. Click New Alias (CNAME).
    7. In the New Resource Record dialog box, type the alias name. For example, type the name of the CCF IIS alias computer together with the FQDN of the CCF IIS server.
    8. Add the required host, and then click Done.
  2. On the client computer, add the HTTP URL of the CCF IIS alias computer and of the CCF IIS alias FQDN to the Local Intranet Sites list.
  3. Change all the server names in endpoint URLs from "CCF IIS actual server name or FQDN" to the CCF IIS alias name or to the CCF IIS alias FQDN. You must do this in the following files or URLs:
    • The Agentdesktop.exe.config file on the client.
    • The Mmc.exe.config file for the MMC.
    • All the CCF Web services Web.config files on the CCF IIS server.
    • All the endpoint URLs in the Microsoft SQL Server CCFInfrastructure database.
  4. At a command prompt, run the SetSpn command to register the service principal names (SPNs) host/CCFAlias and host/CCFAlias.fabrikam.com for the account that is running the CCF Web services application pool in IIS. For example, use the SetSpn command to register the SPNs for the "ASPUSER" account.

    Note You must log on as a domain administrator to perform this step. To download the Setspn.exe support tool, click the following article number to view the article in the Microsoft Knowledge Base:

    970536 Setspn.exe support tool update for Windows Server 2003

    The following two examples show how to run the SetSpn command (the -S switch checks for a duplicate SPN before adding it):
    setspn -S host/CCFIISAlias MyDomain\MyCCFAppPoolServiceAccount
    setspn -S host/CCFIISAlias.mydomain.com MyDomain\MyCCFAppPoolServiceAccount
  5. Do one of the following to purge tickets on the client:
    • Restart the client computers.
    • Wait for the Kerberos tickets to expire on the client computers.
    • Use the Kerbtray.exe file from the Windows Resource Kit.
  6. Test Agent Desktop and the MMC.

    Note In the MMC, make sure that you type the CCF IIS alias name instead of the CCF IIS server name in the Connect to box.
Note Web applications that run in IIS 7.0 use a new feature that is called Kernel Mode authentication to perform Windows authentication. This feature allows for simplified SPN configuration and for enhanced authentication performance. By default, IIS 7.0 enables this feature. When this feature is enabled, IIS 7.0 does not use the application pool's identity to decrypt Kerberos tickets during Windows authentication.

If you are using CCF 2009 together with IIS 7.0 or with Windows Server 2008, you must set a flag in the IIS configuration file on the server so that IIS uses the application pool's credentials for authentication. To set this flag, follow these steps:
  1. On the IIS 7.0 server, open a command prompt as the Administrator user.
  2. Run the following command:
    Notepad.exe C:\Windows\System32\inetsrv\config\applicationHost.config
  3. In the XML configuration, change the authentication configuration for all CCF services that are hosted in the application pool and that are running under the DOMAIN\CCFAppPoolSERVICEAccount USER account. The following is an example of the required configuration change:
    <location path="Default Web Site/Microsoft.Ccf.Csr.WebServices.AgentCredentials">
      <system.webServer>
        <directoryBrowse enabled="true" showFlags="Date, Time, Size, Extension" />
        <handlers accessPolicy="Read, Execute, Script" />
        <security>
          <authentication>
            <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
              <providers>
                <clear />
                <add value="Negotiate" />
              </providers>
            </windowsAuthentication>
            <anonymousAuthentication enabled="true" />
            <digestAuthentication enabled="false" />
            <basicAuthentication enabled="false" />
          </authentication>
        </security>
        <defaultDocument enabled="true">
          <files>
            <clear />
            <add value="Default.htm" />
            <add value="Default.asp" />
            <add value="index.htm" />
            <add value="index.html" />
            <add value="iisstart.htm" />
            <add value="default.aspx" />
          </files>
        </defaultDocument>
      </system.webServer>
    </location>
  4. Change the configuration of all the CCF Web services as described in this article, using the appropriate path attribute for each location element.

    The CCF Web services in CCF 2009 are the following:
    • Microsoft.Ccf.Csr.WebServices.AgentCredentials
    • Microsoft.Ccf.Csr.WebServices.AdminConsole
    • Microsoft.Ccf.Csr.WebServices.ContactCenterAIF
    • Microsoft.Ccf.Csr.WebServices.ContactCenter
    • Microsoft.Ccf.Csr.WebServices.Customer
    • Microsoft.Ccf.WebServices.Gateway
    • Microsoft.Ccf.Samples.DemoWebApplication
    • Microsoft.Ccf.Samples.MultichannelServer
    • Microsoft.Ccf.Samples.MultichannelSite
    • Microsoft.Ccf.Csr.WebServices.ContactCenter.AgentLoginManager
    • Microsoft.Ccf.ConfigurationSystem.Server.ConfigurationService
    • Microsoft.Ccf.ConfigManagementDataService
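The following PowerShell script is an added verification example, not part of this article or of CCF; it checks the three conditions the resolution above depends on: the CNAME alias resolves, the host/<alias> SPNs are registered, and each CCF service location in applicationHost.config has useAppPoolCredentials="true". The alias, domain, account and config path are assumed values, and setspn.exe is assumed to support the -Q switch.

```powershell
# Added verification script (not from the original KB article). It checks the three
# things the resolution depends on: the CNAME alias resolves to the CCF IIS server,
# the host/<alias> SPNs are registered, and every CCF Web service location in
# applicationHost.config runs Windows authentication with useAppPoolCredentials="true".
# Alias, domain, account and config path below are assumptions; adjust them.
param(
    [string]$Alias       = 'CCFIISAlias',
    [string]$Domain      = 'mydomain.com',
    [string]$AppPoolAcct = 'MyDomain\MyCCFAppPoolServiceAccount',
    [string]$ConfigPath  = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

$fqdn = "$Alias.$Domain"

# 1. DNS: the alias must resolve. GetHostEntry follows the CNAME to the A record,
#    so HostName shows the real CCF IIS server the alias points at.
try {
    $entry = [System.Net.Dns]::GetHostEntry($fqdn)
    Write-Host "DNS  OK   $fqdn -> $($entry.HostName) $($entry.AddressList -join ', ')"
} catch {
    Write-Host "DNS  FAIL $fqdn does not resolve: $($_.Exception.Message)"
}

# 2. SPNs: setspn -Q reports whether an SPN exists anywhere in the forest and which
#    object owns it. A registration on the wrong account (for example the server's
#    computer account) breaks Kerberos just as a missing one does, so print the owner.
foreach ($spn in "host/$Alias", "host/$fqdn") {
    $out = & setspn.exe -Q $spn 2>&1
    if ($out -match 'No such SPN found') {
        Write-Host "SPN  FAIL $spn is not registered (expected on $AppPoolAcct)"
    } else {
        Write-Host "SPN  OK   $spn`n$($out -join "`n")"
    }
}

# 3. IIS: each CCF location must have Windows authentication enabled with the
#    application pool credentials; otherwise kernel-mode authentication decrypts
#    tickets with an identity that does not hold the host/<alias> SPNs.
[xml]$cfg = Get-Content -LiteralPath $ConfigPath
$ccfLocations = $cfg.configuration.location | Where-Object { $_.path -like '*Microsoft.Ccf.*' }
foreach ($loc in $ccfLocations) {
    $win   = $loc.'system.webServer'.security.authentication.windowsAuthentication
    $ok    = $win -and $win.enabled -eq 'true' -and $win.useAppPoolCredentials -eq 'true'
    $state = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host "IIS  $state $($loc.path) useKernelMode=$($win.useKernelMode) useAppPoolCredentials=$($win.useAppPoolCredentials)"
}
```

Run it from an elevated prompt on the CCF IIS server after completing the steps above; any FAIL line points at the step that still needs attention.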

More Information


Steps to reproduce the problem

  1. Make sure that the client computer has the following programs installed:
    • Windows XP Service Pack 3 (SP3)
    • The .NET Framework 3.5 SP1
    • Either CCF 2009 Agent Desktop or the MMC
  2. Make sure that one computer is a CCF Web server that is running Windows Server 2003 SP2 or Windows Server 2008. Make sure that the other computer has SQL Server 2005 installed.
  3. Make sure that one computer is a domain controller that is running Windows Server 2003 SP2 or Windows Server 2008.
  4. Make sure that all the computers are configured for Kerberos authentication or for Windows authentication.
  5. On a client computer that has the following configuration, start Agent Desktop:
    • The .NET Framework 3.5 SP1 is installed.
    • CCF 2009 Agent Desktop is installed.
    • The endpoint URLs in the Agent Desktop configuration file (agentdesktop.exe.config) point to the actual NetBIOS name or FQDN of the CCF IIS server.

References


For more information about the SetSPN command, visit the following Microsoft Web site:

For more information about Windows 2003 SP1 Support Tools, visit the following Microsoft Web site:

For more information about the Kerbtray.exe file in the Windows 2003 Resource Kit, visit the following Microsoft Web site: