-2

I am trying to set up message level security for a WCF application that I am writing. This application already has an endpoint that is set up with transport level security. Can I set up another endpoint that has message level security? This application is running over IIS by the way. I set up a separate service in the same config file like so...

<service name="generalName">
  <endpoint address=...>
   .
   .
   .
</service>
<service name="generalName2">
   <endpoint address=""...>
</service>

The reason I ask this is because I think I have set everything up and I think it could work. But when I try and access the previous service I get the following error...

Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service.

I know the previous service works because I could access it before I set up the second service.

Any advice for me? Should I just try and write a completely separate service here or are there ways around this?

Sathyajith Bhat
SoftwareSavant

1 Answer

3

Not knowing what binding you use - depending on whether that binding supports both transport and message security - yes, of course you should be able to expose two endpoints, one with transport security, the other with message security.

Since this is really only one service with two endpoints, your config should look something like this (I picked wsHttpBinding as my sample - adapt as needed):

  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="TransportSec">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
        <binding name="MessageSec">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <services>
      <service name="YourService" >
        <endpoint name="Transport" 
              address="Transport"
              binding="wsHttpBinding"
              bindingConfiguration="TransportSec"
              contract="IYourService" />

        <endpoint name="Message"
              address="Message"
              binding="wsHttpBinding"
              bindingConfiguration="MessageSec"
              contract="IYourService" />
      </service>
    </services>
  </system.serviceModel>

Basically, you define two binding configurations, and then you have two endpoints for your one service, one using the transport security binding configuration, the other endpoint using the message security binding configuration.

Those two endpoints of course cannot have the same address - so you need to give two separate (relative) addresses to each of the endpoints.

marc_s
  • Also remember to configure IIS to disable anonymous access and enable Windows authentication only, since @marc_s's example requires that the Windows identity be passed with each service request. The WCF client will automatically provide the Windows identity so you shouldn't need to change anything except the configuration file. – Sixto Saez May 17 '11 at 16:30
  • @Sixto Saez: that's just my guess - wsHttpBinding also supports other means of passing the client credentials - like UserName or Certificate etc. – marc_s May 17 '11 at 16:31
  • Right, I was also guessing the same based on the exception I saw in the question. Thanks! – Sixto Saez May 17 '11 at 16:40
  • Thanks for the reply! You said that "since this is one service with two endpoints"... That is not the case with my application (if I am understanding what you mean correctly). I have two services (in the same project, two classes that attempt to service requests from the same service contract). I have set up two bindings, and two endpoints. Sixto Saez, both Anonymous access and Windows authentication have been set to the correct settings for the particular sub site that I am on. Should the root site have those options set? I am running IIS 7. – SoftwareSavant May 17 '11 at 18:02
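An added example, not part of the answer or comments above: a Python check that resolves each endpoint's bindingConfiguration in a web.config and reports which endpoints authenticate at the transport with Windows credentials, the case in which the hosting IIS application needs Windows Authentication enabled (the condition named in the question's error). The sample config is constructed from the answer's snippet, and the function name and result keys are hypothetical. A binding that omits the security element or the credential attribute is reported as None rather than resolved to WCF's defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's config, compacted, wrapped in <configuration>.
SAMPLE = """<configuration><system.serviceModel>
<bindings><wsHttpBinding>
  <binding name="TransportSec"><security mode="Transport">
    <transport clientCredentialType="Windows" /></security></binding>
  <binding name="MessageSec"><security mode="Message">
    <message clientCredentialType="UserName" /></security></binding>
</wsHttpBinding></bindings>
<services><service name="YourService">
  <endpoint address="Transport" binding="wsHttpBinding"
            bindingConfiguration="TransportSec" contract="IYourService" />
  <endpoint address="Message" binding="wsHttpBinding"
            bindingConfiguration="MessageSec" contract="IYourService" />
</service></services>
</system.serviceModel></configuration>"""

# Modes in which the HTTP transport (IIS) authenticates the caller.
TRANSPORT_AUTH_MODES = {"Transport", "TransportCredentialOnly"}

def audit_endpoints(config_xml):
    """Resolve every endpoint's binding configuration and security settings."""
    model = ET.fromstring(config_xml).find(".//system.serviceModel")
    # Index named binding configurations by (binding type, name).
    configs = {(bt.tag, b.get("name")): b
               for bt in model.iterfind("bindings/*")
               for b in bt.iterfind("binding")}
    rows = []
    for svc in model.iterfind("services/service"):
        for ep in svc.iterfind("endpoint"):
            b = configs.get((ep.get("binding"), ep.get("bindingConfiguration")))
            sec = b.find("security") if b is not None else None
            mode = sec.get("mode") if sec is not None else None
            # Credential type lives under <transport> or <message> per mode.
            layer = "transport" if mode in TRANSPORT_AUTH_MODES else "message"
            node = sec.find(layer) if sec is not None else None
            cred = node.get("clientCredentialType") if node is not None else None
            rows.append({"service": svc.get("name"), "address": ep.get("address"),
                         "mode": mode, "credential": cred,
                         "needs_iis_windows_auth":
                             mode in TRANSPORT_AUTH_MODES and cred == "Windows"})
    return rows

if __name__ == "__main__":
    for row in audit_endpoints(SAMPLE):
        print(row)
```

Because it walks every service element, the same check covers a config with two separate services, as in the question.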