WCF 403 Errors

Question

I'm getting different errors with a WCF service. This service has worked fine in all of our test environments so far, until now. We normally having it running under IIS 6 on Windows Server 2003. I had it running under a Windows XP Pro VM that was connected to our company's domain. Our IT guy removed the VM from the company domain just recently.

Now I'm getting errors like these:

An existing connection was forcibly closed by the remote host.

The remote server returned an error: (403) Forbidden.

The HTTP request was forbidden with client authentication scheme 'Anonymous'.

IIS is configured to allow Anonymous access. The IIS user also has permission to view/execute in the service folder.

The service works fine for some calls but not for others. The application calls the service when loading, but then later on in a separate call it does this.

The service is using wsHttpBinding:

 <wsHttpBinding>
    <binding name="wsHttpBindingSettings" maxReceivedMessageSize="2147483647">
      <security mode="None">
        <transport clientCredentialType="None" />
        <message establishSecurityContext="false" />
      </security>
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
    </binding>
  </wsHttpBinding>

Answer 1

The service works fine for some calls but not for others. The application calls the service when loading, but then later on in a separate call it does this.

Maybe the calls that worked did not perform any sensitive operations, like accessing DB's or files? Under what permission does the IIS application pool run, does it use client impersonation? That would explain the issue..

Also you might want to try this setting:

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="xyz">
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="True"/>

Answer 2

same problem here, i've mitigated the problem by adding a default binding to the endpoint and explicitly setting the security level to "None" where possible, now it works better but if calls are made too frequently to the server it fails again, i've also noticed that the development webserver in VS2008 nnever fails even with very high frequency call. so it should be related to IIS in some way and i suspect that is something related to the duration of the security context but these are only my guess so far, i've not found a real solution

Answer 3

It may be caused by a combination of security settings in IIS and web.config.

If the settings in IIS were integrated and anonymous, and the settings in web.config were set to windows, with impersonate = false.

Then, when the machine was in the domain, integrated authentication would be used, and everything would work OK.

When the machine was removed from the domain, anonymous authenticaion would be used, then it would be the IIS anonymous user that is used to access the resources. This user has limited rights and therefore some calls can fail.

You could change the setting in web.config to impersonate = false, this would mean that the identity of the application pool would be used to access resources.