I have a requirement (govt client) to turn off all authentication schemes (No anon, NTLM, digest, basic, etc) in IIS6 and enable client certificates only. This part is non-negotiable.

This WCF web service provides the data to a Silverlight client.

With Basic authentication on, everything works peachy. When it is turned off, we get this exception:

Exception: System.ServiceModel.ServiceActivationException: The service '/QueryStatistics/QueryStatistics.svc' cannot be activated due to an exception during compilation. The exception message is: IIS specified authentication schemes 'None', but the binding only supports specification of exactly one authentication scheme. Valid authentication schemes are Digest, Negotiate, NTLM, Basic, or Anonymous. Change the IIS settings so that only a single authentication scheme is used.. ---> System.InvalidOperationException: IIS specified authentication schemes 'None', but the binding only supports specification of exactly one authentication scheme. Valid authentication schemes are Digest, Negotiate, NTLM, Basic, or Anonymous. Change the IIS settings so that only a single authentication scheme is used.
   at System.ServiceModel.Web.WebServiceHost.SetBindingCredentialBasedOnHostedEnvironment(ServiceEndpoint serviceEndpoint, AuthenticationSchemes supportedSchemes)
   at System.ServiceModel.Web.WebServiceHost.AddAutomaticWebHttpBindingEndpoints(ServiceHost host, IDictionary`2 implementedContracts, String multipleContractsErrorMessage)
   at System.ServiceModel.Web.WebServiceHost.OnOpening()
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   --- End of inner exception stack trace ---
   at System.ServiceModel.AsyncResult.End[TAsyncResult](IAsyncResult result)
   at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result)

After some digging around, it looks like there is a switch that requires one of those modes, otherwise it throws.

An initial look makes it appear that I can change out the service host factory and implement my own ServiceHost so that it no longer requires one of these schemes to be set, but I don't know what the implications of that will be, nor how much work will be involved.

So, Overflow'rs, anyone else have this issue and solve it or have insight as to why I definitely wouldn't want to go this route?


Clarification:

Really, I want one thing. How can I require client certificates while not enabling anonymous (or any other) authentication scheme?