How to avoid CommunicationObjectFaultedException when hosting a WCF service in IIS?

Question

After creating a WCF Web Service for IIS and sucessfully testing it in my ASP.NET development server, when I deploy the service to another machine's IIS it always fire the following exception on consumption:

Test method PoolingServiceTest.ProgramTest.MainTaskTest threw exception: System.ServiceModel.CommunicationObjectFaultedException: O objeto de comunicação, System.ServiceModel.Channels.ServiceChannel, não pode ser usado para comunicação porque está no estado Com Falha..

In English: The object cannot be used for communication because it is With Fault (faulted)

Stack trace

System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout) System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) System.ServiceModel.ICommunicationObject.Close(TimeSpan timeout) System.ServiceModel.ICommunicationObject.Close(TimeSpan timeout) Close() System.IDisposable.Dispose()

What can I do to avoid this?

With a try catch block surrounding the client code I got a different exception:

[System.ServiceModel.Security.SecurityNegotiationException] {"O chamador não foi autenticado pelo serviço."} System.ServiceModel.Security.SecurityNegotiationException

In English: The caller wasn't authenticated by the service

Answer 1

Quite obviously, from your second message, the service expects the caller to authenticate. Depending on your binding (protocol) used, this might be one of several methods:

• Windows authentication: on by default for wsHttp and netTcp bindings - user's Windows account will be used (and this requires the calling user and the called service to be on the same Windows domain, or at least in trusted domains)

• UserName/Password authentication against ASP.NET membership - this typically requires quite some configuration, so I don't think you'll have that "on by default"

• X.509 certificates - again, requires configuration

My guess would be: your web IIS server somehow doesn't understand / interpret the caller's identity correctly. Is that IIS server maybe not member of the Active Directory domain? Or is the caller's machine not member of that same domain? It must be something in that area, I think.

Marc

PS:
To turn off security all together (NOT RECOMMENDED! - at least not for real production systems), you can do this:

<bindings>
  <basicHttpBinding>
    <binding name="NoSecurity">
      <security mode="None" />
    </binding>
  </basicHttpBinding>

and then reference that binding configuration in your endpoints (both server side and client side):

<endpoint address="....." 
          binding="basicHttpBinding" 
          bindingConfiguration="NoSecurity"
          contract="IMyService" />