tags:

views:

13012

answers:

4
+8  Q: 

IIS hosted WCF-service + Windows auth in IIS + TransportCredentialOnly/Windows auth in basicHttpBinding

Hello. I've asked already on MSDN forum, now have a try here.

I wanted to do what I guess tried many. I wanted to create a WCF-service hosted in IIS6 and disable anonymous authentication in IIS. And don't use SSL.

So only way I have is to use basicHttpBinging with TransportCredentialOnly, itsn't it?

I create a virtual directory, set Windows Integrated Auth and uncheck "Enable Anonymouse Access". Here's my web.config:

<system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="MyBinding">
                    <security mode="TransportCredentialOnly">
                        <transport clientCredentialType="Windows" />
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <services>
            <service name="Samples.ServiceFacadeService" behaviorConfiguration="ServiceFacadeServiceBehavior">
                <endpoint address="" binding="basicHttpBinding" bindingName="MyBinding"
                          contract="Samples.IServiceFacadeService">
                </endpoint>
            </service>
        </services>
    <behaviors>
     <serviceBehaviors>
      <behavior name="ServiceFacadeServiceBehavior">
       <serviceDebug includeExceptionDetailInFaults="true"/>
      </behavior>
     </serviceBehaviors>
    </behaviors>
</system.serviceModel>

You can see that I even haven't included MEX-enpoint for metadata exchange. Just one endpoint and one binding for it with TransportCredentialOnly security.

But when I tries to start service (invoking a method throught client proxy) I got such exception in the EventLog: Exception: System.ServiceModel.ServiceActivationException: The service '/wcftest/ServiceFacadeService.svc' cannot be activated due to an exception during compilation. The exception message is: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.. ---> System.NotSupportedException: Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service.

I have no idea why my service require Anonymouse auth? Why?

+1  A: 

The MEX endpoint may still be the problem (see this post). Try disabling MEX like this:

<services>
    <!-- Note: the service name must match the configuration name for the service implementation. -->
    <service name="MyNamespace.MyServiceType" behaviorConfiguration="MyServiceTypeBehaviors" >
        <!-- Add the following endpoint.  -->
        <!-- Note: your service must have an http base address to add this endpoint. -->
        <endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
    </service>
</services>

<behaviors>
    <serviceBehaviors>
        <behavior name="MyServiceTypeBehaviors" >
            <!-- This disables it. -->
            <serviceMetadata httpGetEnabled="false" />
        </behavior>
    </serviceBehaviors>
</behaviors>

Here is a good post on securing MEX.

Sixto Saez  2008-10-20 17:40:38
I don't have MEX endpoint at all. Securing of mex-endpoint is another challenge. But I agree not to have it at all. I guess it's no point in setting httpGetEnabled to false if I haven't got mex-endpoint. Anyway, this haven't helped, I tried.
Shrike  2008-10-20 18:44:33
I think that WCF automatically sets up a default MEX endpoint. The suggestion I made was to manually create the MEX endpoint which overrides the default and disable it to prevent the compilation step from detecting the requirement to have anonymous access for the MEX endpoint.
Sixto Saez  2008-10-20 19:05:20
Interesting. But everything got worked without mex-endpoint after I fixed my stupid mistake.
Shrike  2008-10-20 22:11:44
+3  A: 

Check out this post by Nicholas Allen from the WCF team about this exact issue:

http://blogs.msdn.com/drnick/archive/2007/03/23/preventing-anonymous-access.aspx

jezell  2008-10-20 18:21:41
Thanks, I've read it sevelar times. Yes, it's about basicHttpBinding with Integrated Windows auth in IIS. But, it doesn't help. You can see, that I have exact еру same config and it doesn't work as expected.
Shrike  2008-10-20 18:40:49
Replace "bindingName" with "bindingConfiguration" :)
jezell  2008-10-20 18:55:28
Genius! Thanks! You've saved my mind :)
Shrike  2008-10-20 19:03:00
+3  A: 

The answer found jezell. Thanks. I mixed up bindingName and bindingConfiguration :

<endpoint address="" binding="basicHttpBinding" bindingName="MyBinding"
          contract="Samples.IServiceFacadeService">
</endpoint>

That's right:

<endpoint address="" binding="basicHttpBinding" **bindingConfiguration**="MyBinding"
          contract="Samples.IServiceFacadeService">
</endpoint>
Shrike  2008-10-20 19:04:56
A: 

Use basicHttpBinding for your mex endpoint and apply the same bindingConfiguration:

 2010-09-07 19:19:38

related questions

IE6 security login (debugging via VirtualPC)
Asp.net Reinstalling a DLL into the GAC
Failed to load resources from resource file.
What does an IISReset do?
How do I secure a folder used to let users upload files?
VBScript/IIS - How do I automatically set ASP.NET version for a particular website
IIS 6/COM+ hangs
Web server farms with IIS ? Basic Infos
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
What Url rewriter do you use for ASP.Net?
Publishing to IIS - Best Practices
ASP.NET Proxy Application
PHP on IIS
How do I stop IIS7 dropping my cookies?
HTTPS in IIS 5.1
Best tool for performance testing ASP.NET
Alternative Hostname for an IIS web site for internal access only
SQL Server 2008 FileStream on a Web Server
Solutions for working with multiple branches in ASP.Net
Dual vs. Quadcore on a Webserver
PHP Error - Uploading a file
Visual Studio 2008 debugger already attached work-around
Linux shell equivalent on IIS
Bandwith throttling in IIS 6 by IP Address
Checklist for IIS 6/ASP.NET Windows Authentication?