System.ServiceModel.Security.MessageSecurityException occurred Message="The HTTP request is unauthorized with client authentication scheme ‘Negotiate’. The authentication header received from the server was ‘Negotiate

As described in this bug report Microsoft classifies this as a known issue, with the bug being resolved as ‘By Design’.

Your fix is to add an identity element to the WCF endpoint like this.

<identity>
    <userPrincipalName value="WcfServiceAccount@domain" />
</identity>

But the problem with CCF is that the url for some of the endpoints are read through code from a database and set through the proxy class. Now when you do this the identity from the config file does not flow through resulting in the same exception you see above.

One option is to uninstall the service pack on the client. This is not as easy as it seems because the the 3.5 service pack also updates assemblies in the 2.0 and 3.0 frameworks to their SP2 levels.

To get back to pre 3.5 SP1 you need to uninstall all the frameworks and re-install them again avoiding the 3.5 SP1. The exact steps to do this is outlined here by Microsoft engineer, Aaron Stebner.

But what if you don’t have the luxury of walking all your end-users through the uninstall? A suggested fix from Microsoft (targeting CCF) is as follows:

1. Set up a cNAME in DNS for the servername you are using in database urls.
2. Use setspn -a HOST/CNAME domain\apppooluser
3. Change all the database urls to this CNAME
4. Do an iisreset
5. Test

For example if the database urls are http://ccfserver/…..

1. Create a  CNAME CCFALIAS in DNS
2. setspn -a HOST/CCFALIAS ccf\aspuser
3. Change all database urls to ccfalias
4. iisreset
5. Test if you reach /urls with this alias from web servers and from clients

Be careful not to set HOST/CCFSERVER spn for aspuser. Note we are setting HOST/CCFALIAS spn which is CNAME for ccfserver in DNS. If by mistake you set host/ccfserver it can wreak havoc  for Kerberos.