I am new to web services and I have following problem. I have a WCF service that is running in Windows Authentication mode on IIS 7.5 and Windows 2008 R2. It works good when I call it directly from the IIS machine. But when I try to call service from local computer then I get following error: 401 - Unauthorized: Access is denied due to invalid credentials.

The service was working on local computers for few days and suddenly it stopped (I am not sure but it is possible that some configuration was changed).

I call service directly from IExplorer: http://serveriis/ssopension/service.svc

web.config:

 <?xml version="1.0" encoding="UTF-8"?>
<configuration>

  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>O8jBoF9YUW3sZtSN+L/Xxhzss=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>C+EeTszivHho8Ujk2oIQ==</CipherValue>
      </CipherData>
    </EncryptedData>
  </connectionStrings>


<system.web>
    <compilation targetFramework="4.0" />

    <authentication mode="Windows" />

    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
  </system.web>

  <system.serviceModel>

    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <services>
      <service behaviorConfiguration="SSO_Pension.ServiceBehavior" name="SSO_Pension.Service">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpEndpointBinding" name="BasicHttpEndpoint" contract="SSO_Pension.IService">
          <identity>
            <dns value="localhost" />
          </identity>
        </endpoint>

      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="SSO_Pension.ServiceBehavior">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

    </system.serviceModel>


    <system.webServer>
        <defaultDocument>
            <files>
                <add value="Service.svc" />
            </files>
        </defaultDocument>
    </system.webServer>

</configuration>

I found the solution on http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/c9239a89-fbee-4adc-b72f-7a6a9648331f/

To whoever this may help, this saved my life...

IIS 7 was difficult for figuring out why i was getting the 401 - Unauthorized: Access is denied due to invalid credentials... until i did this...

1.) Open iis and select the website that is causing the 401

2.) Open the "Authentication" property under the "IIS" header

3.) Click the "Windows Authentication" item and click "Providers"

4.) For me the issue was that Negotiate was above NTLM. I assume that there was some kind of handshake going on behind the scenes, but i was never really authenticated. I moved the NTLM to the top most spot, and BAM that fixed it.

Thanks man!

I've been searching everywhere for this, including these two articles:

http://blogs.msdn.com/b/distributedservices/archive/2009/11/10/wcf-calling-wcf-service-hosted-in-iis-on-the-same-machine-as-client-throws-an-authentication-error.aspx

http://support.microsoft.com/default.aspx?scid=kb;EN-US;926642

This solved my problem.