I have a WCF Service that I have boiled down to next to nothing because of this error. It is driving me up the wall. Here's what I have now.

A very simple WCF service with one method that returns a string with the value, "test".

A very simple Web app that uses the service and puts the value of the string into a label.

A web server running IIS 6 on Win 2003 with an SSL certificate.

Other WCF services on the same server that work.

I publish the WCF service to its https location

I run the web app in debug mode in VS and it works perfectly.

I publish the web app to its https location on the same server the WCF service resides under the same SSL certificate

I get, "The remote server returned an error: (403) Forbidden"

I have changed almost every setting in IIS as well as the WCF and Web apps to no avail. I have compared settings in the WCF services that work and everything is the same.

Below are the settings in the web.config for the WCF Service and the Web app:

It appears the problem has to do with the Web app but I am out of ideas. Any ideas?

WCF Service:

    <system.serviceModel>
      <bindings>
        <!-- The "SSLBinding" definition referenced by the endpoint below was not included in the post. -->
      </bindings>

      <client />

      <services>
        <service behaviorConfiguration="Ucf.Smtp.Wcf.SmtpServiceBehavior" name="Ucf.Smtp.Wcf.SmtpService">
          <host>
            <baseAddresses>
              <add baseAddress="https://test.net.ucf.edu/webservices/Smtp/" />
            </baseAddresses>
          </host>
          <!-- Service endpoint over HTTPS -->
          <endpoint address="" binding="wsHttpBinding" contract="Ucf.Smtp.Wcf.ISmtpService" bindingConfiguration="SSLBinding">
            <identity>
              <dns value="localhost"/>
            </identity>
          </endpoint>
          <!-- Metadata exchange endpoint over HTTPS -->
          <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
        </service>
      </services>

      <behaviors>
        <serviceBehaviors>
          <behavior name="Ucf.Smtp.Wcf.SmtpServiceBehavior">
            <serviceMetadata httpsGetEnabled="true" />
            <serviceDebug includeExceptionDetailInFaults="true" httpsHelpPageEnabled="True"/>
          </behavior>
        </serviceBehaviors>
      </behaviors>
    </system.serviceModel>

Web App:

    <system.serviceModel>
      <bindings>
        <wsHttpBinding>
          <binding name="WSHttpBinding_ISmtpService" closeTimeout="00:01:00"
            openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
            bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
            maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
            textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
              maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <reliableSession ordered="true" inactivityTimeout="00:10:00"
              enabled="false" />
            <!-- Transport (HTTPS) security with no client credential -->
            <security mode="Transport">
              <transport clientCredentialType="None" proxyCredentialType="None"
                realm="" />
              <message clientCredentialType="Windows" negotiateServiceCredential="true"
                establishSecurityContext="true" />
            </security>
          </binding>
        </wsHttpBinding>
      </bindings>

      <client>
        <endpoint address="https://net228.net.ucf.edu/webservices/smtp/SmtpService.svc"
          binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_ISmtpService"
          contract="SmtpService.ISmtpService" name="WSHttpBinding_ISmtpService">
          <identity>
            <dns value="localhost" />
          </identity>
        </endpoint>
      </client>
    </system.serviceModel>

A: 

The only thing that jumps out at me is that you are passing the Windows identity with the message; this could cause a permissions issue if the user account being passed doesn't have access to the WCF service. Potentially needing impersonation on the web app?

Mitchel Sellers
A: 

By default, WCF bindings do not permit anonymous (no-auth) access. You need to modify the bindings to allow it:

    <wsHttpBinding>
      <binding ...>
        <security mode="None"/>
      </binding>
    </wsHttpBinding>

hemp
+1  A: 

I am going to answer my own question after spending hours and hours on this problem. I hope this helps all the other people who have beat their heads against the wall trying to figure this out. We finally got a network admin involved and solved this.

Here's the scenario and the solution:

We have a production server - everything works fine. We have a test server - we get a 403 forbidden error. Debugging locally works fine.

All the settings are identical, or so we thought.

There is one setting that was wrong. In IIS, in the properties of the virtual directory of the webservice, under the Directory Security tab, the second Edit button is for IP restrictions. Ours was set to deny access to all IPs except for the list, which should have included the IP for the test server. The IP of the test webserver was not granted rights. The reason it did not have rights was that it was recently cloned from the production virtual server and this setting was never adjusted to add the test virtual server.

RJ
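
A way to narrow down this kind of 403 from the server side, added here as an example and not part of any of the posts above: IIS records a sub-status for each response, and 403.6 means the client IP address was rejected by the directory's IP restrictions. The sketch assumes the site's W3C extended log has the `sc-substatus` field enabled; the sample log lines and addresses are constructed.

```python
from collections import Counter

# IIS sub-status meanings for HTTP 403 (subset).
SUBSTATUS_403 = {
    "1": "execute access forbidden",
    "2": "read access forbidden",
    "4": "SSL required",
    "6": "IP address rejected",
    "7": "client certificate required",
}

# Constructed sample log; addresses and timestamps are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2009-01-12 14:02:11 10.0.0.15 POST /webservices/Smtp/SmtpService.svc 200 0
2009-01-12 14:05:40 10.0.0.27 POST /webservices/Smtp/SmtpService.svc 403 6
2009-01-12 14:05:52 10.0.0.27 POST /webservices/Smtp/SmtpService.svc 403 6
2009-01-12 14:07:03 10.0.0.31 GET /webservices/Smtp/SmtpService.svc 403 4
"""

def forbidden_by_cause(log_text):
    """Count 403 entries keyed by (client IP, URI, cause)."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order may change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        if row.get("sc-status") != "403":
            continue
        sub = row.get("sc-substatus", "-")
        cause = SUBSTATUS_403.get(sub, "403.%s (see IIS documentation)" % sub)
        hits[(row.get("c-ip", "-"), row.get("cs-uri-stem", "-"), cause)] += 1
    return hits

if __name__ == "__main__":
    for (ip, uri, cause), n in forbidden_by_cause(SAMPLE_LOG).most_common():
        print("%3d  %-15s %-40s %s" % (n, ip, uri, cause))
```

A run of 403.6 entries from a single caller points at the Directory Security IP list rather than at the WCF binding or the certificate.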