IIS hosted WCF-service + Windows auth in IIS + TransportCredentialOnly/Windows auth in basicHttpBinding

Question

I want to create a WCF-service hosted in IIS6 and disable anonymous authentication in IIS. And don't use SSL.

So only way I have is to use basicHttpBinging with TransportCredentialOnly, itsn't it?

I create a virtual directory, set Windows Integrated Auth and uncheck "Enable Anonymous Access".

Here's my web.config:

<system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="MyBinding">
                    <security mode="TransportCredentialOnly">
                        <transport clientCredentialType="Windows" />
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <services>
            <service name="Samples.ServiceFacadeService" behaviorConfiguration="ServiceFacadeServiceBehavior">
                <endpoint address="" binding="basicHttpBinding" bindingName="MyBinding"
                          contract="Samples.IServiceFacadeService">
                </endpoint>
            </service>
        </services>
    <behaviors>
        <serviceBehaviors>
            <behavior name="ServiceFacadeServiceBehavior">
                <serviceDebug includeExceptionDetailInFaults="true"/>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

You can see that I even haven't included MEX-enpoint for metadata exchange. Just one endpoint and one binding for it with TransportCredentialOnly security.

But when I tries to start service (invoking a method throught client proxy) I got such exception in the EventLog:

Exception: System.ServiceModel.ServiceActivationException: The service '/wcftest/ServiceFacadeService.svc' cannot be activated due to an exception during compilation. The exception message is: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.. ---> System.NotSupportedException: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

I have no idea why my service require Anonymous auth? Why?

score 8 · Answer 1 · answered Oct 20 '08 at 19:04

The answer found jezell. Thanks. I mixed up bindingName and bindingConfiguration :

<endpoint address="" binding="basicHttpBinding" bindingName="MyBinding"
          contract="Samples.IServiceFacadeService">
</endpoint>

That's right:

<endpoint address="" binding="basicHttpBinding" **bindingConfiguration**="MyBinding"
          contract="Samples.IServiceFacadeService">
</endpoint>

Sixto Saez · Answer 2 · 2008-10-20T17:50:28.660

7

The MEX endpoint may still be the problem (see this post). Try disabling MEX like this:

<services>
    <!-- Note: the service name must match the configuration name for the service implementation. -->
    <service name="MyNamespace.MyServiceType" behaviorConfiguration="MyServiceTypeBehaviors" >
        <!-- Add the following endpoint.  -->
        <!-- Note: your service must have an http base address to add this endpoint. -->
        <endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
    </service>
</services>

<behaviors>
    <serviceBehaviors>
        <behavior name="MyServiceTypeBehaviors" >
            <!-- This disables it. -->
            <serviceMetadata httpGetEnabled="false" />
        </behavior>
    </serviceBehaviors>
</behaviors>

Here is a good post on securing MEX.

edited Oct 20 '08 at 17:50

answered Oct 20 '08 at 17:40

Sixto Saez

12,610
5
43
51

I don't have MEX endpoint at all. Securing of mex-endpoint is another challenge. But I agree not to have it at all. I guess it's no point in setting httpGetEnabled to false if I haven't got mex-endpoint. Anyway, this haven't helped, I tried. – Shrike Oct 20 '08 at 18:44
I think that WCF automatically sets up a default MEX endpoint. The suggestion I made was to manually create the MEX endpoint which overrides the default and disable it to prevent the compilation step from detecting the requirement to have anonymous access for the MEX endpoint. – Sixto Saez Oct 20 '08 at 19:05
Interesting. But everything got worked without mex-endpoint after I fixed my stupid mistake. – Shrike Oct 20 '08 at 22:11

score 3 · Answer 3 · answered Sep 07 '10 at 19:19

3

Use basicHttpBinding for your mex endpoint and apply the same bindingConfiguration:

answered Sep 07 '10 at 19:19

Kay Khan

186
1
4

score 1 · Answer 4 · edited Jan 28 '12 at 22:06

1

To get VS wcf service project (new sample project) to work with authentication under IIS, you have to:

1) Allow Anonymous access in IIS
2) Prefix your public methods with a attribute like this:

[PrincipalPermission(SecurityAction.Demand, Role = "MyADGroup")]
public string SendMyMessage(string Message)
{...}

edited Jan 28 '12 at 22:06

stealthyninja

10,343
11
51
59

answered Jan 26 '11 at 16:02

wcfdude

11
1

IIS hosted WCF-service + Windows auth in IIS + TransportCredentialOnly/Windows auth in basicHttpBinding

4 Answers4

Linked