http://blogs.msdn.com/drnick/archive/2007/03/23/preventing-anonymous-access.aspx

Can someone clarify whether it is possible to use wsHttpBinding in WCF and disable anonymous access in IIS without transport (ssl) or message security being required?

+1  A: 

Hi,

If you want to disable the anonymous access, what authentication strategy would you use instead?

--larsw

larsw
A: 

We want to use Windows integrated security. If you disable anonymous access in IIS and allow just Windows, you cannot seem to use wsHttpBinding with WCF without using some security mode (e.g. transport security, which requires SSL).

We only want to use Windows authentication; we don't necessarily want to use SSL for transport security.

I was a little amazed this wasn't possible out of the box (as seemed to be confirmed by my link), as it would seem quite a common scenario for internal applications.

We don't want to downgrade to basicHttpBinding, which would support Windows authentication only.

Keith Patton
+2  A: 

You are right; afaik, in the scenario you describe, wsHttpBinding requires us to use the internal WCF security stack. So what you would typically do is:

  • leave anonymous access enabled
  • create a serviceBehavior with <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
  • annotate every concrete implementation of a service method using the PrincipalPermissionAttribute, which is quite a powerful tool with many different options to control access

Would that be an acceptable solution for you or are there any other things to consider?

Basic Example:

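using System.Security.Permissions;
using System.Threading;

public class TestService : ITestService
{
  // Demand that the caller is exactly this Windows account; otherwise a SecurityException is thrown.
  [PrincipalPermission(SecurityAction.Demand, Name = "testdomain\\administrator")]
  public string DoWork()
  {
    return "Hello World " + Thread.CurrentPrincipal.Identity.Name;
  }
}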

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="WcfSecurity.Www.TestServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service behaviorConfiguration="WcfSecurity.Www.TestServiceBehavior" name="WcfSecurity.Www.TestService">
        <endpoint address="" binding="wsHttpBinding" contract="WcfSecurity.Www.ITestService" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>    
  </system.serviceModel>

Tobias Hertkorn
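
An added example (not part of the answer above and not WCF's own code) showing how the `PrincipalPermission` demands that answer relies on are evaluated against `Thread.CurrentPrincipal`, including the denied cases. The `ReportService` class, the role name and the user names are constructed for illustration, `GenericPrincipal` stands in for the Windows principal that WCF attaches to each call, and .NET Framework is assumed.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical service; the class, role and user names are constructed for this example.
public class ReportService
{
    // Role demand: under principalPermissionMode="UseWindowsGroups" the role is a Windows group.
    [PrincipalPermission(SecurityAction.Demand, Role = @"TESTDOMAIN\ReportReaders")]
    public string ReadReport()
    {
        return "report for " + Thread.CurrentPrincipal.Identity.Name;
    }

    // Any authenticated caller passes; an anonymous caller does not.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string Ping() { return "pong"; }
}

public static class Program
{
    // Runs one operation as the given caller and reports whether the demand let it through.
    static string Call(IPrincipal caller, Func<string> operation)
    {
        Thread.CurrentPrincipal = caller; // WCF sets this per call; here it is set by hand
        try { return operation(); }
        catch (SecurityException) { return "DENIED"; }
    }

    static IPrincipal Caller(string name, params string[] groups)
    {
        return new GenericPrincipal(new GenericIdentity(name), groups);
    }

    public static void Main()
    {
        var service = new ReportService();
        IPrincipal[] callers = {
            Caller(@"TESTDOMAIN\alice", @"TESTDOMAIN\ReportReaders"), // member of the group
            Caller(@"TESTDOMAIN\bob"),                                // authenticated, no group
            Caller("")                                                // empty name = unauthenticated
        };
        foreach (var caller in callers)
            Console.WriteLine("{0,-18} ReadReport={1} Ping={2}", caller.Identity.Name,
                Call(caller, service.ReadReport), Call(caller, service.Ping));
    }
}
```
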
A: 

I found a really good article on Code Project: http://www.codeproject.com/KB/WCF/WCFBasicHttpBinding.aspx?msg=3104044

mit