4

I am authenticating a user on to a WCF service via IIS7 using Windows Authentication and ASP.NET Impersonation.

When debugging locally I am able to see the System.Security.Principal.WindowsIdentity.GetCurrent().Name as equal to my Windows credentials. When I deploy this service to a server, the WCF fails to run unless Anonymous Authentication is enabled.

So, how do we get this WCF service to run on a server with Anonymous Authentication disabled?

UPDATE 1: Error message after trying both suggestions:

The authentication schemes configured on the host ('IntegratedWindowsAuthentication') do not allow those configured on the binding 'WebHttpBinding' ('Anonymous'). Please ensure that the SecurityMode is set to Transport or TransportCredentialOnly. Additionally, this may be resolved by changing the authentication schemes for this application through the IIS management tool, through the ServiceHost.Authentication.AuthenticationSchemes property, in the application configuration file at the element, by updating the ClientCredentialType property on the binding, or by adjusting the AuthenticationScheme property on the HttpTransportBindingElement.

UPDATE 2: The authentication has been set in the following way:

Application Pool:

  • Identity = NetworkService

Web Site:

  • Anonymous Authentication = disabled
  • ASP.NET Authentication = enabled
  • Windows Authentication = enabled

WCF Application:

  • Anonymous Authentication = disabled
  • ASP.NET Authentication = enabled
  • Windows Authentication = enabled
Steven
aleafonso

3 Answers

4

This is a common problem. You need to set the security mode and the corresponding transport element. If you use basicHttpBinding, put the following text in the config:

<basicHttpBinding>
  <binding>
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows" />
    </security>
  </binding>
</basicHttpBinding>

Read the following posts:

http://blogs.msdn.com/b/drnick/archive/2007/03/23/preventing-anonymous-access.aspx

http://blogs.msdn.com/b/wenlong/archive/2006/05/18/600603.aspx

vibhu
  • Thank you. However, we need to use webHttpBinding rather than basicHttpBinding, this is to enable us to define default behaviours for the service. Please, look at the question to see the error message that we are currently getting. – aleafonso Aug 05 '13 at 10:45
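
Added example, not part of the original thread: the same security setting applied to webHttpBinding, which is the binding named in the question's error message. The binding, behaviour, service and contract names are hypothetical placeholders.

```xml
<!-- Added example: names marked "hypothetical" are placeholders, not from the thread. -->
<system.serviceModel>
  <bindings>
    <webHttpBinding>
      <!-- Without a <security> element, webHttpBinding uses mode="None",
           which WCF reports as the 'Anonymous' scheme in the error above. -->
      <binding name="webWindowsAuth"> <!-- hypothetical name -->
        <!-- Plain HTTP: authenticate the caller with Windows credentials.
             On an HTTPS site binding use mode="Transport" instead. -->
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </webHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="webBehavior"> <!-- hypothetical name -->
        <webHttp />
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <services>
    <service name="MyCompany.MyService"> <!-- hypothetical service type -->
      <!-- bindingConfiguration must name the binding above; otherwise the
           endpoint falls back to the default (anonymous) webHttpBinding. -->
      <endpoint address=""
                binding="webHttpBinding"
                bindingConfiguration="webWindowsAuth"
                behaviorConfiguration="webBehavior"
                contract="MyCompany.IMyService" /> <!-- hypothetical contract -->
    </service>
  </services>
</system.serviceModel>
```

TransportCredentialOnly authenticates the caller but gives the message no confidentiality or integrity protection on the wire, so it belongs on trusted networks only.
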
1

One of the reasons for the error is that you need to enable Kerberos delegation on the server hosting ASP.NET. This allows the Windows-authenticated token to be propagated to the server hosting the WCF service.

Have a look at the following link:

Impersonation and Delegation in WCF

Nimantha
rauts
  • Many thanks for the suggestion. We have enabled the server for delegation in AD and retested. Unfortunately the service still fails to work with Anonymous Authentication disabled and ASP.NET Impersonation enabled. The error message displayed remains the same as before. Any other ideas? – aleafonso Aug 06 '13 at 14:24
  • What authentication have you enabled on the WCF service and the ASP.NET application respectively? I think if you have both as Windows Authentication, it should work. – rauts Aug 06 '13 at 14:34
  • Please have a look at the question. I have just updated it with all the authentication values that are being used. Thanks a lot – aleafonso Aug 06 '13 at 14:58
  • Do you have any other clue about what could be going on here? We are still trying to make this work with no success unfortunately... Any help would be massively appreciated. Regards – aleafonso Aug 08 '13 at 18:55
0

Had same issue. With me it was because Windows authentication was not enabled on IIS for the application.

  1. Open IIS
  2. Select your web application
  3. Click Authentication icon (IIS)
  4. Enable Windows Authentication
NoloMokgosi