We're using UsernamePasswordValidator along with a certificate to secure access to our WCF services.

However, the custom authorization policies we're using are SERVICE behaviors, not endpoint behaviors, so they apply to all endpoints, including the MEX endpoint. We'd like to be able to go and grab the service references using Visual Studio without having to comment out the service behaviors every time, but since both the mex and the wshttp endpoint are secured, we get an error when doing "Add Service Reference...".

Is there any way around this?

+1  A: 

Are you using the same binding on both? If so, try 2 separate bindings - one for the mex endpoint and one for the wshttp:

So for the service - something like:

<wsHttpBinding>
  <binding name="wsHttpBindingMessageUname">
    <security mode="Message">
      <message clientCredentialType="UserName" negotiateServiceCredential="true"
               establishSecurityContext="false" />
    </security>
  </binding>
</wsHttpBinding>

and for the mex endpoint (no security):

<customBinding>
  <binding name="customMex">
    <textMessageEncoding>
      <readerQuotas maxDepth="2147483647"
                    maxStringContentLength="2147483647"
                    maxArrayLength="2147483647"
                    maxBytesPerRead="2147483647"
                    maxNameTableCharCount="2147483647" />
    </textMessageEncoding>
    <httpTransport transferMode="Buffered"
                   maxReceivedMessageSize="2147483647"
                   maxBufferSize="2147483647" />
  </binding>
</customBinding>

Service endpoints will be something like:

<endpoint address="" behaviorConfiguration="Server.Services.DefaultEndpointBehavior" binding="wsHttpBinding"
          bindingConfiguration="wsHttpBindingMessageUname" name="DefaultHttp" contract="Server.Services.IMyService" listenUriMode="Explicit" />
<endpoint address="mex" binding="customBinding" contract="IMetadataExchange" name=""
          bindingConfiguration="customMex" listenUriMode="Explicit" />

With this setup, it's not applying the security for mex so you shouldn't get that message when trying to update service reference. Either that, or create another secure binding that uses different credentials, i.e. a client certificate on your machine.

The following MSDN post has a sample of this and more info can be found on this blog regarding secure mex endpoints.

Tanner
A: 

I think from the question he also noted that he was using Service Behaviours, so the binding configuration won't make a difference, since the entire service uses the UserNamePassword Validator.

Two things come to mind here.

Remove the explicit mex binding and add under service behaviors

<serviceMetadata httpsGetEnabled="true" />

Or keep the mex binding, and enable

<serviceMetadata httpGetEnabled="true" />

CustomUserNameValidator doesn't get executed when requesting metadata, so if httpsGetEnabled isn't on, and you have a mex binding on http, you need httpGetEnabled on at least.

Neil
Tanner
It should work, but the username is not the problem. I don't think it's the encoding of the transport layer or message layer, or the binding used. I think it's the fact that mex on http when the service is trying to behave like a https with a certificate is the culprit.
Neil
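
Both answers change where the service publishes its metadata (an unsecured mex endpoint, or httpGetEnabled / httpsGetEnabled), so it is worth listing those exposure points in a config before it is deployed. The Python check below is an added example, not code from the thread: the service name, the behavior name "Default" and the sample config are constructed, and "no security declared" is a heuristic over the XML only (binding defaults are not modelled).

```python
import xml.etree.ElementTree as ET
INT_MAX = "2147483647"
# Constructed sample: the thread's bindings and endpoints plus httpGetEnabled.
SAMPLE_CONFIG = """<configuration><system.serviceModel>
 <bindings>
  <wsHttpBinding><binding name="wsHttpBindingMessageUname">
   <security mode="Message"><message clientCredentialType="UserName" /></security>
  </binding></wsHttpBinding>
  <customBinding><binding name="customMex">
   <textMessageEncoding><readerQuotas maxDepth="2147483647" /></textMessageEncoding>
   <httpTransport maxReceivedMessageSize="2147483647" />
  </binding></customBinding>
 </bindings>
 <behaviors><serviceBehaviors><behavior name="Default">
  <serviceMetadata httpGetEnabled="true" />
 </behavior></serviceBehaviors></behaviors>
 <services><service name="Server.Services.MyService" behaviorConfiguration="Default">
  <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpBindingMessageUname" contract="Server.Services.IMyService" />
  <endpoint address="mex" binding="customBinding" bindingConfiguration="customMex" contract="IMetadataExchange" />
 </service></services>
</system.serviceModel></configuration>"""

def audit_metadata_exposure(config_xml):
    """Return (kind, where, detail) for each way the config publishes metadata."""
    root = ET.fromstring(config_xml)
    findings = []
    mex_path = ".//services/service/endpoint[@contract='IMetadataExchange']"
    for ep in root.findall(mex_path):
        kind, name = ep.get("binding"), ep.get("bindingConfiguration")
        binding = next((b for b in root.findall(f".//bindings/{kind}/binding")
                        if b.get("name") == name), None)
        elems = list(binding.iter()) if binding is not None else []
        # Heuristic: protection is "declared" only if the mex binding has a
        # <security> element (mode other than None) or an <httpsTransport>.
        declared = any(e.tag == "httpsTransport" or
                       (e.tag == "security" and e.get("mode", "").lower() != "none")
                       for e in elems)
        if declared:
            continue
        findings.append(("mex-endpoint", ep.get("address"), f"{kind}/{name}: no security declared"))
        # Quotas raised to int.MaxValue on an endpoint any caller can reach.
        maxed = sorted(a for e in elems for a, v in e.attrib.items() if v == INT_MAX)
        if maxed:
            findings.append(("mex-quotas", name, ", ".join(maxed)))
    for sm in root.iter("serviceMetadata"):
        for attr in ("httpGetEnabled", "httpsGetEnabled"):
            if sm.get(attr, "false").lower() == "true":
                findings.append(("wsdl-get", attr, "WSDL published over HTTP GET"))
    return findings
```

On the constructed sample this reports the open mex endpoint, its maxed-out quotas and the httpGetEnabled flag; run it against the config that ships to production, where metadata publishing is usually switched off.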