
I wrote a WCF service hosted by IIS 6 on a server that is not part of a domain. It uses the following configuration:

<system.serviceModel>
  <services>
    <service behaviorConfiguration="ServiceBehavior" name="Services.DeliveryStatsService">
      <endpoint address="" binding="customBinding" bindingConfiguration="BindingWithMaxClockSkewForIncorrectlyConfiguredWindowsServer"
        contract="Services.IDeliveryStatsService" />
    </service>
  </services>

  <bindings>
    <customBinding>
      <binding name="BindingWithMaxClockSkewForIncorrectlyConfiguredWindowsServer">
        <binaryMessageEncoding />
        <security>
          <localClientSettings maxClockSkew="00:20:00" />
          <localServiceSettings maxClockSkew="00:20:00" />
          <secureConversationBootstrap />
        </security>
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpGetEnabled="false" />
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

It would've been a simple basicHttpBinding, except that the server's clock is not set to the right time and its administrator will not change that, so a customBinding is required to allow for "clockSkew."

Clients use pretty much the same configuration (binding-wise) and can access the service without any trouble, as long as they are not part of a domain. However, clients that are part of a domain are rejected with the message "The caller was not authenticated by the service."

I turned on tracing and it would seem that the problem comes from a token exchange using SSPI negotiation. Unfortunately, I can't seem to find the right configuration that will allow both machines that are not part of a domain and machines that are part of a domain to access the service. I have tried several values for authenticationMode, to no avail. What's more, as far as I'm concerned, I don't need any particular security on this service.

WCF configuration is far from being my specialty and I haven't found an answer anywhere else, so I hope someone at Stack Overflow will be able to help. Thanks in advance.

madd0
  • I should've specified that clients are supposed to access the service anonymously. No credentials are passed. Even so, it works when machines are not part of a domain and it doesn't when they are. – madd0 Feb 25 '11 at 17:52

1 Answer


Why do you need to set maxClockSkew when you don't need security? It is for handling time differences in timestamps, which are not sent without security. Once you add the security element you turn on authentication, because all attributes in the element have default values. The default value for mode is sspiNegotiated. I would start with removing the security element.

Ladislav Mrnka
  • Removing the `security` element resulted in a new exception. I do not have access to a machine on the domain during the weekend, but I'll post more info first thing on Monday. Thanks. – madd0 Feb 26 '11 at 12:30
  • I accepted this as an answer because it indeed solved my problem, but if somebody can explain why "anonymous behavior" worked when not on a domain machine and didn't on a domain machine, without completely removing security, I wouldn't mind the explanation ;) – madd0 Feb 28 '11 at 09:22
  • madd0: It can have something to do with sspiNegotiated and configuration of domain machine. – Ladislav Mrnka Mar 03 '11 at 08:30
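As an added example (not part of the question or the answer above), this is the question's service configuration with the `security` element removed, which is the change the accepted answer recommends. It keeps the question's own service, contract and behavior names; the binding name `AnonymousBinaryHttpBinding` is an assumption chosen for this example. The reasoning, taken from the answer, is that without a `security` element WCF exchanges no security timestamps, so the `maxClockSkew` values that motivated the customBinding have nothing to govern, and no SSPI negotiation is attempted against the caller.

```xml
<!-- Added example, not the original post's configuration: the question's
     customBinding with the <security> element removed, as the answer suggests.
     Without <security> no WS-Security timestamps are exchanged, so maxClockSkew
     is irrelevant, and the service no longer starts the sspiNegotiated token
     exchange that domain-joined clients failed. -->
<system.serviceModel>
  <services>
    <service behaviorConfiguration="ServiceBehavior" name="Services.DeliveryStatsService">
      <endpoint address="" binding="customBinding" bindingConfiguration="AnonymousBinaryHttpBinding"
        contract="Services.IDeliveryStatsService" />
    </service>
  </services>

  <bindings>
    <customBinding>
      <!-- Binding name is an assumption made for this example. -->
      <binding name="AnonymousBinaryHttpBinding">
        <binaryMessageEncoding />
        <!-- No <security> element here. Its attributes all have defaults, and
             the default authenticationMode (sspiNegotiated) is what turned
             authentication on in the original binding. -->
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpGetEnabled="false" />
        <!-- Kept from the question for debugging. On an anonymous endpoint this
             returns exception details (including stack traces) to every caller,
             so it is normally set to false once the service is working. -->
        <serviceDebug includeExceptionDetailInFaults="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The client's customBinding has to be changed the same way: a client that still carries a `security` element with `secureConversationBootstrap` will try to establish a secure conversation that this service no longer supports. If binary message encoding is not actually required, the same anonymous endpoint can be expressed as the plain basicHttpBinding the question says was the original intention, since the clock-skew problem only existed because the `security` element was present.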